3

I have a permission class that checks if the obj.account is equal to request.user.profile.account:

from rest_framework import permissions

class IsOwner(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        # Object-level check: the requesting user's account must own the object.
        return request.user.profile.account == obj.account

And this is my view:

from django.shortcuts import get_object_or_404
from rest_framework.response import Response
from rest_framework.views import APIView

class ContactDetailView(APIView):
    permission_classes = (IsOwner, )

    def get(self, request, pk, format=None):
        contact = get_object_or_404(Contact, pk=pk)
        serializer = ContactSerializer(contact)

        return Response(
            serializer.data,
        )

But I don't get a permission error. It returns the contact data with no problem.

Where is my mistake?

Umut Çağdaş Coşkun

1 Answer

8

You need to call check_object_permissions method before response:

from django.shortcuts import get_object_or_404
from rest_framework.response import Response
from rest_framework.views import APIView

class ContactDetailView(APIView):
    permission_classes = (IsOwner, )

    def get(self, request, pk, format=None):
        contact = get_object_or_404(Contact, pk=pk)
        serializer = ContactSerializer(contact)
        # Runs has_object_permission() of every permission class against
        # this object and raises PermissionDenied if any of them returns False.
        self.check_object_permissions(request, contact)

        return Response(
            serializer.data,
        )

Note that generic view classes already call it by default. But since you are not using RetrieveAPIView you need to do it manually.

neverwalkaloner
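To make the failure mode in the question and the fix in the answer concrete, here is an added, self-contained example that is not from the original post or from Django REST Framework. The `BasePermission`, `APIView` and `get_object_or_404` stubs below are assumptions: they imitate only the part of DRF's control flow that matters here (`APIView.initial()` calls `check_permissions()` before the handler runs, while `check_object_permissions()` is only invoked automatically by `GenericAPIView.get_object()`), so the script runs without Django installed. The accounts, contacts and requests are constructed sample data.

```python
# Added example (not the post's or DRF's code): a minimal model of why an
# APIView subclass silently skips object-level permissions, and how calling
# check_object_permissions() closes the gap.

class PermissionDenied(Exception):
    """Stand-in for rest_framework.exceptions.PermissionDenied (assumption)."""


class BasePermission:
    """Stub of rest_framework.permissions.BasePermission (assumption)."""
    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True


class APIView:
    """Stub of rest_framework.views.APIView with only the relevant hooks."""
    permission_classes = ()

    def get_permissions(self):
        return [cls() for cls in self.permission_classes]

    def check_permissions(self, request):
        # View-level check; DRF runs this for every request before the handler.
        for perm in self.get_permissions():
            if not perm.has_permission(request, self):
                raise PermissionDenied

    def check_object_permissions(self, request, obj):
        # Object-level check; only generic views call this for you.
        for perm in self.get_permissions():
            if not perm.has_object_permission(request, self, obj):
                raise PermissionDenied

    def dispatch(self, request, **kwargs):
        self.check_permissions(request)  # what APIView.initial() does
        handler = getattr(self, request.method.lower())
        return handler(request, **kwargs)


class Obj:
    """Tiny attribute bag standing in for Django model instances (constructed)."""
    def __init__(self, **attrs):
        self.__dict__.update(attrs)


# Constructed sample data: two accounts, one contact each.
ACCOUNT_A, ACCOUNT_B = Obj(name="A"), Obj(name="B")
CONTACTS = {
    1: Obj(pk=1, account=ACCOUNT_A, email="alice@example.test"),
    2: Obj(pk=2, account=ACCOUNT_B, email="bob@example.test"),
}


def get_object_or_404(table, pk):
    """Stub of django.shortcuts.get_object_or_404 over the dict above."""
    return table[pk]  # a KeyError here plays the role of a 404


class IsOwner(BasePermission):
    def has_object_permission(self, request, view, obj):
        return request.user.profile.account == obj.account


class LeakyContactDetailView(APIView):
    """The view from the question: IsOwner is listed but never consulted."""
    permission_classes = (IsOwner,)

    def get(self, request, pk):
        contact = get_object_or_404(CONTACTS, pk)
        return {"pk": contact.pk, "email": contact.email}


class ContactDetailView(APIView):
    """The view from the answer: the object check is invoked explicitly."""
    permission_classes = (IsOwner,)

    def get(self, request, pk):
        contact = get_object_or_404(CONTACTS, pk)
        self.check_object_permissions(request, contact)
        return {"pk": contact.pk, "email": contact.email}


def request_as(account, method="GET"):
    """Build a constructed request whose user belongs to `account`."""
    return Obj(method=method, user=Obj(profile=Obj(account=account)))


def fetch(view_cls, account, pk):
    """Dispatch a GET for contact `pk` as `account`; returns data or 'denied'."""
    try:
        return view_cls().dispatch(request_as(account), pk=pk)
    except PermissionDenied:
        return "denied"


if __name__ == "__main__":
    # A user from account A requests account B's contact.
    print(fetch(LeakyContactDetailView, ACCOUNT_A, 2))  # leaks Bob's record
    print(fetch(ContactDetailView, ACCOUNT_A, 2))       # denied
    print(fetch(ContactDetailView, ACCOUNT_A, 1))       # own record, allowed
```

The leaky view is a cross-account read: every authenticated user can enumerate `pk` values and read other accounts' contacts, because a permission class that only implements `has_object_permission()` contributes nothing until something passes it an object. When reviewing DRF code, treat any `APIView` handler that fetches a model instance by `pk` without a `check_object_permissions()` call (or a `GenericAPIView.get_object()` call) as a finding.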