How to restrict so that the author of the post can only see and edit his posts

Question

In this code only the author of the post can edit his post, but how to also make so that the author of the post can see only his posts?

from rest_framework import permissions


class IsAuthorOrReadOnly(permissions.BasePermission):
    def has_permission(self, request, view):
        if request.user.is_authenticated:
            return True
        return False

    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            return True
        return obj.author == request.user

Please add a link to useful reading materials

My views.py:

class TaskList(generics.ListCreateAPIView):
# permission_classes = (IsAuthorOrReadOnly,)
queryset = Task.objects.all()
serializer_class = TaskSerializer

class TaskDetail(generics.RetrieveUpdateDestroyAPIView):
# permission_classes = (IsAuthorOrReadOnly,)
queryset = Task.objects.all()
serializer_class = TaskSerializer

ruddra · Accepted Answer · 2023-01-19T15:01:49.687

If you want the author to see his posts, you can simply restrict all users from accessing the object. Like this:

from rest_framework import permissions


class IsAuthorOrReadOnly(permissions.BasePermission):
    def has_permission(self, request, view):
        if request.user.is_authenticated:
            return True
        return False

    def has_object_permission(self, request, view, obj):
        return obj.author == request.user

Now, regardless of any types of request methods, only the author can access the object.

But if you have a list view and you do not want the author to see other posts, you can try like this:

class TaskList(generics.ListCreateAPIView):
    queryset = Task.objects.all()
    serializer_class = TaskSerializer

    def get_queryset(self):
        return super().get_queryset().filter(author=self.request.user)

class TaskDetail(generics.RetrieveUpdateDestroyAPIView):
    queryset = Task.objects.all()
    serializer_class = TaskSerializer

    def get_queryset(self):
        return super().get_queryset().filter(author=self.request.user)

Or combine them in a viewset:

class TaskViewSet(viewsets.ModelViewSet):
    """
    A simple ViewSet for viewing and editing tasks.
    """
    permission_classes = [IsAuthenticated,]
    queryset = Task.objects.all()
    serializer_class = TaskSerializer

    def get_queryset(self):
        return super().get_queryset().filter(author=self.request.user)

More information can be found in documentation

This code is an example, I can rewrite only based on your own implementation. If you can share your view code, then I might be able to help. — ruddra, Jan 19 '23 at 14:39
GenericAPIView.get_queryset() got an unexpected keyword argument 'author' — MegaMind, Jan 19 '23 at 14:55
hello @ruddra the class IsAuthorOrReadOnly is supposed to be where? models, views ...? thanks — logame, Aug 21 '23 at 13:37
You can put it in view, or create a separate py file and put it there in the same module as the view — ruddra, Aug 22 '23 at 00:04

How to restrict so that the author of the post can only see and edit his posts

1 Answers1