Django REST multiple permission class not working

MDFARHYN · June 24, 2022, 4:40pm

I have two permission class. IsAuthorGroup will check if the user belongs from the author group and IsOwnerOrReadOnly will restrict the user to performing post and delete if he is not the object’s owner.

But the problem is anyone from IsAuthorGroup performing post and delete request event he isn’t own of the object.

How to restrict anyone from IsAuthorGroup performing post and delete request if he isn’t owner of the object?

here is my code:

class IsAuthorGroup(permissions.BasePermission):
    def has_permission(self, request, view):
        if request.user and request.user.groups.filter(name='AuthorGroup'):
            return True
        return False


class IsOwnerOrReadOnly(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            return True

        # Write permissions are only allowed to the owner of the blog.
        return obj.author == request.user or request.user.is_superuser 



class BlogViewSet(viewsets.ModelViewSet):

    queryset = Blog.objects.all()
    serializer_class = BlogSerializer
    pagination_class = BlogPagination
    lookup_field = 'blog_slug'
    permission_classes = [IsOwnerOrReadOnly & IsAuthorGroup]

my serializer.py

class BlogSerializer(serializers.ModelSerializer):
    author_first_name = serializers.CharField(
        source="author.first_name", required=False)
    author_last_name = serializers.CharField(
        source="author.last_name", required=False)

    class Meta:
        model = Blog
        exclude = ("author", "blog_is_published")
        lookup_field = 'blog_slug'
        extra_kwargs = {
            'url': {'lookup_field': 'blog_slug'}
        }

leandrodesouzadev · June 24, 2022, 7:17pm

Hey there!
I never seen the usage of the & operator on permission_classes. Maybe did you mean to put a comma , in there?

MDFARHYN · June 24, 2022, 7:36pm

But the problem is I don’t want to restrict my get method which means If I use [IsOwnerOrReadOnly & IsAuthorGroup] it’s asking me Authentication credentials for get request which I don’t want

leandrodesouzadev · June 24, 2022, 7:40pm

Oh, i see.
So i think you want to implement the get_permissions method.
Take a look into the DRF docs.

MDFARHYN · June 24, 2022, 7:48pm

Thanks my problem is solved. Can you tell me how I can set request.user as my blog autor in django REST. Normally we did something like this in views instance.author == request.user when submitting forms. How I can do something like that in DRF?

leandrodesouzadev · June 24, 2022, 7:57pm

Great.
For this open a new topic relating what you want to achieve, and what’s not going like you want.

MDFARHYN · June 24, 2022, 8:27pm

what will be the action name for viewing data using slug or id? like if self.action == 'list': here list providing list of data.

leandrodesouzadev · June 24, 2022, 8:36pm

It really depends on the view that you are accessing.
But when you do a GET request without the id, it’s called: list. When you give the id: detail.

Here you can read more about it.

MDFARHYN · June 24, 2022, 8:43pm

it’s restring my details view as I am sending get request only

Topic		Replies	Views
Object-sided permissions: Looking for improvements Using Django	1	720	April 21, 2021
Is there some restrictions on using request.user in django rest api? Using Django	8	2602	December 10, 2021
django rest framework 🫦 Forms & APIs	2	747	August 30, 2022
Same user different group permission Getting Started	6	125	June 14, 2024
DRF: best practice to check the user permission inside the object creation method Using Django	1	1621	June 25, 2024

Django REST multiple permission class not working

Related topics