Users can delete views even though they are not allowed

NoNameAnonym · July 16, 2022, 9:40am

In my code, I have the following view:

class PointCountDetails(generics.RetrieveDestroyAPIView):
   serializer_class=PointCountSerializer
   permission_classes=[IsSuperUserOrSafeOnly]

The permission looks as follows:

изображение_2022-07-16_123505861

The problem is that when I surf API as non-admin user, the user is allowed to delete instance of pointcount that is attached to their id. Why is it that if permission doesn’t allow them to delete?

CodenameTim · July 16, 2022, 11:33am

What are the values of each property used in all of the conditions? You can use a debugger or print them to the terminal.

Topic		Replies	Views
DeleteView form_valid is requiring field Forms & APIs	10	1759	August 9, 2022
Is this a secure way to prevent others to delete? Forms & APIs	2	533	April 12, 2022
Delete Ajax (Deleteview) Forms & APIs	1	877	February 27, 2023
django rest framework 🫦 Forms & APIs	2	658	August 30, 2022
Django Rest framework how to apply restriction on public api for unauthenticated users? Forms & APIs	10	4291	June 8, 2022

Users can delete views even though they are not allowed

Related Topics