
Custom object permissions not working in django rest framework

I am using a custom permission class in a Django REST framework APIView and calling check_object_permissions explicitly. But in some APIs (especially the retrieve API) Django calls check_object_permissions by default. How can I override the view to stop the implicit calls to check_object_permissions?

Code



views.py



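class StreamOptionDetails(APIView):
    """
    Retrieve one StreamOption addressed by a stream id and an option id.

    Object-level permissions are evaluated against the parent Stream through
    the explicit check_object_permissions() call in get_object().

    NOTE: DRF's browsable API renderer also calls check_object_permissions()
    with the instance being rendered (a StreamOption here), so every class in
    permission_classes has to cope with that object type as well.
    """

    permission_classes = (IsOwnerOrReadOnly,)

    def get_object(self, pk):
        """Return the Stream with primary key ``pk`` once the request is authorized.

        Raises Http404 when no such Stream exists. check_object_permissions()
        raises on its own when a permission class rejects the request.
        """
        # Only the lookup can raise DoesNotExist, so only the lookup is guarded.
        try:
            obj = Stream.objects.get(pk=pk)
        except Stream.DoesNotExist:
            raise Http404
        self.check_object_permissions(self.request, obj)
        return obj

    def get_option(self, pk, stream=None):
        """Return the StreamOption with primary key ``pk``.

        When ``stream`` is given the lookup is restricted to options attached
        to that Stream, and Http404 is raised for an option of another stream.
        Without ``stream`` the lookup is by primary key only.
        """
        lookup = {"pk": pk}
        if stream is not None:
            # NOTE(review): assumes StreamOption has a ``stream`` relation to
            # Stream (IsOwnerOrReadOnlyMember reads obj.stream) -- confirm
            # against the model definition.
            lookup["stream"] = stream
        try:
            return StreamOption.objects.get(**lookup)
        except StreamOption.DoesNotExist:
            raise Http404

    def get(self, request, stream=None, pk=None, format=None):
        """Serialize the option ``pk`` of stream ``stream``."""
        # The permission check runs on the Stream named in the URL; binding the
        # option lookup to that same Stream keeps a member of one stream from
        # reading an option that belongs to a different stream.
        stream_obj = self.get_object(stream)
        stream_option = self.get_option(pk, stream=stream_obj)
        serializer = StreamOptionsSerializer(stream_option)
        return Response(serializer.data)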


error



AttributeError at /streams/2/options/15/
'StreamOption' object has no attribute 'members'
Request Method: GET
Request URL: http://localhost:8000/streams/2/options/15/
Django Version: 1.10
Exception Type: AttributeError
Exception Value:
'StreamOption' object has no attribute 'members'
Exception Location:
/home/suh/workspace/distribution/streams/permissions.py in
has_object_permission, line 13


permission.py



from rest_framework import permissions


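class IsOwnerOrReadOnly(permissions.BasePermission):
    """
    Object-level permission: members may read, only the owner may write.

    ``obj`` must expose a ``members`` related manager and an ``owner``
    attribute; an object without them raises AttributeError here.
    """

    def has_object_permission(self, request, view, obj):
        """Return True when ``request.user`` may act on ``obj``."""
        # Safe methods (permissions.SAFE_METHODS) are granted to a user with a
        # non-empty username who has a row in obj.members -- not to every
        # request.
        if request.user.username and request.method in permissions.SAFE_METHODS:
            # exists() asks the database for a yes/no answer instead of
            # loading every matching membership row just to test for one.
            if obj.members.filter(user=request.user).exists():
                return True
        # Everything else, including reads by non-members, is allowed only to
        # the owner.
        return obj.owner == request.user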


How can I stop these calls?



File "/home/thoughtchimp/.virtualenvs/django-py3/lib/python3.5/site-packages/rest_framework/renderers.py" in get_rendered_html_form
474. if not self.show_form_for_method(view, method, request, instance):

File "/home/thoughtchimp/.virtualenvs/django-py3/lib/python3.5/site-packages/rest_framework/renderers.py" in show_form_for_method
431. view.check_object_permissions(request, obj)

File "/home/thoughtchimp/.virtualenvs/django-py3/lib/python3.5/site-packages/rest_framework/views.py" in check_object_permissions
338. if not permission.has_object_permission(request, self, obj):

Answer Source

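Finally found the answer: I added a new permission class for StreamOption. The browsable API renderer calls check_object_permissions with the StreamOption instance (see the traceback above), so the permission class resolves the option's parent stream before checking membership and ownership.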

permission.py

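class IsOwnerOrReadOnlyMember(permissions.BasePermission):
    """
    Object-level permission for objects that hang off a stream.

    The decision is made on ``obj.stream``: its members may read, only its
    owner may write. An object with no stream is always denied.
    """

    def has_object_permission(self, request, view, obj):
        """Return True when ``request.user`` may act on ``obj`` via its stream."""
        stream = obj.stream
        if not stream:
            # Nothing to authorize against: fail closed.
            return False
        # ``is_anonymous`` is read as an attribute: Django 1.10 (the version in
        # the question) made it a property that is still truthy/falsy, and
        # Django 2.0 dropped the callable form, so ``is_anonymous()`` breaks
        # there. On Django < 1.10 it is a method and must be called instead.
        if not request.user.is_anonymous and request.method in permissions.SAFE_METHODS:
            # exists() asks the database for a yes/no answer instead of
            # loading every matching membership row just to test for one.
            if stream.members.filter(user=request.user).exists():
                return True
        # Everything else, including reads by non-members, is allowed only to
        # the stream's owner.
        return stream.owner == request.user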