Search code examples
djangodjango-rest-frameworkdjango-permissions

How to edit user permission in Django Rest Framework

I am following the tutorial of django Rest Framework. I want to add user-based permission so that only authenticated user can view each user's detail information. Objective : Anyone can view the UserList, but only owner can view its UserDetail.

models.py

class Meeting(models.Model):
        created = models.DateTimeField(auto_now_add=True)
        sinceWhen = models.DateTimeField(null=True)
        tilWhen = models.DateTimeField(null=True)
        owner = models.ForeignKey('auth.User', related_name='meetings', on_delete=models.CASCADE)
        #highlighted = models.TextField()

        def save(self, *args, **kwargs):
                super(Meeting, self).save(*args, **kwargs)


        class Meta:
                ordering = ('created',)

views.py

from django.contrib.auth.models import User
# User is not created inside models.py

class UserList(generics.ListAPIView):
    queryset = User.objects.all()
    serializer_class = UserListSerializer

class UserDetail(generics.RetrieveAPIView):
        queryset = User.objects.all()
        serializer_class = UserSerializer
        permission_classes = (permissions.IsAuthenticatedOrReadOnly, IsOwnerOrReadOnly,)
# I added IsOwnerOrReadOnly to make it work, but this is the part where it causes error!

serializers.py

class UserSerializer(serializers.ModelSerializer):
        meetings = serializers.PrimaryKeyRelatedField(many=True, queryset=Meeting.objects.all())
        #owner = serializers.ReadOnlyField(source='owner.username')

        class Meta:
                model = User
                fields = ('id', 'username', 'meetings',)

class UserListSerializer(serializers.ModelSerializer):
        #meetings = serializers.PrimaryKeyRelatedField(many=True, queryset=Meeting.objects.all())

        class Meta:
                model = User
                fields = ('username',)

permissions.py

from rest_framework import permissions

class IsOwnerOrReadOnly(permissions.BasePermission):  
        def has_object_permission(self, request, view, obj):

                # Any permissions are only allowed to the owner of the meeting
                return obj.owner == request.user

I overrode IsOwnerOrReadOnly so that only user can view the details of his/her user detail. And add this to permission_class in views.py.

Then I got this error : 

File "/home/tony/env/lib/python3.6/site-packages/rest_framework/views.py" in check_object_permissions
  345.             if not permission.has_object_permission(request, self, obj):

File "/home/tony/swpp_hw1/meetings/permissions.py" in has_object_permission
  15.       return obj.owner == request.user

Exception Type: AttributeError at /users/1/
Exception Value: 'User' object has no attribute 'owner'

I tried to add User class in models.py, but again it causes error... How can solve this issue?

Solution

  • Try to change it as:

    return obj == request.user

    as object is user you are trying to access and request.user is current authenticated user.