I have a view with a custom action which should have a custom permission "IsRightUser". However, the has_object_permission of it is never called, even though I try to access the object with self.get_object() in my view.
class MyView(mixins.ListModelMixin, viewsets.GenericViewSet):
serializer_class = MySerializer
lookup_field = 'uuid'
queryset = MyObject.objects.all()
@action(methods=['get'], detail=True)
@permission_classes([IsRightUser])
def groups(self, request, uuid=None):
# prints [<class 'rest_framework.permissions.IsAuthenticated'>]
print(self.permission_classes)
my_object = self.get_object()
groups = Group.objects.filter(my_object=my_object)
serializer = MySerializer(groups, many=True)
return Response(serializer.data)
Here you can see my custom permission which is never called.
class IsRightUser(BasePermission):
def has_object_permission(self, request, view, obj):
# never called
return True
When I use permission_classes = [IsRightUser] in my view (i.e. directly underneath the lookup_field) it works (unfortunately this is not feasible for me).
Any help is very much appreciated.
You should pass permission classes as action argument directly:
@action(methods=['get'], detail=True, permission_classes=[IsRightUser])
def groups(self, request, uuid=None):
# prints [<class 'rest_framework.permissions.IsAuthenticated'>]
print(self.permission_classes)
my_object = self.get_object()
groups = Group.objects.filter(my_object=my_object)
serializer = MySerializer(groups, many=True)
return Response(serializer.data)