I'm working through the DRF tutorial and everything has been working fine
up until the topic *Object Level Permission*. I have modified my project
according to the tutorial but I'm still able to delete and edit records
related to other users.

I created a permissions.py file:

from rest_framework import permissions


class IsOwnerOrReadOnly(permissions.BasePermission):
    """
    Custom permission to only allow owners of an object to edit it.
    """
    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS:
            return True

        # Write permissions are only allowed to the owner of the snippet.
        return obj.owner == request.user

and modified the SnippetDetail view:


class SnippetDetail(generics.RetrieveUpdateDestroyAPIView):
    """
    Retrieve update or delete a code snippet
    """
    permissions_classes = (permissions.IsAuthenticatedOrReadOnly,
                           IsOwnerOrReadOnly,)
    queryset = Snippet.objects.all()
    serializer_class = SnippetSerializer

Where am I going wrong?

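An added example, not part of the original post and not DRF's own code: DRF reads a view's permissions from the class attribute `permission_classes`, and a class attribute with any other name is silently ignored, so the view falls back to the default permission setting. The standard-library check below flags near-miss attribute names in view source; the function name `find_near_miss_attrs`, the attribute list and the 0.85 cutoff are assumptions chosen for this illustration.

```python
import ast
import difflib

# Attribute names that DRF's APIView / GenericAPIView read from a view class.
DRF_VIEW_ATTRS = [
    "permission_classes", "authentication_classes", "throttle_classes",
    "parser_classes", "renderer_classes", "serializer_class", "queryset",
    "lookup_field", "pagination_class", "filter_backends",
]


def find_near_miss_attrs(source, cutoff=0.85):
    """Return (class, attribute, suggestion, line) for class-level
    assignments whose name is close to, but not exactly, a DRF attribute."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ClassDef):
            continue
        for stmt in node.body:
            if not isinstance(stmt, ast.Assign):
                continue
            for target in stmt.targets:
                if not isinstance(target, ast.Name):
                    continue
                if target.id in DRF_VIEW_ATTRS:
                    continue  # exact name: DRF will pick it up
                match = difflib.get_close_matches(
                    target.id, DRF_VIEW_ATTRS, n=1, cutoff=cutoff)
                if match:
                    findings.append(
                        (node.name, target.id, match[0], stmt.lineno))
    return findings


# The view from the post above, embedded as text so nothing is imported.
SAMPLE_VIEW = '''
class SnippetDetail(generics.RetrieveUpdateDestroyAPIView):
    permissions_classes = (permissions.IsAuthenticatedOrReadOnly,
                           IsOwnerOrReadOnly,)
    queryset = Snippet.objects.all()
    serializer_class = SnippetSerializer
'''

if __name__ == "__main__":
    for cls, attr, hint, line in find_near_miss_attrs(SAMPLE_VIEW):
        print(f"{cls}: '{attr}' (line {line}) is not read by DRF; "
              f"did you mean '{hint}'?")
```

Run over a project's views in CI, a check like this catches permission settings that never take effect before they reach a deployed API.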