I am writing a custom permission to forbid access to some objects you don't 
own. This goes hand in hand with filtering out the objects you don't own 
from the queryset (in the context of tenant-aware logic I wrote). 

In my tests I check for a 403 since I want to forbid access before even 
trying to retrieve objects. I am getting a 404 instead (using a 
ModelViewSet). Inspecting the source code gives me the insight that 
get_object_or_404 is called before check_object_permissions.

I get the idea that you can't check the permission for an object without 
getting it first, but in a broader sense, wouldn't somehow a design that 
checks for permissions first make more sense? (on list actions my 
has_permission returns False before any objects are accessed).

I just believe that it makes more sense to first say: you're not allowed, 
before even trying to access anything.

-- 
You received this message because you are subscribed to the Google Groups 
"Django REST framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-rest-framework+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-rest-framework/f1502d30-e442-4832-9453-d35c67b1743dn%40googlegroups.com.
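The ordering the post describes is real: in DRF, `check_permissions()` (which calls each permission's `has_permission`) runs in `initial()` before the handler, while `GenericAPIView.get_object()` filters the queryset, calls `get_object_or_404`, and only then calls `check_object_permissions()`. With a tenant-filtered queryset, a cross-tenant pk therefore never reaches the object-level check and comes back as 404. The following is an added illustration of that flow, not DRF's code and not the poster's: it uses a simplified in-memory stand-in for a detail view, constructed sample data (two tenants, two users), and a hypothetical `IsTenantMember` permission that, when the tenant is part of the URL (`tenant_id` kwarg, an assumption), refuses in `has_permission` before any lookup happens. One caveat worth keeping in mind when choosing between the two responses: a 404 for a foreign pk hides whether that row exists at all, whereas a per-object 403 confirms it does.

```python
"""Added example (not DRF's code): why a tenant-filtered queryset yields 404
rather than 403, and how a scope-level check can refuse before any lookup.
Constructed sample data; hypothetical IsTenantMember permission."""
from dataclasses import dataclass


class PermissionDenied(Exception):
    status = 403


class NotFound(Exception):
    status = 404


@dataclass(frozen=True)
class User:
    username: str
    tenant_ids: frozenset


@dataclass(frozen=True)
class Document:
    pk: int
    tenant_id: int
    title: str


# Constructed sample data: one document per tenant, one user per tenant.
DOCUMENTS = [
    Document(1, 10, "tenant-10 report"),
    Document(2, 20, "tenant-20 report"),
]
ALICE = User("alice", frozenset({10}))
BOB = User("bob", frozenset({20}))


class IsTenantMember:
    """Same two-hook shape as a DRF permission: has_permission runs before
    any lookup, has_object_permission runs only on an object already fetched."""

    def has_permission(self, user, view_kwargs):
        tenant_id = view_kwargs.get("tenant_id")  # assumed URL kwarg
        if tenant_id is None:
            return True  # no scope in the URL: defer to the object-level check
        return tenant_id in user.tenant_ids

    def has_object_permission(self, user, obj):
        return obj.tenant_id in user.tenant_ids


class DetailView:
    """Simplified stand-in for a DRF detail action: filtered queryset, then
    lookup (404 on miss), then object permission check, in that order."""

    permission = IsTenantMember()

    def __init__(self, user, **kwargs):
        self.user = user
        self.kwargs = kwargs

    def get_queryset(self):
        # Tenant-aware filtering: rows belonging to other tenants are invisible.
        return [d for d in DOCUMENTS if d.tenant_id in self.user.tenant_ids]

    def get_object(self):
        matches = [d for d in self.get_queryset() if d.pk == self.kwargs["pk"]]
        if not matches:
            raise NotFound()  # the get_object_or_404 step fires first...
        obj = matches[0]
        if not self.permission.has_object_permission(self.user, obj):
            raise PermissionDenied()  # ...and this only ever sees a found object
        return obj

    def retrieve(self):
        # Mirrors check_permissions() in initial(): runs before the handler.
        if not self.permission.has_permission(self.user, self.kwargs):
            raise PermissionDenied()
        return self.get_object()


def status_for(user, **kwargs):
    """Return the HTTP status the stand-in view would produce for a request."""
    try:
        DetailView(user, **kwargs).retrieve()
        return 200
    except (PermissionDenied, NotFound) as exc:
        return exc.status


if __name__ == "__main__":
    print(status_for(ALICE, pk=1))                # own tenant's row
    print(status_for(ALICE, pk=2))                # foreign row, no scope in URL
    print(status_for(ALICE, pk=2, tenant_id=20))  # foreign scope named in URL
```

Without the tenant in the URL, Alice asking for pk=2 falls through the filtered queryset and gets 404; with the tenant in the URL, `has_permission` refuses with 403 before the queryset is touched, which is the behaviour the post's tests expect.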