I'm working through the DRF tutorial and everything has been working fine up until topic *Object Level Permission. *I have modified my project according to the tutorial but I'm still able to delete and edit records related to other users.
I created permissions.py file: from rest_framework import permissions class IsOwnerOrReadOnly(permissions.BasePermission): """ Custom permission to only allow owners of an object to edit it. """ def has_object_permission(self, request, view, obj): # Read permissions are allowed to any request, # so we'll always allow GET, HEAD or OPTIONS requests. if request.method in permissions.SAFE_METHODS: return True # Write permissions are only allowed to the owner of the snippet. return obj.owner == request.user and modified SnippetDetail view: class SnippetDetail(generics.RetrieveUpdateDestroyAPIView): """ Retrieve update or delete a code snippet """ permissions_classes = (permissions.IsAuthenticatedOrReadOnly, IsOwnerOrReadOnly,) queryset = Snippet.objects.all() serializer_class = SnippetSerializer Where am I going wrong? -- You received this message because you are subscribed to the Google Groups "Django REST framework" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-rest-framework+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
