object level permissions, basic auth flow achvd

2022-01-08 05:29:03 +05:30 · 2022-01-08 05:29:03 +05:30 · eb24f56b7c
commit eb24f56b7c
parent 17f5199fa1
2 changed files with 17 additions and 1 deletions
--- a/website/snippets/permissions.py
+++ b/website/snippets/permissions.py
@ -0,0 +1,15 @@
+from rest_framework import permissions
+
+class IsOwnerOrReadOnly(permissions.BasePermission):
+    """
+    Custom permission to only allow owners of an object to edit it.
+    """
+
+    def has_object_permission(self, request, view, obj):
+        # Read permissions are allowed to any request,
+        # so we'll always allow GET, HEAD or OPTIONS requests.
+        if request.method in permissions.SAFE_METHODS:
+            return True
+
+        # Write permissions are only allowed to the owner of the snippet.
+        return obj.owner == request.user
--- a/website/snippets/views.py
+++ b/website/snippets/views.py
@ -2,6 +2,7 @@ from django.contrib.auth.models import User

 from .models import Snippet
 from .serializers import SnippetSerializer, UserSerializer
+from .permissions import IsOwnerOrReadOnly
 from rest_framework import generics, permissions

 class SnippetList(generics.ListCreateAPIView):
@ -16,7 +17,7 @@ class SnippetList(generics.ListCreateAPIView):
 class SnippetDetail(generics.RetrieveUpdateDestroyAPIView):
    queryset = Snippet.objects.all()
    serializer_class = SnippetSerializer
-    permission_classes = [permissions.IsAuthenticatedOrReadOnly]
+    permission_classes = [permissions.IsAuthenticatedOrReadOnly, IsOwnerOrReadOnly]

 class UserList(generics.ListAPIView):
    queryset = User.objects.all()