1

I want to arrange permission like that each user can edit his own profile. Just super user can edit all profile. What I need to add permissions.py ? Thank you.

views.py

class UserViewSet(mixins.ListModelMixin,
              mixins.RetrieveModelMixin,
              mixins.UpdateModelMixin,
              mixins.DestroyModelMixin,
              generics.GenericAPIView):

queryset = User.objects.all()
serializer_class = UserSerializer
permission_classes = [IsAuthenticated]
authentication_classes = (JSONWebTokenAuthentication, )

permissions.py

class IsOwnerOrReadOnly(BasePermission):

message = '!!'
my_safe_method = ['GET', 'PUT']

def has_permission(self, request, view):
    if request.method in self.my_safe_method:
        return True
    return False

def has_object_permission(self, request, view, obj):
    # member .0 Membership.objects.get(user=request.user)
    # member.is_active
    if request.method in SAFE_METHODS:
        return True
    return obj.user == request.user
Improve this question

1 Answer 1

Reset to default
2

Write your own permission

class IsObjectOwner(BasePermission):
        message = "You must be the owner of this object."
        my_safe_methods = ['GET', 'PUT', 'PATCH', 'DELETE']

    def has_permission(self, request, view):
        if request.method in self.my_safe_methods:
            return True
        return False

    def has_object_permission(self, request, view, obj):
        if request.user.is_superuser:
            return obj
        else:
            return obj == request.user

and then in the view add it in permission_classes

class UserDetailView(RetrieveUpdateDestroyAPIView):
    permission_classes = [IsObjectOwner, permissions.IsAuthenticated]
Improve this answer
1
  • I use User = get_user_model() in views.py. So return obj.user_id == request.user in this line has an error like that 'User' object has no attribute 'user_id'. How can I edit it? Thank you.
    – knkzlgc
    Commented Aug 10, 2016 at 13:37

Not the answer you're looking for? Browse other questions tagged or ask your own question.