Update instance for author in Django REST
I would like to update a instance of a model only if the request author is same than instance author.
I guess can do it in the update method:
def update(self, request, *args, **kwargs):
if request.user == self.get_object().user
do_things()
How can I do it? Is it obligatory to write an update en every ModelViewSet or ListAPIView? or is there a method to write a custom permission to accomplish this.
django django-rest-framework
asked Nov 14 '18 at 22:38
Giancarlo VenturaGiancarlo Ventura
362216
add a comment |
I would like to update a instance of a model only if the request author is same than instance author.
I guess can do it in the update method:
def update(self, request, *args, **kwargs):
if request.user == self.get_object().user
do_things()
How can I do it? Is it obligatory to write an update en every ModelViewSet or ListAPIView? or is there a method to write a custom permission to accomplish this.
django django-rest-framework
asked Nov 14 '18 at 22:38
Giancarlo VenturaGiancarlo Ventura
362216
add a comment |
I would like to update a instance of a model only if the request author is same than instance author.
I guess can do it in the update method:
def update(self, request, *args, **kwargs):
if request.user == self.get_object().user
do_things()
How can I do it? Is it obligatory to write an update en every ModelViewSet or ListAPIView? or is there a method to write a custom permission to accomplish this.
django django-rest-framework
asked Nov 14 '18 at 22:38
Giancarlo VenturaGiancarlo Ventura
362216
I would like to update a instance of a model only if the request author is same than instance author.
I guess can do it in the update method:
def update(self, request, *args, **kwargs):
if request.user == self.get_object().user
do_things()
How can I do it? Is it obligatory to write an update en every ModelViewSet or ListAPIView? or is there a method to write a custom permission to accomplish this.
django django-rest-framework
django django-rest-framework
asked Nov 14 '18 at 22:38
Giancarlo VenturaGiancarlo Ventura
362216
asked Nov 14 '18 at 22:38
Giancarlo VenturaGiancarlo Ventura
362216
edited Nov 14 '18 at 22:43
Giancarlo Ventura
asked Nov 14 '18 at 22:38
Giancarlo VenturaGiancarlo Ventura
362216
asked Nov 14 '18 at 22:38
Giancarlo VenturaGiancarlo Ventura
362216
asked Nov 14 '18 at 22:38
Giancarlo VenturaGiancarlo Ventura
362216
362216
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
You can implement a custom permission. The following example is from the docs, modified to fit your use case:
from rest_framework import permissions
class IsOwnerOrReadOnly(permissions.BasePermission):
"""
Object-level permission to only allow owners of an object to edit it.
Assumes the model instance has an `user` attribute.
"""
def has_object_permission(self, request, view, obj):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in permissions.SAFE_METHODS:
return True
# Instance must have an attribute named `user`.
return obj.user == request.user
answered Nov 15 '18 at 2:27
schillingtschillingt
5,62711822
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53309780%2fupdate-instance-for-author-in-django-rest%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
You can implement a custom permission. The following example is from the docs, modified to fit your use case:
from rest_framework import permissions
class IsOwnerOrReadOnly(permissions.BasePermission):
"""
Object-level permission to only allow owners of an object to edit it.
Assumes the model instance has an `user` attribute.
"""
def has_object_permission(self, request, view, obj):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in permissions.SAFE_METHODS:
return True
# Instance must have an attribute named `user`.
return obj.user == request.user
answered Nov 15 '18 at 2:27
schillingtschillingt
5,62711822
add a comment |
You can implement a custom permission. The following example is from the docs, modified to fit your use case:
from rest_framework import permissions
class IsOwnerOrReadOnly(permissions.BasePermission):
"""
Object-level permission to only allow owners of an object to edit it.
Assumes the model instance has an `user` attribute.
"""
def has_object_permission(self, request, view, obj):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in permissions.SAFE_METHODS:
return True
# Instance must have an attribute named `user`.
return obj.user == request.user
answered Nov 15 '18 at 2:27
schillingtschillingt
5,62711822
add a comment |
You can implement a custom permission. The following example is from the docs, modified to fit your use case:
from rest_framework import permissions
class IsOwnerOrReadOnly(permissions.BasePermission):
"""
Object-level permission to only allow owners of an object to edit it.
Assumes the model instance has an `user` attribute.
"""
def has_object_permission(self, request, view, obj):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in permissions.SAFE_METHODS:
return True
# Instance must have an attribute named `user`.
return obj.user == request.user
answered Nov 15 '18 at 2:27
schillingtschillingt
5,62711822
You can implement a custom permission. The following example is from the docs, modified to fit your use case:
from rest_framework import permissions
class IsOwnerOrReadOnly(permissions.BasePermission):
"""
Object-level permission to only allow owners of an object to edit it.
Assumes the model instance has an `user` attribute.
"""
def has_object_permission(self, request, view, obj):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in permissions.SAFE_METHODS:
return True
# Instance must have an attribute named `user`.
return obj.user == request.user
answered Nov 15 '18 at 2:27
schillingtschillingt
5,62711822
answered Nov 15 '18 at 2:27
schillingtschillingt
5,62711822
answered Nov 15 '18 at 2:27
schillingtschillingt
5,62711822
answered Nov 15 '18 at 2:27
schillingtschillingt
5,62711822
5,62711822
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53309780%2fupdate-instance-for-author-in-django-rest%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
