You do not have permission to perform this action when accessing API in Django

Ashok · Jul 20, 2018 · Viewed 8.4k times

I am trying to add custom permissions in my Django app using Django REST framework. I created an API and tested it in Postman; it works fine for an authenticated user. However, it doesn't display details when I visit the details view. For example, when I visit http://localhost:8000/placeslist/ it displays all the places, but when I try http://localhost:8000/placeslist/1/ it says you don't have permission. I don't know where I went wrong.

models.py

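from django.db import models

# BaseModel is defined elsewhere in the asker's project (not shown).
class Places(BaseModel):
    name = models.CharField(max_length=255, null=True, default='')
    owner = models.ForeignKey('auth.User', related_name='place_list', on_delete=models.CASCADE, null=True)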

Views.py

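from rest_framework import generics, permissions

# Places, PlacesSerializer and IsOwner are the app's own classes shown on this page.

class PlacesView(generics.ListCreateAPIView):
    queryset = Places.objects.all()
    serializer_class = PlacesSerializer
    # IsOwner defines only has_object_permission, which list/create never calls.
    permission_classes = (permissions.IsAuthenticated, IsOwner)

    def perform_create(self, serializer):
        # Record the requesting user as the owner of the new place.
        serializer.save(owner=self.request.user)


class PlacesDetailView(generics.RetrieveUpdateDestroyAPIView):
    queryset = Places.objects.all()
    serializer_class = PlacesSerializer
    # get_object() runs IsOwner.has_object_permission for the looked-up place.
    permission_classes = (permissions.IsAuthenticated, IsOwner)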

Permission.py

from rest_framework.permissions import BasePermission

class IsOwner(BasePermission):
    # Object-level check: generic views invoke it via get_object(), so on detail views only.
    def has_object_permission(self, request, view, obj):
        return obj.owner == request.user

Serializer.py

from rest_framework import serializers

class PlacesSerializer(serializers.ModelSerializer):
    # Expose the owner's username; clients cannot set it.
    owner = serializers.ReadOnlyField(source='owner.username')

    class Meta:
        model = Places
        fields = ('id', 'name', 'owner')

urls.py

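from django.conf.urls import url
from rest_framework.authtoken.views import obtain_auth_token

urlpatterns = [
    url(r'^placeslist/$', PlacesView.as_view(), name="place"),
    url(r'^placeslist/(?P<pk>[0-9]+)/$', PlacesDetailView.as_view(), name="place_details"),
    url(r'^get-token/', obtain_auth_token),
]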

Settings.py

....

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.TokenAuthentication',
    )
}

....

Answer

reon · Jul 20, 2018

That's because of your custom permission, where you are trying to access an instance (Place with pk = 1) where the owner is not the user you are currently using.

Check the owner of that Place.

And you can just remove the permissions.IsAuthenticated on your view, because you already put it in the default permission class.
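
Why the list works while the detail URL is refused, as an added example that is not part of the original question or answer: a framework-free Python model of the two request paths, in which the object-level rule runs only after a single object has been looked up. The `Place` rows, the user names and the `scoped` flag (standing in for a `get_queryset()` filtered on the requesting user) are constructed for illustration and are not DRF API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Place:
    id: int
    name: str
    owner: str


# Constructed sample rows standing in for Places.objects.all()
PLACES = [Place(1, "Harbour Cafe", "alice"), Place(2, "City Park", "bob")]


def is_owner(user, obj):
    """Same rule as the page's IsOwner.has_object_permission."""
    return obj.owner == user


def queryset(user, scoped):
    """scoped=False models Places.objects.all(); scoped=True models a
    get_queryset() that filters on owner=request.user (an assumption,
    not code from the page)."""
    return [p for p in PLACES if not scoped or p.owner == user]


def list_view(user, scoped=False):
    """GET /placeslist/ : only the view-level check runs, never is_owner()."""
    if user is None:
        return 401, None
    return 200, [p.id for p in queryset(user, scoped)]


def detail_view(user, pk, scoped=False):
    """GET /placeslist/<pk>/ : object lookup, then the object-level check."""
    if user is None:
        return 401, None
    obj = next((p for p in queryset(user, scoped) if p.id == pk), None)
    if obj is None:
        return 404, None
    if not is_owner(user, obj):
        return 403, None  # "You do not have permission to perform this action."
    return 200, obj.name


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, list_view(user), detail_view(user, 1))
        print(user, list_view(user, True), detail_view(user, 1, True))
```

In DRF, setting `permission_classes` on a view replaces `DEFAULT_PERMISSION_CLASSES` rather than adding to it, so a view that lists only `IsOwner` no longer requires authentication at the view level.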