You do not have permission to perform this action when accessing API in Django


That's because of your custom permission, where you are trying to access an instance (Place with pk = 1) where the owner is not the user you are currently using.

Check the owner of that Place.

And you can just remove the permissions.IsAuthenticated on your view, because you already put it in the default permission class.

Author: Ashok


Updated on June 13, 2022

Comments

  • Ashok
    Ashok about 2 years

    I am trying to add custom permissions in my Django app using Django REST framework. I created an API and tested it in Postman; it works fine for an authenticated user. However, it doesn't display details when I visit the details view. For example, when I visit http://localhost:8000/placeslist/ it displays all the places, but when I try http://localhost:8000/placeslist/1/ it says you don't have permission. I don't know where I went wrong.

    models.py

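    from django.db import models

    # BaseModel is defined elsewhere in the poster's project (not shown).
    class Places(BaseModel):
        name = models.CharField(max_length=255, null=True, default='')
        owner = models.ForeignKey('auth.User', related_name='place_list', on_delete=models.CASCADE, null=True)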
    

    Views.py

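    from rest_framework import generics, permissions

    class PlacesView(generics.ListCreateAPIView):
        # List/create: only view-level has_permission() runs here;
        # has_object_permission() is not invoked for a list.
        queryset = Places.objects.all()
        serializer_class = PlacesSerializer
        permission_classes = (permissions.IsAuthenticated, IsOwner)

        def perform_create(self, serializer):
            # Record the requesting user as the owner of the new place.
            serializer.save(owner=self.request.user)


    class PlacesDetailView(generics.RetrieveUpdateDestroyAPIView):
        # Detail: the object lookup triggers has_object_permission().
        queryset = Places.objects.all()
        serializer_class = PlacesSerializer
        permission_classes = (permissions.IsAuthenticated, IsOwner)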
    

    Permission.py

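    from rest_framework.permissions import BasePermission

    class IsOwner(BasePermission):
        def has_object_permission(self, request, view, obj):
            # Both branches of the original isinstance() check returned the
            # same comparison, so a single return behaves identically.
            return obj.owner == request.user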
    

    Serializer.py

    from rest_framework import serializers

    class PlacesSerializer(serializers.ModelSerializer):
        # Expose the owner's username; clients cannot set it.
        owner = serializers.ReadOnlyField(source='owner.username')

        class Meta:
            model = Places
            fields = ('id', 'name', 'owner')
    

    urls.py

    url(r'^placeslist/$', PlacesView.as_view(), name="place"),
    # Anchored with ^ like the other routes.
    url(r'^placeslist/(?P<pk>[0-9]+)/$', PlacesDetailView.as_view(), name="place_details"),
    url(r'^get-token/', obtain_auth_token),
    

    Settings.py

    ....
    
    REST_FRAMEWORK = {
        'DEFAULT_PERMISSION_CLASSES': (
            'rest_framework.permissions.IsAuthenticated',
        ),
        'DEFAULT_AUTHENTICATION_CLASSES': (
            'rest_framework.authentication.BasicAuthentication',
            'rest_framework.authentication.TokenAuthentication',
        )
    }
    
    ....
    
  • Aleem
    Aleem over 3 years
    Make sure your settings DEFAULT_PERMISSION_CLASSES are set properly in the settings.py file.
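
Why /placeslist/ returns every place while /placeslist/1/ is denied, as an added example that is not part of the original question or answer: a simplified pure-Python model of how Django REST framework applies permission classes to an authenticated request (not DRF's own code). The sample places, the user names and the `scope_to_owner` flag are constructed for illustration.

```python
# Simplified model of DRF's permission flow (not DRF's code): view-level
# has_permission runs on every request; has_object_permission runs only
# when a detail view looks up a single object.
from dataclasses import dataclass

@dataclass
class Place:                      # stand-in for the question's Places model
    pk: int
    name: str
    owner: str

# Constructed sample data: place 1 belongs to a different user.
PLACES = [Place(1, "Harbour", "alice"), Place(2, "Museum", "ashok")]

class IsOwner:
    def has_permission(self, user):           # BasePermission default: allow
        return True

    def has_object_permission(self, user, obj):
        return obj.owner == user

def list_view(user, perms, scope_to_owner=False):
    """Model of a list view: only has_permission is consulted."""
    if not all(p.has_permission(user) for p in perms):
        return 403, []
    # scope_to_owner (hypothetical flag) models filtering the queryset.
    rows = [p for p in PLACES if not scope_to_owner or p.owner == user]
    return 200, [p.name for p in rows]

def detail_view(user, perms, pk):
    """Model of a detail view: the object check runs after the lookup."""
    if not all(p.has_permission(user) for p in perms):
        return 403, None
    obj = next((p for p in PLACES if p.pk == pk), None)
    if obj is None:
        return 404, None
    if not all(p.has_object_permission(user, obj) for p in perms):
        return 403, None
    return 200, obj.name

if __name__ == "__main__":
    perms = [IsOwner()]
    print(list_view("ashok", perms))           # IsOwner never filters a list
    print(detail_view("ashok", perms, 1))      # denied: owned by alice
    print(detail_view("ashok", perms, 2))      # allowed: own place
    print(list_view("ashok", perms, scope_to_owner=True))
```

In DRF itself, the owner-scoped list corresponds to overriding `get_queryset()` on the list view to filter by `owner=self.request.user`; without that, any authenticated user can enumerate other users' places through the list endpoint.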