diff options
| author | Tom Christie | 2013-08-21 11:52:45 -0700 |
|---|---|---|
| committer | Tom Christie | 2013-08-21 11:52:45 -0700 |
| commit | d900847d98e40921cd9bde251e002453d1d922be (patch) | |
| tree | 43a55676e0372ee68aef3dafcf212af6e500cd15 /docs | |
| parent | 5e40e50f2b187fe2ff2e8ee63b4e39ece42f1521 (diff) | |
| parent | 1bf712341508b5d9aa07fb62f55b7e495278fabf (diff) | |
| download | django-rest-framework-d900847d98e40921cd9bde251e002453d1d922be.tar.bz2 | |
Merge pull request #1050 from filipeximenes/master
Improving documentation about object level permissions #1049
Diffstat (limited to 'docs')
| -rwxr-xr-x | docs/api-guide/generic-views.md | 5 | ||||
| -rw-r--r-- | docs/api-guide/permissions.md | 7 |
2 files changed, 11 insertions, 1 deletions
diff --git a/docs/api-guide/generic-views.md b/docs/api-guide/generic-views.md index 7f754df8..281a0481 100755 --- a/docs/api-guide/generic-views.md +++ b/docs/api-guide/generic-views.md @@ -113,7 +113,10 @@ For example: filter = {} for field in self.multiple_lookup_fields: filter[field] = self.kwargs[field] - return get_object_or_404(queryset, **filter) + + obj = get_object_or_404(queryset, **filter) + self.check_object_permissions(self.request, obj) + return obj #### `get_serializer_class(self)` diff --git a/docs/api-guide/permissions.md b/docs/api-guide/permissions.md index a3d86ed4..6b80a98c 100644 --- a/docs/api-guide/permissions.md +++ b/docs/api-guide/permissions.md @@ -28,6 +28,13 @@ If you're writing your own views and want to enforce object level permissions, you'll need to explicitly call the `.check_object_permissions(request, obj)` method on the view at the point at which you've retrieved the object. This will either raise a `PermissionDenied` or `NotAuthenticated` exception, or simply return if the view has the appropriate permissions. +For example: + + def get_object(self): + obj = get_object_or_404(self.get_queryset()) + self.check_object_permissions(self.request, obj) + return obj + ## Setting the permission policy The default permission policy may be set globally, using the `DEFAULT_PERMISSION_CLASSES` setting. For example. |