[Django]-Check_object_permissions with CreateAPIView


The method check_object_permissions is not called when a Comment is created.

Here is the full create code of the CreateAPIView:

class CreateModelMixin(object):
    """
    Create a model instance.

    Nothing in this mixin calls ``check_object_permissions``: the request
    is validated, saved and echoed back. An object-level rule for a newly
    created instance therefore has to be enforced by overriding
    ``perform_create``.
    """
    def create(self, request, *args, **kwargs):
        """
        Validate ``request.data`` with the view's serializer, save it and
        return the serialized instance with HTTP 201.

        Raises the serializer's validation error when the payload is invalid
        (``raise_exception=True``), so ``perform_create`` only ever sees
        validated data.
        """
        incoming = self.get_serializer(data=request.data)
        incoming.is_valid(raise_exception=True)
        self.perform_create(incoming)
        location_headers = self.get_success_headers(incoming.data)
        return Response(
            incoming.data,
            status=status.HTTP_201_CREATED,
            headers=location_headers,
        )

    def perform_create(self, serializer):
        """Persist the validated serializer; the hook to override for extra checks."""
        serializer.save()

    def get_success_headers(self, data):
        """
        Build the ``Location`` header from the serialized instance's URL field.

        Returns an empty dict when ``data`` is not a mapping or has no URL
        field, so the response is still produced without a Location header.
        """
        try:
            location = data[api_settings.URL_FIELD_NAME]
        except (TypeError, KeyError):
            return {}
        return {'Location': location}

check_object_permissions is only called from get_object, which itself is only called when you retrieve a single object via the API — the create path above never reaches it.

To have an object-level permission check in CommentCreate, override perform_create there and do the check yourself before saving:

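class CommentCreate(generics.CreateAPIView):
    """
    Create a Comment, allowing only the creator of the target report to do so.

    ``CreateAPIView`` never calls ``check_object_permissions`` while
    creating, so the object-level rule is enforced in ``perform_create``,
    on the serializer's validated data rather than on ``request.data``.
    """
    serializer_class = CommentSerializer
    # This view only creates; nothing is listed or retrieved from it.
    queryset = Comment.objects.none()

    def perform_create(self, serializer):
        """
        Save the comment only if the requesting user created its report.

        Fails closed: when no ``report`` is present in ``validated_data``
        the request is denied instead of letting a KeyError escape.

        Raises:
            exceptions.PermissionDenied: no report was supplied, or the
                requesting user is not that report's creator.
        """
        report = serializer.validated_data.get('report')
        if report is None or report.creator != self.request.user:
            raise exceptions.PermissionDenied(
                detail='You do not have permission')

        serializer.save()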
