[Fixed]-Django rest framework group based permissions for individual views


The problem is where you are adding multiple permission_classes to your views. The method where your permissions are checked is check_permissions(). If you look at the DRF code,

def check_permissions(self, request):
    Check if the request should be permitted.
    Raises an appropriate exception if the request is not permitted.
    for permission in self.get_permissions():
        if not permission.has_permission(request, self):
                request, message=getattr(permission, 'message', None)

When you are providing multiple permission_classes, the user must satisfy both the permissions. So, the logged in user must be a Staff and Customer at same time. I think this is why your view fails.

Leave a comment