10👍
✅
The problem is where you are adding multiple permission_classes to your views. The method where your permissions are checked is check_permissions(). If you look at the DRF code,

    def check_permissions(self, request):
        """
        Check if the request should be permitted.
        Raises an appropriate exception if the request is not permitted.
        """
        for permission in self.get_permissions():
            if not permission.has_permission(request, self):
                self.permission_denied(
                    request, message=getattr(permission, 'message', None)
                )

When you are providing multiple permission_classes, the user must satisfy both the permissions. So, the logged-in user must be a Staff and a Customer at the same time. I think this is why your view fails.
Source: stackexchange.com
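
The AND behaviour described in the answer, next to an explicit OR, as an added example that is not part of the original answer or of DRF. It models the quoted check_permissions() loop without Django; IsStaff, IsCustomer, AnyOf, the view classes and the user dicts are hypothetical names constructed for illustration. DRF itself also lets you compose permission classes with the `|` operator.

```python
# Stand-alone model of the DRF loop quoted above (assumption: plain dicts
# stand in for request/user objects; no Django or DRF import is needed).
class PermissionDenied(Exception):
    pass

class IsStaff:
    message = "Staff only."
    def has_permission(self, request, view):
        return request["user"].get("is_staff", False)

class IsCustomer:
    message = "Customers only."
    def has_permission(self, request, view):
        return request["user"].get("is_customer", False)

class AnyOf:
    """Passes when at least one wrapped permission passes (logical OR)."""
    message = "Requires one of the listed roles."
    def __init__(self, *perms):
        self.perms = perms
    def has_permission(self, request, view):
        return any(p.has_permission(request, view) for p in self.perms)

class View:
    permissions = []  # empty list would allow everyone, so always set it
    def get_permissions(self):
        return self.permissions
    def permission_denied(self, request, message=None):
        raise PermissionDenied(message)
    def check_permissions(self, request):
        # Same logic as the quoted method: the first failing permission denies.
        for permission in self.get_permissions():
            if not permission.has_permission(request, self):
                self.permission_denied(
                    request, message=getattr(permission, "message", None))

class AndView(View):
    permissions = [IsStaff(), IsCustomer()]         # both must pass

class OrView(View):
    permissions = [AnyOf(IsStaff(), IsCustomer())]  # either may pass

def denial_reason(view, user):
    """Return None when access is granted, else the denial message."""
    try:
        view.check_permissions({"user": user})
        return None
    except PermissionDenied as exc:
        return str(exc)
```

With a staff-only user, `denial_reason(AndView(), ...)` reports the IsCustomer message because the list is evaluated as a conjunction, while `OrView` grants access; a user with neither role is denied by both.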