Document the limitation that object level permissions do not apply to object creation. See for example #6409.

Henryk Plötz 2020-07-31 09:29:08 +02:00
parent 559088463b
commit 658236d694


@ -70,6 +70,8 @@ For performance reasons the generic views will not automatically apply object le
Often when you're using object level permissions you'll also want to [filter the queryset][filtering] appropriately, to ensure that users only have visibility onto instances that they are permitted to view. Often when you're using object level permissions you'll also want to [filter the queryset][filtering] appropriately, to ensure that users only have visibility onto instances that they are permitted to view.
Because the `get_object()` method is not called, object level permissions from the `has_object_permission()` method **are not applied** when creating objects. In order to restrict object creation you need to implement the permission check either in your Serializer class or override the `perform_create()` method of your ViewSet class.
## Setting the permission policy ## Setting the permission policy
The default permission policy may be set globally, using the `DEFAULT_PERMISSION_CLASSES` setting. For example. The default permission policy may be set globally, using the `DEFAULT_PERMISSION_CLASSES` setting. For example.
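Review bot: The added paragraph names only "your ViewSet class" as the place to override `perform_create()`, but the context line above it is about the generic views, which provide the same hook; consider "your view or ViewSet class" so readers using plain generic views do not assume the advice excludes them. The paragraph also gives only half of the reason: it could state that `has_object_permission()` is skipped because no instance exists yet when the create request is handled, which explains why `get_object()` is never called. Two smaller points: "Serializer" should be lowercase to match the rest of the prose, and it would help to say what the override is expected to do on failure (reject the request before saving), since the sentence currently says where to put the check but not how it should end.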