fixes bug in APIView with object level permissions

rest_framework/permissions.py

@@ -151,6 +151,9 @@ class DjangoObjectPermissions(DjangoModelPermissions):
     This permission can only be applied against view classes that
     provide a `.queryset` attribute.
     """
+
+    requires_object_permission = True
+
     perms_map = {
         'GET': [],
         'OPTIONS': [],

rest_framework/views.py

@@ -7,6 +7,7 @@ from django.core.exceptions import PermissionDenied
 from django.db import models
 from django.http import Http404
 from django.http.response import HttpResponseBase
+from django.shortcuts import get_object_or_404 as _get_object_or_404
 from django.utils import six
 from django.utils.encoding import smart_text
 from django.utils.translation import ugettext_lazy as _
@@ -382,7 +383,11 @@ class APIView(View):
 
         # Ensure that the incoming request is permitted
         self.perform_authentication(request)
-        self.check_permissions(request)
+        if getattr(self, 'requires_object_permission', None) and 'pk' in kwargs:
+            obj = _get_object_or_404(self.get_queryset(), pk=kwargs['pk'])
+            self.check_object_permissions(request, obj)
+        else:
+            self.check_permissions(request)
         self.check_throttles(request)
 
     def finalize_response(self, request, response, *args, **kwargs):