Real use case: An HR app.
I want only admin users to be able to see a list of all employees, and employees to only be able to see their own employee object.
Here is my current code:
The problem with the above is has_permission() always runs. If I keep it, users will not be able to see their own info. If I remove it, they will be able to see a list of all employees.
The has_object_permissions() method was added in DRF 2.2 to eliminate the need to check for an obj argument.
I propose allowing the implementation of a has_list_permission() method which only runs when requesting a list of all objects. This would allow more flexible permissions systems without having to define custom behavior in the View or ViewSet.
I tried filtering in the get_queryset() method, but when requesting another Employee as a non-admin I would get the status HTTP_404_NOT_FOUND, which is not the proper status for a forbidden request.
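Added example, not code from the issue or from DRF: it models the split the issue asks for (admins may list all employees, any user may only retrieve their own Employee, and a non-admin requesting someone else's record is denied with 403 rather than 404). The User/Employee/Request/View dataclasses and check_permissions() are constructed stand-ins for DRF's request and view objects and its permission dispatch; has_list_permission() is the hook the issue proposes and is not part of DRF.

```python
# Added example, not code from the issue or from DRF. The dataclasses and
# check_permissions() are constructed stand-ins for DRF's request/view objects
# and its permission dispatch; has_list_permission() is the hook the issue
# proposes and does not exist in DRF.
from dataclasses import dataclass

@dataclass
class User:
    id: int
    is_staff: bool = False

@dataclass
class Employee:
    id: int
    user_id: int

@dataclass
class Request:
    user: User

@dataclass
class View:
    action: str  # "list" or "retrieve", as a DRF ViewSet exposes view.action

class IsAdminOrOwnEmployee:
    """Permission class in the shape DRF uses, plus the proposed list hook."""

    def has_permission(self, request, view):
        # Runs for every request, list or detail: only require a user here.
        return request.user is not None

    def has_list_permission(self, request, view):
        # Proposed hook: consulted only for list requests.
        return request.user.is_staff

    def has_object_permission(self, request, view, obj):
        # Detail requests: admins see everyone, others only their own record.
        return request.user.is_staff or obj.user_id == request.user.id

def check_permissions(perm, request, view, obj=None):
    """Stand-in dispatcher: returns the HTTP status DRF would produce."""
    if not perm.has_permission(request, view):
        return 403
    if view.action == "list":
        return 200 if perm.has_list_permission(request, view) else 403
    if obj is None:
        return 404  # object not found: a lookup failure, not a permission one
    return 200 if perm.has_object_permission(request, view, obj) else 403
```

The 404 branch is the behaviour the issue describes when the restriction is pushed into get_queryset(): the lookup fails before any object permission is consulted, so a forbidden record and a missing record become indistinguishable.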