What’s the differences between has_object_permission and has_permission?

by

We have following two permission methods on BasePermission class:

  • def has_permission(self, request, view)
  • def has_object_permission(self, request, view, obj)

Those two different methods are called for restricting unauthorized users for data insertion and manipulation.

has_permission is called on all HTTP requests whereas, has_object_permission is called from DRF’s method def get_object(self). Hence, has_object_permission method is available for GET, PUT, DELETE, not for POST request.

In summary:

  • permission_classes are looped over the defined list.
  • has_object_permission method is called after has_permission method returns value True except in POST method (in POST method only has_permission is executed).
  • When a False value is returned from the permission_classes method, the request gets no permission and will not loop more, otherwise, it checks all permissions on looping.
  • has_permission method will be called on all (GET, POST, PUT, DELETE) HTTP request.
  • has_object_permission method will not be called on HTTP POST request, hence we need to restrict it from has_permission method.

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)