I want to restrict update of a record to the record owner in an UpdateAPIView with Django REST, but I don't know how to code the method.
For example, something like this:

    from rest_framework import generics
    from testapp.models import UserProfile  # assumed module path; this import is not shown in the post
    from testapp.serializers import UserProfileSerializer
    from rest_framework.renderers import JSONRenderer
    from rest_framework.response import Response
    from rest_framework.views import APIView
    from rest_framework import permissions
    from oauth2_provider.ext.rest_framework import TokenHasReadWriteScope


    class UserProfileView(generics.UpdateAPIView):
        permission_classes = [permissions.IsAuthenticated, TokenHasReadWriteScope]
        serializer_class = UserProfileSerializer
        queryset = UserProfile.objects.all()

        # patch method?
        # if UserProfile user != self.request.user:
        #     raise exceptions.PermissionDenied
        # else:
        #     continue as normal

Where "user" is a field on the UserProfile model.