Le 20 janv. 2016 à 13:02, Raúl Pedro Santos <bor...@gmail.com> a écrit :Hi Xavier,That sounds like it could work. I would have to do it for every one of the models I'm exposing through the API, though, and there are a lot of them, which would make this quite a cumbersome task.
I would also prefer not to override the entire method, since I still want to rely on DRF's code and future changes (my overridden method may become incompatible with DRF for some reason).
I was hoping for something like a property I could set on my ModelViewSet, something like "list_view_filter_backends" and those would only be applied to the list view but I don't think such a thing exists at all.Another option would be for me to remove the filter_backends property from my ViewSet class and then override the list() method, but that brings me back to my first two points against overriding get_object().Of course ultimately I could not use ViewSets and do things manually but I would obviously also prefer not to do that, since I'm rather fond of how much work DRF saves me with the ViewSets.Not sure what to do here...Raúl
On Wednesday, 20 January 2016 06:46:01 UTC, Xavier Ordoquy wrote:Hi
> Le 20 janv. 2016 à 00:24, Raúl Pedro Santos <bor...@gmail.com> a écrit :
>
> Hi everyone,
>
> Is there a way, when using a ModelViewSet, to filter only the list results but not the detail results?
>
> I have a list of objects that have an owner and I only want users to see the ones they own when they access the objects list. For that purpose I implemented a new permission class based on rest_framework.permissions.BasePermission, which works fine with the list.
>
> The problem arises when I try to access an object that doesn't belong to my user: I get a "404 not found" instead of a "403 forbidden".
>
> In other words, filtering seems to be applied not only to the list but also to the detail view. Is there a way to change this, so that I get the expected 403 when accessing an object which I'm not authorized to see?
You could override the get_object and remove the call to filter_queryset (https://github.com/tomchristie/django-rest-framework/blob/master/rest_framework/generics.py#L84).
Regards,
Xavier,
Linovia.
--
You received this message because you are subscribed to the Google Groups "Django REST framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-rest-fram...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.