drf-extensions
One to one / One to many nested permission
I'm trying to add some permissions to the nested routes, but as I explain in this post on Stack Overflow (http://stackoverflow.com/questions/31733891/django-rest-extensions-nested-route-permissions), when I create a nested route I can't apply a permission that protects the list method for the nested resource, because the list resource uses the get_permission method in the permission class, and I don't have a reference to the objects to validate object ownership or other more complex permissions.
I hope I'm missing something, because it's a big security issue.
You can try to extend nested viewsets as explained here: http://chibisov.github.io/drf-extensions/docs/#usage-with-generic-relations
I'm extending from NestedViewSetMixin.
I'm wondering if there is a way to check the ownership permissions of a nested resource, taking into account the object owner of that resource, in order to be able to filter the nested queries by ownership of a specific resource.
E.g.: a user must have access only to their own profile.
/user/1/profile/ -> returns a list of all profiles that match a specific user id. I want to disable this option and return a single object instead.
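The gap described above (the nested list action is only guarded by the permission class's non-object check, so ownership of the parent cannot be verified) can be closed by checking the parent lookup that drf-extensions already places in the view's URL kwargs. The following is an added example written for this thread, not code from drf-extensions or from anyone in the discussion. It assumes the nested router was registered with `parents_query_lookups=['user']`, so the `NestedViewSetMixin` viewset receives the parent id as `view.kwargs['parent_lookup_user']` (drf-extensions' default `parent_lookup_` prefix). The names `IsParentOwner`, `parent_lookups`, `make_request`, `make_profile`, `nested_view` and `check_list` are mine; the DRF import falls back to a minimal stand-in so the module also runs where Django REST framework is not installed.

```python
# Added example (not drf-extensions' own code): an ownership permission that
# also covers the nested *list* action, which never reaches
# has_object_permission. Assumes parents_query_lookups=['user'] on the router,
# i.e. the parent id arrives in view.kwargs['parent_lookup_user'].
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission
except ImportError:  # DRF not installed here: stand-in with the same interface
    class BasePermission:
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True

PARENT_LOOKUP_PREFIX = "parent_lookup_"  # drf-extensions' default kwarg prefix


def parent_lookups(view_kwargs):
    """Return {parent_name: value} for every parent_lookup_* URL kwarg."""
    return {
        key[len(PARENT_LOOKUP_PREFIX):]: value
        for key, value in view_kwargs.items()
        if key.startswith(PARENT_LOOKUP_PREFIX)
    }


class IsParentOwner(BasePermission):
    """Allow a nested route only when the parent user in the URL is the requester.

    has_permission runs for every action, including list, so the ownership
    check happens before any queryset is evaluated. has_object_permission
    additionally guards detail actions against objects owned by someone else.
    """
    parent_name = "user"  # hypothetical: matches parents_query_lookups=['user']

    def has_permission(self, request, view):
        user = getattr(request, "user", None)
        if user is None or not getattr(user, "is_authenticated", False):
            return False
        if getattr(user, "is_staff", False):
            return True
        parent_id = parent_lookups(getattr(view, "kwargs", {})).get(self.parent_name)
        if parent_id is None:
            # Not a nested route (e.g. /profile/): defer to has_object_permission
            return True
        return str(parent_id) == str(user.pk)

    def has_object_permission(self, request, view, obj):
        if getattr(request.user, "is_staff", False):
            return True
        owner_id = getattr(obj, "user_id", None)
        return owner_id is not None and str(owner_id) == str(request.user.pk)


# Constructed stand-ins so the permission can be exercised without a database.
def make_request(user_pk, is_staff=False, authenticated=True):
    user = SimpleNamespace(pk=user_pk, is_staff=is_staff, is_authenticated=authenticated)
    return SimpleNamespace(user=user)


def make_profile(user_id):
    return SimpleNamespace(user_id=user_id)


def nested_view(url_user_id):
    """View as seen under /user/<url_user_id>/profile/ with the default prefix."""
    return SimpleNamespace(kwargs={PARENT_LOOKUP_PREFIX + "user": str(url_user_id)})


def check_list(user_pk, url_user_id, is_staff=False):
    """Simulate the list action on /user/<url_user_id>/profile/ for a requester."""
    return IsParentOwner().has_permission(make_request(user_pk, is_staff), nested_view(url_user_id))


if __name__ == "__main__":
    print("user 1 lists /user/1/profile/:", check_list(1, 1))
    print("user 2 lists /user/1/profile/:", check_list(2, 1))
```

Add `permission_classes = [IsParentOwner]` to the nested viewset; with the mixin's own parent filtering still in place, a non-owner gets a 403 on the list route instead of an (empty or foreign) list. Returning a single object rather than a list on `/user/1/profile/` is a separate routing question this example does not address.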
/user/1/profile should return only a profile associated with that. What are the outputs? Any code?