drf-access-policy
Per object checks on List/Create methods fail with 'pk' required
I have a policy that controls who can create or list objects:

```
{
    "action": ["<method:get>"],
    "principal": "*",
    "effect": "allow",
    "condition_expression": ["(user_is_assessor or user_is_target or user_is_requestor or user_is_hr)"]
}
```
Where `user_is_assessor` is

```python
def user_is_assessor(self, request, view, action) -> bool:
    obj = view.get_object()
    return obj.assessor.user.username == request.user.username
```
(The goal being to check the "owner" of the object (assessor) is listing/creating child objects.)
`view.get_object()` is throwing an error that I haven't supplied a pk:

```
AssertionError: Expected view AssessmentListView to be called with a URL keyword argument named "pk". Fix your URL conf, or set the `.lookup_field` attribute on the view correctly.
```
Which is correct as this is a list view not a detail view.
(I'm using generics, hence the use of `method:get` rather than `list`)
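An added example, not part of the original post and not code from drf-access-policy: a condition that calls `get_object()` only when the route carries the lookup kwarg, fails closed on writes to a collection route, and leaves per-object enforcement for list responses to row filtering. `StubView`, `scope_rows`, `make_row` and the sample data are hypothetical stand-ins so the block runs without Django installed.

```python
from types import SimpleNamespace as NS

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


class StubView:
    """Hypothetical stand-in for a DRF generic view. Like GenericAPIView,
    get_object() asserts that the lookup kwarg is present in the URL kwargs."""
    lookup_field = "pk"
    lookup_url_kwarg = None

    def __init__(self, rows, **kwargs):
        self.rows, self.kwargs = rows, kwargs

    def get_object(self):
        key = self.lookup_url_kwarg or self.lookup_field
        assert key in self.kwargs, f'Expected a URL keyword argument named "{key}".'
        return self.rows[self.kwargs[key]]


class AssessmentPolicy:
    def user_is_assessor(self, request, view, action) -> bool:
        key = view.lookup_url_kwarg or view.lookup_field
        if key not in view.kwargs:
            # Collection route: there is no single object to test. Allow only
            # authenticated reads here and fail closed on writes; a create
            # needs its own check against the parent named in the payload.
            return request.method in SAFE_METHODS and request.user.is_authenticated
        obj = view.get_object()
        return obj.assessor.user.username == request.user.username

    @staticmethod
    def scope_rows(request, rows):
        # Hypothetical helper: per-object enforcement for list responses.
        # With a Django queryset this would be a filter on the assessor's user.
        me = request.user.username
        return [r for r in rows if r.assessor.user.username == me]


def make_row(owner):  # constructed sample data
    return NS(assessor=NS(user=NS(username=owner)))


if __name__ == "__main__":
    rows = {1: make_row("alice"), 2: make_row("bob")}
    alice = NS(method="GET", user=NS(username="alice", is_authenticated=True))
    policy = AssessmentPolicy()
    print(policy.user_is_assessor(alice, StubView(rows), "get"))        # list route
    print(policy.user_is_assessor(alice, StubView(rows, pk=2), "get"))  # bob's object
    print(len(policy.scope_rows(alice, rows.values())))                 # rows alice may see
```

Without the row filter, the list route would return every assessment to any authenticated caller, so the condition and the filter have to ship together.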