Merge pull request #1050 from filipeximenes/master

Improving documentation about object level permissions #1049

Merge pull request #1050 from filipeximenes/master
Improving documentation about object level permissions #1049
d900847d · Tom Christie · 5e40e50f · 1bf71234 · d900847d · d900847d
Commit d900847d authored Aug 21, 2013 by Tom Christie
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 1 deletions

docs/api-guide/generic-views.md
+4 -1

docs/api-guide/permissions.md
+7 -0

No files found.
--- a/docs/api-guide/generic-views.md
+++ b/docs/api-guide/generic-views.md
@@ -113,7 +113,10 @@ For example:
        filter = {}
        for field in self.multiple_lookup_fields:
            filter[field] = self.kwargs[field]
-        return get_object_or_404(queryset, **filter)
+
+        obj = get_object_or_404(queryset, **filter)
+        self.check_object_permissions(self.request, obj)
+        return obj

 #### `get_serializer_class(self)`


--- a/docs/api-guide/permissions.md
+++ b/docs/api-guide/permissions.md
@@ -28,6 +28,13 @@ If you're writing your own views and want to enforce object level permissions,
 you'll need to explicitly call the `.check_object_permissions(request, obj)` method on the view at the point at which you've retrieved the object.
 This will either raise a `PermissionDenied` or `NotAuthenticated` exception, or simply return if the view has the appropriate permissions.

+For example:
+
+    def get_object(self):
+        obj = get_object_or_404(self.get_queryset())
+        self.check_object_permissions(self.request, obj)
+        return obj
+
 ## Setting the permission policy

 The default permission policy may be set globally, using the `DEFAULT_PERMISSION_CLASSES` setting.  For example.