I have a custom permissions class that has a has_object_permissions() method that works as desired for detail views like GET /object/<pk>/.
I also have a custom get_queryset() method in my viewset class for list views like GET /objects/. The problem is that the detail view calls get_object(), which calls get_queryset(), so my permissions are kind of getting called twice, once in get_queryset() and once in get_object.permissions. This leads to weird behavior like status code 404 instead of 403, because the restricted object has already been removed from the queryset before the permissions are applied, so 404. How do I avoid calling a custom get_queryset() if I know the view is a detail view, i.e. the pk is specified in the URL, so I can avoid enforcing permissions from the custom get_queryset in addition to the permissions in get_object_permissions()?
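The ordering described above, as an added example that is not part of the original post: a plain-Python stand-in for the order in which DRF's `get_object()` runs the queryset lookup (404) and then the object permission check (403), with one view that always filters and one that skips the filter when the lookup kwarg is present. All class names and the sample rows are constructed for illustration. Note that the branching variant's 403 confirms that a restricted row exists, which the filtered 404 does not.

```python
# Stand-in model of DRF's GenericAPIView.get_object() ordering; no Django needed.
# All class names and the sample data below are constructed for illustration.
class NotFound(Exception):
    status_code = 404

class PermissionDenied(Exception):
    status_code = 403

# Constructed sample rows: pk -> owner
ROWS = {1: "alice", 2: "bob"}

class OwnerOnly:
    """Object-level permission: only the owner may access the row."""
    def has_object_permission(self, user, obj):
        return ROWS[obj] == user

class BaseView:
    lookup_field = "pk"
    permission = OwnerOnly()

    def __init__(self, user, **kwargs):
        self.user, self.kwargs = user, kwargs

    def get_object(self):
        # Same order as DRF: queryset lookup first (404), then object permission (403).
        pk = self.kwargs[self.lookup_field]
        if pk not in self.get_queryset():
            raise NotFound()
        if not self.permission.has_object_permission(self.user, pk):
            raise PermissionDenied()
        return pk

class FilteredView(BaseView):
    def get_queryset(self):
        # Always filtered: restricted rows vanish before the permission check runs.
        return [pk for pk, owner in ROWS.items() if owner == self.user]

class BranchingView(BaseView):
    def get_queryset(self):
        # Detail request (lookup kwarg present): leave the decision to the permission class.
        if self.lookup_field in self.kwargs:
            return list(ROWS)
        return [pk for pk, owner in ROWS.items() if owner == self.user]

def status(view):
    try:
        view.get_object()
        return 200
    except (NotFound, PermissionDenied) as exc:
        return exc.status_code
```

In a real DRF viewset the same branch can be written against `self.kwargs` and `self.lookup_field` (or `self.action`), which are the attributes this model mirrors.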