Validate user on update request in Django REST framework

Question

I want to have an API where a user can update his own listings. Currently any authenticated user can update any listing which I found using Postman. I want to validate the user so that the API returns an error as a response if the user is not trying to update his own listing. Here is my code:

# serializers.py

class ListingSerializer(serializers.ModelSerializer):
class Meta:
    model = Listing
    fields = '__all__'

# api.py

class ListingViewSet(ModelViewSet):
    permission_classes = [IsAuthenticatedOrReadOnly]
    serializer_class = ListingSerializer

    def get_queryset(self):
        return Listing.objects.all()

    def perform_create(self, serializer):
        serializer.save(owner=self.request.user)

# urls.py

router = routers.DefaultRouter()

router.register('api/listings', ListingViewSet, 'listings')

urlpatterns = router.urls

Answer 1

You just need to overwrite the perform_update function:

def perform_update(self, serializer):
    obj = self.get_object()
    if self.request.user != obj.created_by:  # Or how ever you validate
        raise PermissionDenied('User is not allowed to modify listing')

    serializer.save()

You will need:

from django.core.exceptions import PermissionDenied

Answer 2

You can limit the object for all method change the main queryset. In this case if an inapropiate user try to access an invalid object the api return 404.

 def get_queryset(self):
    return Listing.objects.filter(owner=self.request.user)