WEBVTT
Kind: captions
Language: en

00:00:00.030 --> 00:00:06.600
Previously we tested our feed API in the
browser. Everything seemed to work okay

00:00:06.600 --> 00:00:11.900
except that we were able to attempt to
create new feed objects when we weren't

00:00:11.900 --> 00:00:18.119
authenticated. In this video we're going
to fix this issue by creating a custom

00:00:18.119 --> 00:00:22.140
permission class and using an existing
permission class that comes with the

00:00:22.140 --> 00:00:29.220
Django REST framework. So let's get
started: open up the Atom editor and the

00:00:29.220 --> 00:00:34.469
first change we're going to make is in
our permissions dot py file we're going to

00:00:34.469 --> 00:00:39.120
add a new permissions class that's very
similar to the update own profile class

00:00:39.120 --> 00:00:45.239
but it's for updating the user's own status.
So this permission class is going to

00:00:45.239 --> 00:00:50.670
ensure that if a user is updating a
status that it is a status that is assigned

00:00:50.670 --> 00:00:57.270
to their user account this way users can
only update their own feed items in the

00:00:57.270 --> 00:00:59.900
database

00:00:59.900 --> 00:01:06.990
so let's create a new class called class update own status and we're

00:01:06.990 --> 00:01:14.340
going to base our class from permissions
dot base permission then in the doc

00:01:14.340 --> 00:01:21.540
string we're going to write allow users
to update their own status

00:01:21.540 --> 00:01:22.350
All right, so

00:01:22.350 --> 00:01:27.600
just like with the update own profile we
need to add a has object permission

00:01:27.600 --> 00:01:33.119
function to our permission class so
let's type def has underscore object

00:01:33.119 --> 00:01:36.600
underscore permission

00:01:36.600 --> 00:01:41.549
then the arguments that we need to add are self request view

00:01:41.549 --> 00:01:45.600
and obj

00:01:45.600 --> 00:01:51.200
then we'll add the doc string here check the user is trying to update

00:01:51.200 --> 00:01:54.280
their own status

00:01:54.280 --> 00:01:57.320
now because this permission class is only to ensure

00:01:57.329 --> 00:02:01.649
that users can update their own status
we're going to allow all these methods

00:02:01.649 --> 00:02:06.149
that are in the safe methods through so
that is if they're trying to retrieve or

00:02:06.149 --> 00:02:09.090
create a new item we're going to return
true

00:02:09.090 --> 00:02:18.670
so if request dot method
in permissions dot safe methods return

00:02:18.670 --> 00:02:20.900
true

00:02:20.900 --> 00:02:26.260
now we need to check that if the
user is trying to update a status that

00:02:26.260 --> 00:02:29.110
means they're not in the safe method so
they're trying to perform a PUT or a

00:02:29.110 --> 00:02:34.300
PATCH or a DELETE. We want to make sure
that the user owns that status or that

00:02:34.300 --> 00:02:39.040
the user profile associated with the
status is assigned to the user making

00:02:39.040 --> 00:02:46.120
the request the way we do that is we
type return obj dot user underscore

00:02:46.120 --> 00:02:54.540
profile dot ID equal equals request dot
user dot ID

00:02:54.540 --> 00:02:56.890
so if the object that is being

00:02:56.890 --> 00:03:04.450
modified has a user profile dot ID the
same as the request dot user ID then

00:03:04.450 --> 00:03:10.570
this will return true and it will allow
the permission through otherwise it will

00:03:10.570 --> 00:03:14.100
return false and it will block the
request being made

00:03:14.100 --> 00:03:19.780
okay so let's save the permissions dot
py file now we need to configure our

00:03:19.780 --> 00:03:22.780
view set to use this permission

00:03:22.780 --> 00:03:25.660
so open up views dot py and we're going

00:03:25.660 --> 00:03:28.840
to configure it to use our permission
but we're also going to add a new

00:03:28.840 --> 00:03:33.730
permission that comes with the Django
REST framework. So let's scroll right to

00:03:33.730 --> 00:03:42.480
the top and let's type from rest
underscore framework dot permissions

00:03:42.480 --> 00:03:50.280
import is authenticated or read-only

00:03:50.280 --> 00:03:53.050
as the name suggests this makes sure that a

00:03:53.050 --> 00:04:00.430
view set is read-only if the user is not
authenticated so let's go down to our

00:04:00.430 --> 00:04:06.340
user profile feed view set and let's add
a new class variable to our view set

00:04:06.340 --> 00:04:13.180
called permission underscore classes
equals and we're going to open up the

00:04:13.180 --> 00:04:17.770
tuple here and I'm going to break it onto
multiple lines because the input that we

00:04:17.770 --> 00:04:23.860
need to add is quite long and I don't
want to exceed the 79 character limit so

00:04:23.860 --> 00:04:28.630
let's add our first permission which is the permission we created in

00:04:28.630 --> 00:04:34.270
permissions dot py that is the update
own status permission so let's type

00:04:34.270 --> 00:04:44.170
permissions dot update own status comma and then below this we're going to also add

00:04:44.170 --> 00:04:49.960
the is authenticated or read-only
permission from the Django REST

00:04:49.960 --> 00:04:57.100
framework so type is authenticated or
read-only

00:04:57.100 --> 00:04:59.260
so this will make sure that a

00:04:59.260 --> 00:05:04.000
user must be authenticated to perform
any request that is not a read request

00:05:04.000 --> 00:05:08.980
so that will get rid of the issue of
users trying to create a new feed item

00:05:08.980 --> 00:05:12.060
when they're not authenticated

00:05:12.060 --> 00:05:14.500
on top of that we'll also ensure that users can

00:05:14.500 --> 00:05:20.410
only update statuses where the user
profile is assigned to their user which

00:05:20.410 --> 00:05:26.280
will stop users being able to update the
statuses of other users in the system

00:05:26.280 --> 00:05:32.080
okay so let's save that file and that's
how we configure the permissions on our

00:05:32.080 --> 00:05:36.930
user profile feed view set

