Working with object-level permissions via customized permission classes

The rest_framework.permissions.BasePermission class is the base class from which all customized permission classes should inherit to work with the Django REST framework. We want to make sure that only a drone owner can update or delete an existing drone.

Go to the restful01/drones folder and create a new file named custompermission.py. Write the following code in this new file. The code declares the new IsCurrentUserOwnerOrReadOnly class as a subclass of the BasePermission class. The code file for the sample is included in the hillar_django_restful_08_01 folder in the restful01/drones/custompermission.py file:

from rest_framework import permissions


class IsCurrentUserOwnerOrReadOnly(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            # The method is a safe method
            return True
        else:
            # The method isn't a safe method
            # Only owners are granted permissions for unsafe methods
            return obj.owner == request.user

The previous lines declare the IsCurrentUserOwnerOrReadOnly class and override the has_object_permission method defined in the BasePermission superclass that returns a bool value indicating whether the permission should be granted or not.

The permissions.SAFE_METHODS tuple of strings includes the three HTTP methods or verbs that are considered safe because they are read-only and they don't produce changes to the related resource or resource collection: 'GET', 'HEAD', and 'OPTIONS'. The code in the has_object_permission method checks whether the HTTP verb specified in the request.method attribute is any of the three safe methods specified in permissions.SAFE_METHODS. If this expression evaluates to True, the has_object_permission method returns True and grants permission to the request.

If the HTTP verb specified in the request.method attribute is not any of the three safe methods, the code returns True and grants permission only when the owner attribute of the received obj object (obj.owner) matches the user that originated the request (request.user). The user that originated the request will always be the authenticated user. This way, only the owner of the related resource will be granted permission for those requests that include HTTP verbs that aren't safe.

We will use the new IsCurrentUserOwnerOrReadOnly customized permission class to make sure that only the drone owners can make changes to an existing drone. We will combine this permission class with the rest_framework.permissions.IsAuthenticatedOrReadOnly one, which only allows read-only access to resources when the request doesn't belong to an authenticated user. This way, whenever an anonymous user performs a request, they will only have read-only access to the resources.
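The following added example (not code from the book or from the Django REST framework project) shows the access matrix that results from combining the two permission classes. Because a Django project is not needed to reason about the rule, it replaces rest_framework with small stand-ins that reproduce the relevant semantics: the SAFE_METHODS tuple, BasePermission's defaults (both hooks grant by default), IsAuthenticatedOrReadOnly's rule, and the way DRF evaluates a detail request (every class must pass has_permission, then every class must pass has_object_permission, with the first failure short-circuiting). The FakeUser, FakeRequest and Drone classes and the users alice and bob are constructed sample data.

```python
# Added example: dependency-free harness reproducing the DRF permission
# semantics described in the text. SAFE_METHODS, BasePermission,
# IsAuthenticatedOrReadOnly and object_access_allowed are stand-ins that
# mirror rest_framework behaviour; FakeUser/FakeRequest/Drone are constructed.
from dataclasses import dataclass

SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS')  # same values as permissions.SAFE_METHODS


@dataclass(frozen=True)
class FakeUser:
    username: str
    is_authenticated: bool = True


# Stand-in for Django's AnonymousUser: is_authenticated is False
ANONYMOUS = FakeUser(username='', is_authenticated=False)


@dataclass
class FakeRequest:
    method: str
    user: FakeUser


@dataclass
class Drone:
    name: str
    owner: FakeUser


class BasePermission:
    """Mirror of rest_framework.permissions.BasePermission: grant by default."""
    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True


class IsAuthenticatedOrReadOnly(BasePermission):
    """Same rule as the DRF class of this name: anonymous users get read-only."""
    def has_permission(self, request, view):
        return request.method in SAFE_METHODS or request.user.is_authenticated


class IsCurrentUserOwnerOrReadOnly(BasePermission):
    """The class from the text, using the local SAFE_METHODS stand-in."""
    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS:
            return True
        # Only the owner may use an unsafe verb on this object
        return obj.owner == request.user


def object_access_allowed(permission_classes, request, obj, view=None):
    """Evaluate permissions the way DRF does for a detail view:
    all has_permission checks first, then all has_object_permission checks.
    The first False short-circuits, so object checks never run for a
    request that already failed the view-level check."""
    perms = [cls() for cls in permission_classes]
    if not all(p.has_permission(request, view) for p in perms):
        return False
    return all(p.has_object_permission(request, view, obj) for p in perms)


PERMISSION_CLASSES = (IsAuthenticatedOrReadOnly, IsCurrentUserOwnerOrReadOnly)


def access_matrix():
    """Return {(actor, method): allowed} for a drone owned by alice
    (constructed sample data) under the combined permission classes."""
    alice = FakeUser('alice')
    bob = FakeUser('bob')
    drone = Drone(name='sample-drone', owner=alice)
    actors = {'anonymous': ANONYMOUS, 'owner': alice, 'other_user': bob}
    results = {}
    for who, user in actors.items():
        for method in ('GET', 'PUT', 'PATCH', 'DELETE'):
            req = FakeRequest(method=method, user=user)
            results[(who, method)] = object_access_allowed(PERMISSION_CLASSES, req, drone)
    return results


if __name__ == '__main__':
    for (who, method), allowed in sorted(access_matrix().items()):
        print(f'{who:<11} {method:<7} {"allowed" if allowed else "denied"}')
```

Running the script prints the matrix: every actor may GET, the owner may PUT, PATCH and DELETE, and anonymous and other authenticated users are denied all unsafe verbs. Note that DRF only calls has_object_permission when a view fetches a single instance (for example, through get_object in a detail view); list and create requests go through has_permission alone, which is why IsAuthenticatedOrReadOnly is still needed to stop anonymous POSTs to the collection.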
