Composite permissions DRF

I have a view class inherited from RetrieveUpdateDestroyAPIView. I need to have different permission classes for different method so I am over writing get_permissions method but I'm getting error

TypeError: unsupported operand type(s) for |: 'IsSuperAdmin' and 'IsOwner.

views.py

    class UserView(RetrieveUpdateDestroyAPIView):
        queryset = User.objects.all()
        serializer_class = UserSerializer
        http_method_names = ['patch', 'get', 'delete']

        def get_permissions(self):
            if self.request.method == 'GET':
            return [IsAuthenticated(), IsSuperAdmin()|IsOwner()|IsAdmin(), ]
            elif self.request.method == 'DELETE':
                return [IsAuthenticated(), IsSuperAdmin()|IsAdmin()]
            else:
            return [IsAuthenticated(), IsSuperAdmin()|IsAdmin()|IsOwner(), ]

permissions.py

    class IsSuperAdmin(BasePermission):
        message = "You must be super admin to perform requested operation"

        def has_permission(self, request, view):
            if  request.user.role == "super_admin":
                return True
            return False


    class IsAdmin(BasePermission):
        message = "You must be admin to perform requested operation"

        def has_permission(self, request, view):
            if  request.user.role == "admin":
                return True
            return False



    class IsOwner(BasePermission):
        message = "You must be owner of resource to perform requested operaton"

        def has_object_permission(self, request, view, obj):
            if obj.id == request.user.id:
                return True
            return False

You don't need to instanciate permissions classes, so the code

return [IsAuthenticated(), IsSuperAdmin()|IsOwner()|IsAdmin(), ]

Should be like

return [IsAuthenticated, IsSuperAdmin |IsOwner | IsAdmin ]

Cf the rest framework doc: https://www.django-rest-framework.org/api-guide/permissions/#setting-the-permission-policy

Back to Top