Differences between has_object_permission and has_permission


We have the following two permission methods on the BasePermission class:

  • def has_permission(self, request, view)
  • def has_object_permission(self, request, view, obj)

These two methods are called to restrict unauthorized users from inserting or manipulating data.


has_permission is called on every HTTP request, whereas has_object_permission is called from DRF's def get_object(self) method. Hence has_object_permission is available for GET, PUT and DELETE requests, but not for POST, because no object exists yet when a POST request is handled.


In summary:

The permission_classes list is looped over in the order it is defined.

has_object_permission is called only after has_permission has returned True, except for POST, where only has_permission is executed.

As soon as one permission class returns False, the request is denied and the loop stops; otherwise every permission class in the list is checked in turn.

has_permission is called on all (GET, POST, PUT, DELETE) HTTP requests.

has_object_permission is not called on HTTP POST requests, so any restriction on creating objects has to be enforced from has_permission.
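The flow above, as an added example that is not part of the original article and not DRF's own code: a simplified model of a view that loops over permission_classes, stops at the first False, and runs has_object_permission only from the get_object() step, so a POST never reaches the object-level rule. The Request and Article objects are constructed stand-ins (SimpleNamespace), and IsOwnerOrReadOnly is an assumed owner-only rule.

```python
from dataclasses import dataclass, field
from types import SimpleNamespace

class BasePermission:
    def has_permission(self, request, view): return True
    def has_object_permission(self, request, view, obj): return True

class IsAuthenticated(BasePermission):
    def has_permission(self, request, view):
        return request.user != "anonymous"

class IsOwnerOrReadOnly(BasePermission):
    """Object-level rule: anyone may read; only the owner may modify."""
    def has_object_permission(self, request, view, obj):
        return request.method in ("GET", "HEAD", "OPTIONS") or obj.owner == request.user

@dataclass
class View:
    """Simplified model of a DRF view's permission flow, not DRF's own code."""
    permission_classes: list
    store: dict
    calls: list = field(default_factory=list)  # which hooks ran, in order

    def _check(self, hook, request, *args):
        # permission_classes are looped in order; the first False stops the loop.
        for perm in self.permission_classes:
            self.calls.append(f"{type(perm).__name__}.{hook}")
            if not getattr(perm, hook)(request, self, *args):
                return False
        return True

    def dispatch(self, request, pk=None):
        """Returns an HTTP status code for the request."""
        if not self._check("has_permission", request):
            return 403
        if request.method == "POST":
            return 201  # create: no object exists yet, so get_object() never runs
        obj = self.store[pk]  # get_object() is where object-level checks happen
        if not self._check("has_object_permission", request, obj):
            return 403
        return 200

def run(method, user, pk=None):
    """Dispatch one constructed request against a one-article store; returns (status, hooks called)."""
    view = View([IsAuthenticated(), IsOwnerOrReadOnly()], {1: SimpleNamespace(owner="alice")})
    return view.dispatch(SimpleNamespace(method=method, user=user), pk), view.calls
```

Note that run("POST", "bob") returns 201 with no has_object_permission entry in the call trace: the owner rule never sees a create request, which is why such a restriction must live in has_permission.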



Date: Nov. 14, 2023