permissions - See only owner's data in ListAPIView
I have a view deriving from ListAPIView, with the following permissions:
    permission_classes = (permissions.IsAuthenticated, IsOwnerOrSuperuser,)
IsOwnerOrSuperuser is defined as such:
    from rest_framework import permissions

    class IsOwnerOrSuperuser(permissions.BasePermission):
        # Object-level check: allow the owner of the object or a superuser.
        def has_object_permission(self, request, view, obj):
            return obj.user == request.user or request.user.is_superuser
(which is similar to the tutorial)
Now, when a normal user queries the view, they can see everyone's objects. Isn't the permission applied to every single object in the list? How can I enforce this type of behaviour with minimal overhead?
Thanks
No, has_object_permission is not applied for list and create endpoints, only for retrieve, update and delete, where there is a single instance. To filter lists, you should use get_queryset to filter the objects.
    from rest_framework import generics

    class BlogList(generics.ListAPIView):
        serializer_class = BlogSerializer
        permission_classes = (IsOwnerOrSuperuser,)

        def get_queryset(self):
            # Restrict the list to objects owned by the requesting user.
            user = self.request.user
            return Blog.objects.filter(user=user)
To apply further permissions, you need to implement .has_permission(self, request, view)
....
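The behaviour described in the answer, as an added example that is not part of the original post and is not Django REST framework code: a plain-Python toy model of a generic view in which only the single-object path runs the object-level check. The classes `UnscopedView`, `OwnerScopedView`, `User`, `Blog` and the sample rows are constructed for illustration; the superuser branch in `get_queryset` goes beyond the answer's snippet so that it matches the question's permission rule.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    is_superuser: bool = False

@dataclass(frozen=True)
class Blog:
    user: User
    title: str

class PermissionDenied(Exception): pass
class NotFound(Exception): pass

class IsOwnerOrSuperuser:
    """Same rule as the permission class in the question."""
    def has_object_permission(self, user, obj):
        return obj.user == user or user.is_superuser

class UnscopedView:
    """Toy model of a generic view: only retrieve() runs the object-level check."""
    permission = IsOwnerOrSuperuser()

    def __init__(self, rows):
        self.rows = rows

    def get_queryset(self, user):
        return list(self.rows)

    def list(self, user):
        # No per-object permission call on the list path, as the answer says.
        return self.get_queryset(user)

    def retrieve(self, user, title):
        matches = [b for b in self.get_queryset(user) if b.title == title]
        if not matches:
            raise NotFound(title)
        if not self.permission.has_object_permission(user, matches[0]):
            raise PermissionDenied(title)
        return matches[0]

class OwnerScopedView(UnscopedView):
    """The fix: restrict the queryset itself; superusers still see everything."""
    def get_queryset(self, user):
        if user.is_superuser:
            return list(self.rows)
        return [b for b in self.rows if b.user == user]

# Constructed sample data.
alice, bob, root = User("alice"), User("bob"), User("root", is_superuser=True)
ROWS = [Blog(alice, "a1"), Blog(bob, "b1"), Blog(alice, "a2")]
```

Once the queryset is scoped, a request for another user's object fails at the lookup (not found) before the object-level permission is ever consulted, so the response no longer confirms that the object exists.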