Object-level permissions concept in Django - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual (intermediate)
Understanding Object-level Permissions in Django

Which statement best describes object-level permissions in Django?

A. Permissions that apply to specific instances of a model, controlling access to individual objects.
B. Permissions that apply only to the entire Django project settings.
C. Permissions that control access to Django admin interface only.
D. Permissions that are automatically granted to all users without restrictions.
💡 Hint

Think about permissions that limit access to specific data entries, not the whole model.

Component behavior (intermediate)
Behavior of Object-level Permissions with Django REST Framework

Given a Django REST Framework viewset using object-level permissions, what happens when a user tries to access an object they do not have permission for?

A. The API returns a 404 Not Found response, hiding the object existence.
B. The API returns the object data but with limited fields.
C. The API returns a 403 Forbidden response, denying access to that object.
D. The API returns a 500 Internal Server Error due to permission failure.
💡 Hint

Consider standard HTTP status codes for permission denial.

📝 Syntax (advanced)
Correct Usage of Object-level Permission Class in Django REST Framework

Which of the following code snippets correctly implements an object-level permission class in Django REST Framework?

from rest_framework.permissions import BasePermission

class IsOwner(BasePermission):
    def has_object_permission(self, request, view, obj):
        # Check if the user is the owner of the object
        return obj.owner == request.user

A.
class IsOwner(BasePermission):
    def has_permission(self, request, view):
        return obj.owner == request.user

B.
class IsOwner(BasePermission):
    def has_object_permission(self, request, view, obj):
        return obj.owner == request.user

C.
class IsOwner(BasePermission):
    def has_object_permission(self, request, view, obj):
        return request.user.is_authenticated

D.
class IsOwner(BasePermission):
    def has_permission(self, request, view, obj):
        return obj.owner == request.user
💡 Hint

Remember the method name for checking permissions on specific objects.

🔧 Debug (advanced)
Debugging Object-level Permission Denial in Django

A developer notices that users are always granted access to objects even when they should not have permission. The permission class is:

class IsOwner(BasePermission):
    def has_object_permission(self, request, view, obj):
        return obj.owner == request.user

What is the most likely cause of this issue?

A. The permission class should inherit from `permissions.IsAuthenticated` instead.
B. The `has_permission` method is missing, causing all checks to fail.
C. The `obj.owner` attribute does not exist on the model.
D. The viewset does not call `check_object_permissions` before accessing the object.
💡 Hint

Think about how Django REST Framework enforces object-level permissions in views.

State output (expert)
Output of Custom Object-level Permission Logic in Django

Consider this Django REST Framework permission class:

class CustomPermission(BasePermission):
    def has_object_permission(self, request, view, obj):
        match request.method:
            case 'GET' | 'HEAD' | 'OPTIONS':
                return True
            case 'POST' | 'PUT' | 'PATCH' | 'DELETE':
                return obj.owner == request.user
            case _:
                return False

If a user sends a PATCH request to update an object they do not own, what will be the permission check result?

A. False, the user is denied permission because they are not the owner.
B. True, because PATCH requests are always allowed.
C. False, because the method falls into the default case returning False.
D. True, because GET, HEAD, and OPTIONS are allowed for all users.
💡 Hint

Look carefully at the match-case logic and which methods require ownership.