consumocuidado-server/back_latienda/permissions.py

from rest_framework import permissions


class IsCreator(permissions.BasePermission):
    """
    Grant permission is request.user same as obj.creator
    """

    def has_object_permission(self, request, view, obj):
        if obj is not None:
            # allow is authenticated and method is safe
            if request.method in permissions.SAFE_METHODS:
                return True

            # admins always have permission
            if request.user.is_staff is True:
                return True
            # permission if user is the object's creator
            return obj.creator == request.user
        return False


class ReadOnly(permissions.BasePermission):
    def has_permission(self, request, view):
        return request.method in permissions.SAFE_METHODS