diff --git a/djangoldp_notification/models.py b/djangoldp_notification/models.py
index 5a024337fcb2fada26098954772ee4b8d1e699f8..f47ebcb973116ecde3867941827f4f16d69cdba8 100644
--- a/djangoldp_notification/models.py
+++ b/djangoldp_notification/models.py
@@ -16,6 +16,7 @@ from djangoldp.fields import LDPUrlField
 from djangoldp.models import Model
 
 from django.template import loader
+from .permissions import InboxPermissions
 
 
 class Notification(Model):
@@ -30,6 +31,7 @@ class Notification(Model):
     class Meta(Model.Meta):
         owner_field = 'user'
         ordering = ['-date']
+        permission_classes = [InboxPermissions]
         anonymous_perms = ['add']
         authenticated_perms = ['inherit']
         owner_perms = ['view', 'change', 'control']
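Review bot: The new `permission_classes` line sits directly above `anonymous_perms = ['add']` with nothing explaining how the two interact. For a POST to a nested inbox path, `InboxPermissions.has_permission` evaluates the Notification model with `obj = None`. So, presumably, unauthenticated clients may create notifications in any user's inbox, although the final decision rests on `user_permissions`, which this diff does not show. If that is intended, say so here, e.g. `# POSTs to /users/X/inbox/ are checked against Notification perms, so anonymous 'add' applies to every inbox`. The `Meta` class continues outside this hunk.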
diff --git a/djangoldp_notification/permissions.py b/djangoldp_notification/permissions.py
new file mode 100644
index 0000000000000000000000000000000000000000..f013752945e551763bd3907e644983c453824f65
--- /dev/null
+++ b/djangoldp_notification/permissions.py
@@ -0,0 +1,38 @@
+from djangoldp.permissions import LDPPermissions
+
+
+class InboxPermissions(LDPPermissions):
+    def has_permission(self, request, view):
+        from djangoldp.models import Model
+
+        if self.is_a_container(request._request.path):
+            try:
+                """
+                If on nested field we use users permissions
+                """
+                obj = Model.resolve_parent(request.path)
+                model = view.parent_model
+
+                """
+                If still on nested field and request is post (/users/X/inbox/) we use notification permissions
+                """
+                if view.parent_model != view.model and request.method == 'POST':
+                    obj = None
+                    model = view.model
+            except:
+                """
+                Not on nested field we use notification permissions
+                """
+                obj = None
+                model = view.model
+        else:
+            obj = Model.resolve_id(request._request.path)
+            model = view.model
+
+        perms = self.get_permissions(request.method, model)
+
+        for perm in perms:
+            if not perm.split('.')[1].split('_')[0] in self.user_permissions(request.user, model, obj):
+                return False
+
+        return True
\ No newline at end of file
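Review bot: The bare `except:` in `has_permission` turns every failure inside the `try` into a fallback to the Notification model with `obj = None`, not only the "not a nested path" case. An unrelated error, such as a view without `parent_model`, therefore silently changes which permissions are evaluated. An authorization check should catch only the exception `Model.resolve_parent` raises for a non-nested path (its type is not visible in this diff) and let anything else propagate so the request fails closed. The triple-quoted strings inside the `try`/`except` are expression statements rather than comments and should become `#` comments. The method also reads `request.path` once and `request._request.path` twice, which should be made uniform, and the loop test reads better as `if perm.split('.')[1].split('_')[0] not in ...`.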