From 52a68cca92c7e67d895386f64389886ad52f2f84 Mon Sep 17 00:00:00 2001
From: Sylvain Le Bon <sylvain@startinblox.com>
Date: Wed, 11 Oct 2023 14:00:16 +0200
Subject: [PATCH] feature: allow reverse m2m and foreignkey in owner_field
---
 djangoldp/permissions.py | 6 +++++-
 docs/create_model.md | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/djangoldp/permissions.py b/djangoldp/permissions.py
index e29c0a3e..5401b542 100644
--- a/djangoldp/permissions.py
+++ b/djangoldp/permissions.py
@@ -149,7 +149,11 @@ class OwnerPermissions(LDPBasePermission):
 if request.user.is_superuser:
 return True
 if getattr(view.model._meta, 'owner_field', None):
- return request.user == getattr(obj, view.model._meta.owner_field)
+ field = view.model._meta.get_field(view.model._meta.owner_field)
+ if field.many_to_many or field.one_to_many:
+ return request.user in getattr(obj, field.get_accessor_name()).all()
+ else:
+ return request.user == getattr(obj, view.model._meta.owner_field)
 if getattr(view.model._meta, 'owner_urlid_field', None) is not None:
 return request.user.urlid == getattr(obj, view.model._meta.owner_urlid_field)
 return True
diff --git a/docs/create_model.md b/docs/create_model.md
index 9db8ef7d..9086ad15 100644
--- a/docs/create_model.md
+++ b/docs/create_model.md
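Review bot: A forward `ManyToManyField` named in `owner_field` also has `field.many_to_many` set, but only reverse relation objects provide `get_accessor_name()`, so the added branch in `djangoldp/permissions.py` would raise `AttributeError` for that configuration instead of returning an access decision. Resolving the attribute name for both directions, e.g. `accessor = field.get_accessor_name() if field.auto_created else field.name`, keeps the check working whichever side declares the relation. The membership test `request.user in ....all()` also loads every owner row on each object check, whereas `return getattr(obj, accessor).filter(pk=request.user.pk).exists()` asks the database the same question directly. Since this is an authorisation path, a regression test per relation type (forward FK, forward M2M, reverse FK, reverse M2M) would be worth adding alongside. The enclosing method starts above the hunk, so how the anonymous-user case reaches this code is not visible here.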
@@ -328,7 +328,7 @@ DjangoLDP comes with a set of permission classes that you can use for standard b * AnonymousReadOnly: Refuse access to anonymous users with any write request * LDDPermissions: Give access based on the permissions in the database. For container requests (list and create), based on model level permissions. For all others, based on object level permissions. This permission class is associated with a filter that only renders objects on which the user has access. * PublicPermission: Give access based on a public flag on the object. This class must be used in conjonction with the Meta option `public_field`. This permission class is associated with a filter that only render objects that have the public flag set. - * OwnerPermissions: Give access based on the owner of the object. This class must be used in conjonction with the Meta option `owner_field` or `owner_urlid_field`. This permission class is associated with a filter that only render objects of which the user is owner. + * OwnerPermissions: Give access based on the owner of the object. This class must be used in conjonction with the Meta option `owner_field` or `owner_urlid_field`. This permission class is associated with a filter that only render objects of which the user is owner. When using a reverse ForeignKey or M2M field with no related_name specified, do not add the '_set' suffix in the `owner_field`. * InheritPermissions: Give access based on the permissions on a related model. This class must be used in conjonction with the Meta option `inherit_permission`, which value must be a list of names of the `ForeignKey` or `OneToOneField` pointing to the objects bearing the permission classes. It also applies filter based on the related model. If several fields are given, at least one must give permission for the permission to be granted. Permission classes can be chained together in a list, or through the | and & operators. Chaining in a list is equivalent to using the & operator. -- GitLab