Django REST framework object level permissions

Question

I am using Django REST Framework to access a resource \'user\'.

As user information is personal, I do not want a GET request to list every user on the system, UNLESS the

Answer 1

For the stumble-upons, the documentation under limitations of object level permission says:

For performance reasons the generic views will not automatically apply object level permissions to each instance in a queryset when returning a list of objects.

So, details view will work but for the list, you'll need to filter against the current user.