# permissions.py:from rest_framework import permissionsclass IsOwnerOrRead

1. # permissions.py:
2. from rest_framework import permissions
3.  
4. class IsOwnerOrReadOnly(permissions.BasePermission):
5.     def has_object_permission(self, request, view, obj):
6.         if request.method in permissions.SAFE_METHODS:
7.             return True
8.         return obj.owner == request.user
9.  
10.  
11.  
12. # views.py:
13. from django.contrib.auth.models import User
14. from rest_framework import permissions, viewsets
15. from leads.models import Lead
16. from leads.serializers import LeadSerializer, UserSerializer
17. from leads.permissions import IsOwnerOrReadOnly
18.  
19.  
20. class LeadViewSet(viewsets.ModelViewSet):
21.     queryset = Lead.objects.all()
22.     serializer_class = LeadSerializer
23.     permission_classes = (permissions.IsAuthenticatedOrReadOnly, IsOwnerOrReadOnly,)
24.  
25.     def perform_create(self, serializer):
26.         serializer.save(owner=self.request.user)
27.  
28. class UserViewSet(viewsets.ReadOnlyModelViewSet):
29.  
30.     queryset = User.objects.all()
31.     serializer_class = UserSerializer