Restrict object permissions to owners

server/server/api/permissions.py

@@ -0,0 +1,3 @@
+from rest_framework import permissions
+
+# Add permissions here.

server/server/api/views.py

@@ -4,21 +4,33 @@ from rest_framework import permissions
 from server.api import serializers, models
 
 class UserViewSet(viewsets.ModelViewSet):
-    queryset = User.objects.all().order_by('-date_joined')
+    queryset = User.objects.all()
     serializer_class = serializers.UserSerializer
     permission_classes = [permissions.IsAuthenticated]
 
+    def get_queryset(self):
+        return [self.request.user]
+
 class AccountViewSet(viewsets.ModelViewSet):
     queryset = models.Account.objects.all()
     serializer_class = serializers.AccountSerializer
     permission_classes = [permissions.IsAuthenticated]
 
+    def get_queryset(self):
+        return self.queryset.filter(users=self.request.user)
+
 class StackViewSet(viewsets.ModelViewSet):
     queryset = models.Stack.objects.all()
     serializer_class = serializers.StackSerializer
     permission_classes = [permissions.IsAuthenticated]
 
+    def get_queryset(self):
+        return self.queryset.filter(account__users=self.request.user)
+
 class TransactionViewSet(viewsets.ModelViewSet):
     queryset = models.Transaction.objects.all()
     serializer_class = serializers.TransactionSerializer
     permission_classes = [permissions.IsAuthenticated]
+
+    def get_queryset(self):
+        return self.queryset.filter(stack__account__users=self.request.user)