Different included_resources per permissions

[SafaAlfulaij]

Ref #864
How can one restrict included resources by permissions? For example only staff users can include flags on comments on posts. Otherwise return 403?

[sliverc]

You can write a custom permission class and check whether the include parameter is set and if yes whether the user has the rights to include flags or not.

I would be very careful with this though because with the relationship on comments a user already gets an id and type of a flag which exposes information you might not want. Another option would be to have different resources for readers of the api and for staff.

Does this make it clearer?

[SafaAlfulaij]

I think the permission class can do this job (writing a general one, then sub classing it for different includes/permission code names.
And about the relationship, I can easily pop unauthorized fields/links from the serializer, and put the same permission class on the relationship view.