implement the object permission directly

customers/tests/test_customer_detail_view.py

@@ -34,10 +34,9 @@ def test_customer_detail_view(create_admin_user):
 
 def test_customer_detail_view_no_permissions():
     User = get_user_model()
-    User.objects.create_user("pharma-admin", "admin@pharma.com",
-                             "password", is_staff=True)
+    User.objects.create_user("pharma-admin", "admin@pharma.com", "password")
     client = Client()
     customer = mixer.blend('customers.Customer')
     client.login(username="pharma-admin", password="password")
     response = client.get('/customer/' + str(customer.id) + '/')
-    assert response.status_code == 302 and 'login' in response.url
+    assert response.status_code == 404

customers/views.py

@@ -1,5 +1,6 @@
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.mixins import LoginRequiredMixin
+from django.http.response import Http404
 from django.http.response import HttpResponse
 from django.shortcuts import get_object_or_404
 from django.shortcuts import render
@@ -44,12 +45,17 @@ def htmx_create_customer(request):
 
 
 @login_required
-@permission_required('customers.view_customer', (Customer, 'id', 'pk'))
 def customer_detail_view(request, pk):
-    context = {'customer': get_object_or_404(Customer, pk=pk)}
-    return TemplateResponse(request,
-                            "customers/customer_details.html",
-                            context)
+    customer = get_object_or_404(Customer, pk=pk)
+    permission = request.user.has_perm('customers.view_customer',
+                                       customer)
+    if permission:
+        context = {'customer': customer}
+        return TemplateResponse(request,
+                                "customers/customer_details.html",
+                                context)
+    else:
+        raise Http404()
 
 
 class CustomerCreateView(LoginRequiredMixin, CreateView):