Django REST Framework - Separate permissions per methods

José L. Patiño picture José L. Patiño · Nov 4, 2013 · Viewed 26.1k times · Source

I am writing an API using Django REST Framework and I am wondering if can specify permissions per method when using class based views.

Reading the documentation I see that is quite easy to do if you are writing function based views, just using the @permission_classes decorator over the function of the views you want to protect with permissions. However, I don't see a way to do the same when using CBVs with the APIView class, because then I specify the permissions for the full class with the permission_classes attribute, but that will be applied then to all class methods (get, post, put...).

So, is it possible to have the API views written with CBVs and also specify different permissions for each method of a view class?

Answer

Kevin Stone picture Kevin Stone · Nov 5, 2013

Permissions are applied to the entire View class, but you can take into account aspects of the request (like the method such as GET or POST) in your authorization decision.

See the built-in IsAuthenticatedOrReadOnly as an example:

SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']

class IsAuthenticatedOrReadOnly(BasePermission):
    """
    The request is authenticated as a user, or is a read-only request.
    """

    def has_permission(self, request, view):
        if (request.method in SAFE_METHODS or
            request.user and
            request.user.is_authenticated()):
            return True
        return False