AllowAny
The AllowAny permission class allows unrestricted access, irrespective of whether the request was authenticated or unauthenticated. Here the permission settings default to unrestricted access:
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.AllowAny',
    ]
}
Because this is the default, you don’t need to set this permission, but it is advisable to state it so that the intention is explicit. Apart from setting it globally, you can set the permission policy on a per-view basis. If you are using the APIView class-based views, the code is as follows:
Python3
from rest_framework.permissions import AllowAny
from rest_framework.response import Response
from rest_framework.views import APIView


class ClassBasedView(APIView):
    permission_classes = [AllowAny]

    def get(self, request, format=None):
        content = {
            'status': 'request was permitted'
        }
        return Response(content)
When using the @api_view decorator with function-based views, the code is as follows:
Python3
from rest_framework.decorators import api_view, permission_classes
from rest_framework.permissions import AllowAny
from rest_framework.response import Response


@api_view(['GET'])
@permission_classes([AllowAny])
def function_view(request, format=None):
    content = {
        'status': 'request was permitted'
    }
    return Response(content)
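A static check for the two per-view forms shown above, added here as an example and not part of the original article: it parses Python source with the standard-library ast module and lists every APIView subclass or @api_view function that either sets AllowAny explicitly or sets no permission_classes at all, and so falls back to DEFAULT_PERMISSION_CLASSES. The sample module, the AccountView and LegacyView names, and the helper names are constructed for illustration; only direct APIView subclasses are recognised.

```python
import ast

# Constructed sample (parsed only, never executed, so imports are omitted).
SAMPLE = '''\
class ClassBasedView(APIView):
    permission_classes = [AllowAny]
class AccountView(APIView):
    permission_classes = [IsAuthenticated]
class LegacyView(APIView):
    pass
@api_view(['GET'])
@permission_classes([AllowAny])
def function_view(request, format=None):
    pass
'''

def _name(node):
    """Identifier of a Name (AllowAny) or Attribute (permissions.AllowAny) node."""
    return getattr(node, 'id', getattr(node, 'attr', None))

def _finding(value):
    """Classify a permission_classes value; None means it was never set."""
    if value is None:
        return 'inherits DEFAULT_PERMISSION_CLASSES'
    names = [_name(e) for e in getattr(value, 'elts', [])]
    return 'explicit AllowAny' if 'AllowAny' in names else None

def audit(source):
    """Return sorted (line, view, finding) tuples for views worth reviewing."""
    out = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef) and 'APIView' in map(_name, node.bases):
            perms = [s.value for s in node.body if isinstance(s, ast.Assign)
                     and 'permission_classes' in map(_name, s.targets)]
            finding = _finding(perms[-1] if perms else None)
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            decs = {_name(d.func): d for d in node.decorator_list if isinstance(d, ast.Call)}
            if 'api_view' not in decs:
                continue  # plain function or method, not a DRF view
            perm = decs.get('permission_classes')
            finding = _finding(perm.args[0] if perm and perm.args else None)
        else:
            continue
        if finding:
            out.append((node.lineno, node.name, finding))
    return sorted(out)

if __name__ == '__main__':
    print(*audit(SAMPLE), sep='\n')
```

Views reported as inheriting the default are only as open as the project's DEFAULT_PERMISSION_CLASSES setting, so read that finding together with settings.py.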
Adding Permission in API – Django REST Framework
There are many different scenarios to consider when it comes to access control. Allowing unauthorized access to risky operations or restricted areas results in a massive vulnerability. This highlights the importance of adding permissions in APIs.
Django REST framework allows us to leverage permissions to define what can be accessed and what actions can be performed in a meaningful or common way. The permission checks always run at the beginning of every view. They use the authentication information in the ‘request.user’ and ‘request.auth’ properties of each incoming request. If the permission check fails, the view code will not run.
Note: Together with authentication, permissions determine whether to grant or deny access for an incoming request. In this section, we will combine Basic Authentication with Django REST framework permissions to set access control. You can refer to Browsable API in Django REST Framework for Models, Serializers, and Views.
Let’s dig deep into the Django REST framework permissions.
- AllowAny
- IsAuthenticated
- IsAdminUser
- IsAuthenticatedOrReadOnly
- DjangoModelPermissions
- DjangoModelPermissionsOrAnonReadOnly
- DjangoObjectPermissions