IsAuthenticated
The IsAuthenticated permission class denies unauthenticated users access to the API for any operation, so the API is reachable only by registered (logged-in) users. Let’s use the IsAuthenticated class in our RESTful web service. The permission policy can be set on a per-view basis, so we import the permission class and add it to our RobotDetail and RobotList classes. The code is as follows:
from rest_framework import generics
from rest_framework.permissions import IsAuthenticated

# assumed module paths for the app's model and serializer
from .models import Robot
from .serializers import RobotSerializer


class RobotDetail(generics.RetrieveUpdateDestroyAPIView):
    # only authenticated users may retrieve, update or delete a robot
    permission_classes = [IsAuthenticated]
    queryset = Robot.objects.all()
    serializer_class = RobotSerializer
    name = 'robot-detail'


class RobotList(generics.ListCreateAPIView):
    # only authenticated users may list or create robots
    permission_classes = [IsAuthenticated]
    queryset = Robot.objects.all()
    serializer_class = RobotSerializer
    name = 'robot-list'
Let’s try to retrieve robots without providing any credentials. The HTTPie command is
http :8000/robot/
Since we haven’t provided any authentication details, the API has rejected the request that retrieves the robot details. Now we will create a new user using Django’s interactive shell and try the HTTPie command with credentials.
Note: You can refer to the article Create a User for Django Using Django’s Interactive Shell.
The HTTPie command is as follows:
http -a "sonu":"sn@pswrd" :8000/robot/
Let’s try an HTTPie command that creates a new robot entry.
http -a "sonu":"sn@pswrd" POST :8000/robot/ name="IRB 1100" robot_category="Articulated Robots" currency="USD" price=25000 manufacturer="ABB" manufacturing_date="2020-05-10 00:00:00+00:00"
Adding Permission in API – Django REST Framework
There are many different scenarios to consider when it comes to access control. Allowing unauthorized access to risky operations or restricted areas is a serious vulnerability, which is why adding permissions to APIs matters.
Django REST framework lets us use permissions to define, in a consistent way, what can be accessed and which actions can be performed. Permission checks run at the start of every view, using the authentication information in the 'request.user' and 'request.auth' properties of each incoming request. If the permission check fails, the view code does not run.
Note: Together with authentication, permissions determine whether to grant or deny access for an incoming request. In this section, we will combine Basic Authentication with Django REST framework permissions to set access control. You can refer to Browsable API in Django REST Framework for Models, Serializers, and Views.
Let’s dig deep into the Django REST framework permissions.
- AllowAny
- IsAuthenticated
- IsAdminUser
- IsAuthenticatedOrReadOnly
- DjangoModelPermissions
- DjangoModelPermissionsOrAnonReadOnly
- DjangoObjectPermissions
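As an added illustration (not code from the original article or from Django REST framework itself), the following stand-alone Python models how a view's permission_classes combine with the request's authentication state and HTTP method for four of the classes listed above, and why an anonymous request under Basic Authentication gets 401 while a logged-in but insufficiently privileged one gets 403. The User and Request classes and the basic_auth_enabled flag are simplified assumptions standing in for Django's user model and DRF's authenticator chain.

```python
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # read-only methods, as in DRF


@dataclass
class User:                       # stand-in for Django's user object
    is_authenticated: bool = False
    is_staff: bool = False


@dataclass
class Request:                    # stand-in for DRF's Request
    method: str
    user: User
    # True when the client sent credentials that an authenticator accepted
    successful_authenticator: bool = False


# Simplified re-statements of the built-in permission classes' decisions.
class AllowAny:
    def has_permission(self, request):
        return True


class IsAuthenticated:
    def has_permission(self, request):
        return request.user.is_authenticated


class IsAdminUser:
    def has_permission(self, request):
        return request.user.is_authenticated and request.user.is_staff


class IsAuthenticatedOrReadOnly:
    def has_permission(self, request):
        return request.method in SAFE_METHODS or request.user.is_authenticated


def check_permissions(permission_classes, request, basic_auth_enabled=True):
    """Every listed class must allow the request, otherwise the view never runs.
    Returns the status the client sees: 200 (view runs), 401 (no accepted
    credentials and an authenticator such as BasicAuthentication can send a
    WWW-Authenticate challenge) or 403 (credentials accepted, still denied)."""
    for cls in permission_classes:
        if not cls().has_permission(request):
            if not request.successful_authenticator and basic_auth_enabled:
                return 401
            return 403
    return 200


ANON = Request("GET", User())                                    # constructed
MEMBER = Request("POST", User(is_authenticated=True), True)      # constructed
```

Running check_permissions over ANON and MEMBER for each class reproduces the behaviour seen with the HTTPie commands above: the anonymous GET against [IsAuthenticated] is rejected, the credentialed request succeeds.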