IsAuthenticatedOrReadOnly
The IsAuthenticatedOrReadOnly permission class lets unauthenticated (anonymous) users use only the safe methods, GET, HEAD and OPTIONS, while authenticated users can use any method, including POST, PUT, PATCH and DELETE. It is the right choice when anonymous visitors should be able to read a resource but only logged-in users should be able to change it. Let's import the permission class:
from rest_framework.permissions import IsAuthenticatedOrReadOnly
Now replace the RobotList and RobotDetail classes with the code below. Setting permission_classes on a view overrides the global DEFAULT_PERMISSION_CLASSES setting for that view only.
from rest_framework import generics
from rest_framework.permissions import IsAuthenticatedOrReadOnly

# Robot and RobotSerializer are the model and serializer defined earlier in this tutorial.


class RobotList(generics.ListCreateAPIView):
    # Anonymous users may GET the list; only authenticated users may POST.
    permission_classes = [IsAuthenticatedOrReadOnly]
    queryset = Robot.objects.all()
    serializer_class = RobotSerializer
    name = 'robot-list'


class RobotDetail(generics.RetrieveUpdateDestroyAPIView):
    # Anonymous users may GET a robot; only authenticated users may PUT, PATCH or DELETE it.
    permission_classes = [IsAuthenticatedOrReadOnly]
    queryset = Robot.objects.all()
    serializer_class = RobotSerializer
    name = 'robot-detail'
Let's first retrieve the robot list without providing any credentials. The HTTPie command is as follows:
http :8000/robot/
Output: the request succeeds with HTTP 200 OK and the JSON list of robots, because GET is a safe method and anonymous reads are allowed.
Now let's try to create a new robot without providing credentials. The HTTPie command is as follows:
http POST :8000/robot/ name="IRB 120" robot_category="Articulated Robots" currency="USD" price=35000 manufacturer="ABB" manufacturing_date="2020-08-10 00:00:00+00:00"
Output: the request is rejected with HTTP 401 Unauthorized and the body {"detail": "Authentication credentials were not provided."}; nothing is created. The status is 401 rather than 403 because Basic Authentication supplies a WWW-Authenticate challenge header; with an authentication class that has no challenge header (for example SessionAuthentication) the same denial is reported as 403 Forbidden.
The IsAuthenticatedOrReadOnly permission class permits only safe operations for unauthenticated users. Let's create the same robot again, this time providing user credentials:
http -a sonu:sn@pswrd POST :8000/robot/ name="IRB 120" robot_category="Articulated Robots" currency="USD" price=35000 manufacturer="ABB" manufacturing_date="2020-08-10 00:00:00+00:00"
Output: HTTP 201 Created with the JSON representation of the new robot (assuming sonu is an existing user with that password).
Adding Permission in API – Django REST Framework
There are many different scenarios to consider when it comes to access control. Letting unauthenticated or unauthorized callers reach write operations or restricted data is a serious vulnerability (broken access control), which is why adding permissions to an API matters.
Django REST framework lets us declare, per view, who may access it and which actions they may perform. Permission checks run at the very start of every view (in APIView.initial(), before the handler method), using the authentication results stored in the request.user and request.auth properties of the incoming request. If any permission check fails, the view code never runs and DRF returns a 401 or 403 response. Note that object-level permissions (has_object_permission) are a second step: they run only when the view calls get_object(), so they are applied to detail views but not to list views.
Note: Together with authentication, permissions determine whether an incoming request is granted or denied. In this section, we combine Basic Authentication with Django REST framework permissions to set access control. For the models, serializers and views used here, refer to Browsable API in Django REST Framework for Models, Serializers, and Views.
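To make the order of checks concrete, here is an added example (not code from the original tutorial and not Django REST framework's own source) that models DRF's permission pipeline without importing Django: the IsAuthenticatedOrReadOnly check itself, the loop over permission_classes that runs before the handler, and the permission_denied logic that turns a denial into 401 for an anonymous caller under Basic Authentication, 403 when no WWW-Authenticate challenge can be sent or when the caller is authenticated but not allowed. The User and Request stand-ins, the numeric status codes returned by dispatch(), the RobotList/RobotAdminOnly view names and the "api" realm string are assumptions made so the script runs stand-alone.

```python
# Added example: a dependency-free model of how Django REST framework evaluates
# permission_classes before a view runs. Mirrors the logic of DRF's
# IsAuthenticatedOrReadOnly, APIView.check_permissions and permission_denied;
# User, Request, the view names and the status codes are assumptions so that
# this runs without Django installed.
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")   # DRF's read-only method set


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True
    is_staff: bool = False


ANONYMOUS = User("anonymous", is_authenticated=False)


@dataclass
class Request:
    method: str
    user: User = ANONYMOUS
    successful_authenticator: object = None   # set once credentials validate
    authenticators: tuple = ("basic",)        # authentication classes on the view


class PermissionDenied(Exception):
    status_code = 403


class NotAuthenticated(PermissionDenied):
    status_code = 401


class BasePermission:
    def has_permission(self, request, view):
        return True


class IsAuthenticatedOrReadOnly(BasePermission):
    # Safe methods pass for everyone; anything else needs an authenticated user.
    def has_permission(self, request, view):
        return bool(request.method in SAFE_METHODS
                    or (request.user and request.user.is_authenticated))


class IsAuthenticated(BasePermission):
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_authenticated)


class IsAdminUser(BasePermission):
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_staff)


class APIView:
    permission_classes = [IsAuthenticatedOrReadOnly]
    # BasicAuthentication returns a WWW-Authenticate challenge; SessionAuthentication
    # returns None. DRF uses that to decide between 401 and 403 for anonymous callers.
    www_authenticate = 'Basic realm="api"'    # realm string is an assumption

    def check_permissions(self, request):
        # Every class in permission_classes must allow the request.
        for permission in (cls() for cls in self.permission_classes):
            if not permission.has_permission(request, self):
                self.permission_denied(request)

    def permission_denied(self, request):
        # Unauthenticated caller on a view that has authenticators -> NotAuthenticated.
        if request.authenticators and not request.successful_authenticator:
            raise NotAuthenticated()
        raise PermissionDenied()

    def handler(self, request):
        # Stand-in for the list/create/retrieve/update/destroy methods.
        return {"POST": 201, "DELETE": 204}.get(request.method, 200)

    def dispatch(self, request):
        try:
            self.check_permissions(request)   # runs before the handler, every time
            return self.handler(request)
        except PermissionDenied as exc:
            if isinstance(exc, NotAuthenticated) and not self.www_authenticate:
                return 403                    # no challenge header -> 403
            return exc.status_code


class RobotList(APIView):
    pass


class RobotListSessionAuth(RobotList):
    www_authenticate = None                   # e.g. SessionAuthentication only


class RobotAdminOnly(APIView):
    permission_classes = [IsAdminUser]


def status_for(method, username=None, view_cls=RobotList, is_staff=False):
    """Return the status a request would get; username=None means anonymous."""
    if username is None:
        request = Request(method)
    else:
        request = Request(method, User(username, is_staff=is_staff),
                          successful_authenticator="basic")
    return view_cls().dispatch(request)


if __name__ == "__main__":
    print("GET  anonymous   :", status_for("GET"))            # 200
    print("POST anonymous   :", status_for("POST"))           # 401
    print("POST sonu        :", status_for("POST", "sonu"))   # 201
    print("DELETE sonu/admin:", status_for("DELETE", "sonu", RobotAdminOnly))  # 403
```

The two distinct failure paths are worth keeping in mind when reading API logs: 401 means DRF never identified the caller (credentials missing or invalid, and the authentication class could send a challenge), while 403 means the caller was identified but the permission class said no, or no challenge header was available.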
Let's look at each of the built-in permission classes that Django REST framework provides:
- AllowAny
- IsAuthenticated
- IsAdminUser
- IsAuthenticatedOrReadOnly
- DjangoModelPermissions
- DjangoModelPermissionsOrAnonReadOnly
- DjangoObjectPermissions