Django REST Framework ViewSets are great for setting up a REST API quickly with little code. Here's how to set custom permissions for individual methods of a ViewSet.
In this example, the 'comments' method within the 'CreationViewSet' requires an 'IsAdminUser' permission, while the rest of the methods within the same ViewSet should remain accessible to all.
How can you achieve this as simply as possible?
Django REST Framework allows customization of permissions per action within a ViewSet by overriding the get_permissions method.
Let's walk through some sample Python code that does this:
```python
# views.py
from rest_framework import viewsets, permissions
from rest_framework.decorators import action
from rest_framework.response import Response

from .models import Creation
from .serializers import CreationSerializer, CommentSerializer


class CreationViewSet(viewsets.ModelViewSet):
    queryset = Creation.objects.all()
    serializer_class = CreationSerializer

    def get_permissions(self):
        # self.action holds the name of the handler DRF is about to call.
        if self.action == 'comments':
            # IsAdminUser admits only users with is_staff=True.
            permission_classes = [permissions.IsAdminUser]
        else:
            # Every other action of this ModelViewSet (list, retrieve,
            # create, update, partial_update, destroy) is open to any caller.
            permission_classes = [permissions.AllowAny]
        return [permission() for permission in permission_classes]

    @action(detail=True, methods=['get'])
    def comments(self, request, pk=None):
        # get_object() also runs the object-level permission checks.
        creation = self.get_object()
        comments = creation.comments.all()
        serializer = CommentSerializer(comments, many=True)
        return Response(serializer.data)
```
In this code, we override the get_permissions method to customize the permission classes based on the action. If the action is 'comments', we restrict access to admin users only by setting permission_classes = [permissions.IsAdminUser]. For all other actions, we set permission_classes = [permissions.AllowAny] to allow any user to access them.
We also define the comments action, which fetches the comments of a specific 'Creation' object and returns them as a response.
This approach offers a clean and elegant solution to apply different permissions per method in a ViewSet.
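The same idea taken one step further, as an added example that is not part of the original post or of Django REST Framework: instead of an if/else that sends every unmatched action to AllowAny, permissions come from an explicit map and any action missing from it is denied. DenyAll, PerActionPermissionsMixin, permission_classes_by_action and unlisted_actions are hypothetical names; the classes are plain Python that relies only on DRF's has_permission/has_object_permission interface, so the block imports without DRF installed.

```python
# Added example; the names below are hypothetical, not DRF APIs.
class DenyAll:
    """Duck-typed DRF permission that refuses every request."""
    message = "No permission policy is declared for this action."

    def has_permission(self, request, view):
        return False

    def has_object_permission(self, request, view, obj):
        return False


class PerActionPermissionsMixin:
    """Resolve permissions from an explicit action -> classes map.

    List the mixin before the DRF base class (hypothetical usage):

        class CreationViewSet(PerActionPermissionsMixin, viewsets.ModelViewSet):
            permission_classes_by_action = {
                "list": [permissions.AllowAny],
                "retrieve": [permissions.AllowAny],
                "comments": [permissions.IsAdminUser],
            }
    """

    permission_classes_by_action = {}

    def get_permissions(self):
        # DRF sets self.action to the handler name ('list', 'comments', ...),
        # or to None when the HTTP method is not routed to any action.
        action = getattr(self, "action", None)
        classes = self.permission_classes_by_action.get(action)
        if classes is None:
            # New @action, misspelled key, or unrouted method: deny rather
            # than fall through to an open default.
            classes = [DenyAll]
        return [cls() for cls in classes]


def unlisted_actions(viewset_cls, actions):
    """Return the names in `actions` that have no explicit policy entry."""
    policy = viewset_cls.permission_classes_by_action
    return [name for name in actions if name not in policy]
```

DRF assigns the action name 'metadata' to OPTIONS requests, so that key needs an entry if the endpoint should answer them. Running unlisted_actions in a unit test over the ViewSet's action names turns a forgotten entry into a test failure instead of a silent denial in production.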