Permissions
credit link: https://www.django-rest-framework.org/api-guide/permissions/
-
Throttling is similar to permissions, in that it determines if a request should be authorized. Throttles indicate a temporary state, and are used to control the rate of requests that clients can make to an API.
-
Authentication is the mechanism of associating an incoming request with a set of identifying credentials, such as the user the request came from, or the token that it was signed with.
-
Permission checks are always run at the very start of the view, before any other code is allowed to proceed. Permission checks will typically use the authentication information
-
Permission in REST Framework ary defined as a list of permission class.
-
REST Framework support object-level permission, it used to determine if a user should be allowed to act on a particular object. normally a model instance.
API reference
AllowAny: unrestricted accessIsAuthenticated: to authorized,registered user.IsAdminUser: for admin user, user.is_stuff is tree.IsAuthenticatedOrReadOnly: unauthorized user to only perform safe methods.DjangoModelPermissions: Authorization will only be granted if the user is authenticated and has the relevant model permissions assigned.DjangoObjectPermissions: allows per-object permissions on models.Custom permissions: implement a custom permission, override BasePermission and implement either, or both.- .has_permission(self, request, view)
- .has_object_permission(self, request, view, obj)
REST framework access restriction methods
queryset permission_classes serializer_class
Action: list global global object-level*
Action: create no global object-level
Action: retrieve global object-level object-level
Action: update global object-level object-level
Action: partial_update global object-level object-level
Action: destroy global object-level no
Can reference action in decision no** yes no**
Can reference request in decision no** yes yes