Last modified: Mar 10, 2025 By Alexander Williams
Using Permissions in Django Rest Framework
Django Rest Framework (DRF) provides a powerful way to manage permissions for your API endpoints. Permissions ensure that only authorized users can access or modify resources. This guide will walk you through the basics of using permissions in DRF.
What Are Permissions in DRF?
Permissions in DRF determine whether a user can perform a specific action on an API endpoint. They are used to restrict access to views and data. DRF comes with several built-in permission classes, and you can also create custom ones.
Built-in Permission Classes
DRF includes several built-in permission classes, among them IsAuthenticated, IsAdminUser, and AllowAny. Each class serves a specific purpose and is applied to a view by listing it in the view's permission_classes attribute.
IsAuthenticated
The IsAuthenticated permission class ensures that only authenticated users can access the view. Here's an example:
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.views import APIView

class ExampleView(APIView):
    # DRF runs every class listed here before get() is called.
    permission_classes = [IsAuthenticated]

    def get(self, request):
        return Response({"message": "Authenticated user only"})

In this example, only authenticated users can access the ExampleView.
IsAdminUser
The IsAdminUser permission class restricts access to admin users (users whose is_staff flag is set). Here's how you can use it:

from rest_framework.permissions import IsAdminUser
from rest_framework.response import Response
from rest_framework.views import APIView

class AdminView(APIView):
    permission_classes = [IsAdminUser]

    def get(self, request):
        return Response({"message": "Admin user only"})
This view is accessible only to users with admin privileges.
AllowAny
The AllowAny permission class allows any user to access the view. It is also DRF's default when no permission classes are configured, either on the view or in the DEFAULT_PERMISSION_CLASSES setting.

from rest_framework.permissions import AllowAny
from rest_framework.response import Response
from rest_framework.views import APIView

class PublicView(APIView):
    permission_classes = [AllowAny]

    def get(self, request):
        return Response({"message": "Public access"})
This view is accessible to everyone, regardless of authentication status.
Custom Permissions
Sometimes, the built-in permission classes may not meet your needs. In such cases, you can create custom permissions. Here's an example of a custom permission class:
from rest_framework.permissions import BasePermission

class IsOwner(BasePermission):
    # Object-level check only. has_permission() is inherited from
    # BasePermission and returns True, so this class never blocks a
    # request at the view level; it only decides access to a given object.
    def has_object_permission(self, request, view, obj):
        return obj.owner == request.user
This custom permission checks if the requesting user is the owner of the object. You can use it in your views like this:
from rest_framework.response import Response
from rest_framework.views import APIView

class OwnerView(APIView):
    # IsOwner is the custom class defined above.
    permission_classes = [IsOwner]

    def get(self, request):
        # has_object_permission() is only evaluated when the view calls
        # self.check_object_permissions(request, obj). Generic views do this
        # in get_object(); a plain APIView handler must call it explicitly
        # after loading the object it is about to return.
        return Response({"message": "Owner access only"})

This view is accessible only to the owner of the object. Note that DRF runs has_object_permission only when the view calls self.check_object_permissions(request, obj); generic views (such as RetrieveAPIView) do this inside get_object(), but a plain APIView like the one above must call it explicitly once it has loaded the object, or the IsOwner check is never executed.
Combining Permissions
You can combine multiple permission classes to create more complex access rules. For example, you might want to allow access only to authenticated users who are also owners of the object.
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.views import APIView

class CombinedView(APIView):
    # All listed classes must grant access: IsAuthenticated is checked at the
    # view level, IsOwner at the object level (IsOwner is defined above).
    permission_classes = [IsAuthenticated, IsOwner]

    def get(self, request):
        return Response({"message": "Authenticated owner only"})

This view is accessible only to authenticated users who are also owners of the object: every class in permission_classes must grant access, so the list behaves as a logical AND.
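To make the two-phase evaluation behind the Custom Permissions and Combining Permissions sections concrete, here is an added, dependency-free model of how a view's permission_classes are evaluated. It is not DRF's code and not part of the original post: the User, Request and Post types are constructed stand-ins, and the View class re-implements the check_permissions / check_object_permissions logic so the example runs offline. It shows that the list is ANDed, that IsOwner on its own passes the view-level phase, and that a view which never calls check_object_permissions silently turns IsOwner into a no-op.

```python
# Added example (not from the original post): a stand-alone model of DRF's
# permission evaluation. Method names mirror DRF's, but the classes below
# are re-implementations for illustration; User/Request/Post are constructed.
from dataclasses import dataclass


@dataclass
class User:
    username: str
    is_authenticated: bool = True
    is_staff: bool = False


ANONYMOUS = User("anonymous", is_authenticated=False)


@dataclass
class Request:
    user: User
    method: str = "GET"


@dataclass
class Post:
    owner: User
    title: str = "constructed sample post"


class PermissionDenied(Exception):
    """Raised when a check fails (stands in for DRF's exception)."""


class BasePermission:
    # Same defaults as DRF: overriding only one method leaves the other
    # phase permissive.
    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True


class IsAuthenticated(BasePermission):
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_authenticated)


class IsAdminUser(BasePermission):
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_staff)


class IsOwner(BasePermission):
    # Object-level only: has_permission stays True, so this class alone never
    # blocks a request before the object is loaded.
    def has_object_permission(self, request, view, obj):
        return obj.owner == request.user


class View:
    permission_classes = []

    def check_permissions(self, request):
        # Phase 1, run before the handler: every class must grant (AND).
        for perm in self.permission_classes:
            if not perm().has_permission(request, self):
                raise PermissionDenied(perm.__name__)

    def check_object_permissions(self, request, obj):
        # Phase 2, run only when the view calls it (generic views do so in
        # get_object(); a plain APIView must call it explicitly).
        for perm in self.permission_classes:
            if not perm().has_object_permission(request, self, obj):
                raise PermissionDenied(perm.__name__)


class CombinedView(View):
    permission_classes = [IsAuthenticated, IsOwner]


class AdminOnlyView(View):
    permission_classes = [IsAuthenticated, IsAdminUser]


class ForgetfulOwnerView(View):
    # Mirrors an APIView whose handler never calls check_object_permissions.
    permission_classes = [IsOwner]


def attempt(view_cls, request, obj=None, object_check=True):
    """Return 'granted' or 'denied:<PermissionClass>' for one request."""
    view = view_cls()
    try:
        view.check_permissions(request)
        if object_check and obj is not None:
            view.check_object_permissions(request, obj)
    except PermissionDenied as exc:
        return f"denied:{exc}"
    return "granted"


def demo():
    alice, bob = User("alice"), User("bob")
    post = Post(owner=alice)
    return {
        "anon_combined": attempt(CombinedView, Request(ANONYMOUS), post),
        "bob_combined": attempt(CombinedView, Request(bob), post),
        "alice_combined": attempt(CombinedView, Request(alice), post),
        "alice_admin_only": attempt(AdminOnlyView, Request(alice)),
        # The handler never ran the object check, so IsOwner is bypassed.
        "bob_forgetful": attempt(ForgetfulOwnerView, Request(bob), post, object_check=False),
        "anon_forgetful": attempt(ForgetfulOwnerView, Request(ANONYMOUS), post, object_check=False),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>17}: {outcome}")
```

The last two cases are the ones worth remembering: with a permission class that only overrides has_object_permission, the view-level phase always passes, so anyone, including an anonymous client, reaches the handler, and the object check only protects anything if the handler actually invokes it.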
Conclusion
Permissions are a crucial part of securing your API in Django Rest Framework. By using built-in permission classes or creating custom ones, you can control access to your views and data effectively. For more advanced topics, check out our guide on Authentication in Django Rest Framework: Token vs JWT and Django Rest Framework ViewSets and Routers Guide.