Django framework, ~20 mins

Custom permissions in Django - Practice Problems & Coding Challenges

Challenge - 5 Problems
component_behavior
intermediate
What is the output of this custom permission check?
Consider this Django REST Framework custom permission class. What will be the result of has_permission when the user is authenticated but not staff?
Django
from rest_framework.permissions import BasePermission

class IsStaffUser(BasePermission):
    def has_permission(self, request, view):
        return request.user and request.user.is_staff

# Assume request.user.is_authenticated == True and request.user.is_staff == False
class DummyUser:
    is_authenticated = True
    is_staff = False

class DummyRequest:
    user = DummyUser()

permission = IsStaffUser()
result = permission.has_permission(DummyRequest(), None)
A. None
B. True
C. Raises AttributeError
D. False
💡 Hint
Think about what the has_permission method returns based on the is_staff attribute.
📝 Syntax
intermediate
Which option correctly defines a custom permission class allowing only GET requests?
You want to create a custom permission class in Django REST Framework that allows access only if the HTTP method is GET. Which code snippet is syntactically correct and works as intended?
A
class AllowGetOnly(BasePermission):
    def has_permission(self, request, view):
        return request.method == 'GET'
B
class AllowGetOnly(BasePermission):
    def has_permission(self, request, view):
        if request.method = 'GET':
            return True
        return False
C
class AllowGetOnly(BasePermission):
    def has_permission(self, request, view):
        if request.method == 'GET':
            return True
        else:
            return False
D
class AllowGetOnly(BasePermission):
    def has_permission(self, request, view):
        return request.method is 'GET'
💡 Hint
Check for correct comparison operators and syntax in Python.
🔧 Debug
advanced
Why does this custom permission always deny access?
This custom permission class is intended to allow access only to users with username 'admin'. Why does it always deny access?
Django
from rest_framework.permissions import BasePermission

class IsAdminUser(BasePermission):
    def has_permission(self, request, view):
        if request.user.username == 'admin':
            return True
        else:
            return False

# But in testing, even user 'admin' is denied.
A. The method should be named has_object_permission instead
B. request.user is AnonymousUser without username attribute
C. The permission class is missing the 'SAFE_METHODS' check
D. The user model does not have a username field
💡 Hint
Think about what request.user might be if the user is not authenticated.
state_output
advanced
What is the value of allowed after running this permission check?
Given this custom permission and a request with method POST and user.is_authenticated True, what is the value of allowed?
Django
from rest_framework.permissions import BasePermission

class IsAuthenticatedAndPost(BasePermission):
    def has_permission(self, request, view):
        return request.user.is_authenticated and request.method == 'POST'

class DummyUser:
    is_authenticated = True

class DummyRequest:
    user = DummyUser()
    method = 'POST'

permission = IsAuthenticatedAndPost()
allowed = permission.has_permission(DummyRequest(), None)
A. False
B. Raises AttributeError
C. True
D. None
💡 Hint
Check both conditions in the return statement carefully.
🧠 Conceptual
expert
Which option best describes the purpose of custom permissions in Django REST Framework?
Select the option that most accurately explains why and when you would create custom permission classes in Django REST Framework.
A. To define specific rules controlling access to views beyond built-in permissions, such as user roles or request methods
B. To replace authentication mechanisms like token or session authentication
C. To handle database migrations and schema changes
D. To automatically generate API documentation for endpoints
💡 Hint
Think about what permissions control in a web API.