Djangoframework~30 mins

DRF permissions in Django - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Perf

DRF Permissions Setup

📖 Scenario: You are building a simple API for a blog. You want to control who can see and edit posts using Django REST Framework permissions.

🎯 Goal: Create a Django REST Framework view that uses permissions to allow only authenticated users to create posts, but anyone can read posts.

📋 What You'll Learn

Create a list of posts as initial data

Add a variable to set the permission class

Use the permission class in a DRF API view

Complete the view with the correct permission setup

💡 Why This Matters

🌍 Real World

APIs often need to control who can read or write data. Using DRF permissions helps secure your API endpoints.

💼 Career

Understanding DRF permissions is essential for backend developers working with Django REST Framework to build secure and user-friendly APIs.

Progress0 / 4 steps

Create initial posts data

Create a list called posts with these exact dictionaries: {'id': 1, 'title': 'First Post'} and {'id': 2, 'title': 'Second Post'}.

Django

# Your code here

Need a hint?

Use a list with two dictionaries exactly as shown.

Set permission classes variable

Create a variable called permission_classes and set it to a list containing IsAuthenticatedOrReadOnly.

Django

posts = [
    {'id': 1, 'title': 'First Post'},
    {'id': 2, 'title': 'Second Post'}
]
# Your code here

Need a hint?

Import IsAuthenticatedOrReadOnly and assign it inside a list to permission_classes.

Create API view with permission

Create a class called PostList that inherits from APIView and set its permission_classes attribute to the variable permission_classes.

Django

from rest_framework.permissions import IsAuthenticatedOrReadOnly
from rest_framework.views import APIView

posts = [
    {'id': 1, 'title': 'First Post'},
    {'id': 2, 'title': 'Second Post'}
]

permission_classes = [IsAuthenticatedOrReadOnly]
# Your code here

Need a hint?

Define PostList with permission_classes attribute and a get method returning posts.

Add POST method with permission check

Inside the PostList class, add a post method that accepts request, appends request.data to posts, and returns the new post with status 201. Use the existing permission_classes to allow only authenticated users to post.

Django

from rest_framework.permissions import IsAuthenticatedOrReadOnly
from rest_framework.views import APIView
from rest_framework.response import Response
from rest_framework import status

posts = [
    {'id': 1, 'title': 'First Post'},
    {'id': 2, 'title': 'Second Post'}
]

permission_classes = [IsAuthenticatedOrReadOnly]

class PostList(APIView):
    permission_classes = permission_classes

    def get(self, request):
        return Response(posts)

    # Your code here

Need a hint?

Add a post method that appends request.data to posts and returns it with status 201.