Django · How-To · Beginner · 4 min read

How to Use Permissions in Django REST Framework (DRF)

In Django REST Framework, use the permission_classes attribute in your views or viewsets to specify permission rules like IsAuthenticated or AllowAny. You can also create custom permission classes by subclassing BasePermission and overriding the has_permission method.

Syntax

Permissions in DRF are set using the permission_classes attribute on views or viewsets. You assign a list of permission classes that control who can access the API endpoint.

Each permission class must inherit from rest_framework.permissions.BasePermission and implement the has_permission(self, request, view) method, which returns True if access is allowed.

python
from rest_framework.permissions import BasePermission, IsAuthenticated
from rest_framework.response import Response
from rest_framework.views import APIView


class CustomPermission(BasePermission):
    def has_permission(self, request, view):
        # Return True to grant access, False to deny it.
        # Replace this placeholder with your own rule.
        return True


class MyView(APIView):
    # Every class in the list must grant access for the request to proceed.
    permission_classes = [IsAuthenticated, CustomPermission]

    def get(self, request):
        return Response({'message': 'Hello, authenticated user!'})

Example

This example shows a simple API view that only allows authenticated users to access it using the built-in IsAuthenticated permission.

python
from rest_framework.views import APIView
from rest_framework.response import Response
from rest_framework.permissions import IsAuthenticated

class HelloView(APIView):
    permission_classes = [IsAuthenticated]

    def get(self, request):
        return Response({'message': f'Hello, {request.user.username}!'})
Output
{"message": "Hello, alice!"} # when user 'alice' is authenticated
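Building on the Syntax and Example sections above, here is an added example (not code from the original page) of a custom permission that lets any authenticated user read but only an object's owner modify it, together with two helpers that mirror how a DRF view combines every class in permission_classes with AND. The users, the `note` object and the request objects are constructed stand-ins, and the fallback BasePermission is only used when Django REST Framework is not importable.

```python
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission, SAFE_METHODS
except Exception:  # assumption: DRF absent or Django unconfigured; minimal stand-ins keep this runnable
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

    class BasePermission:
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True


class IsOwnerOrReadOnly(BasePermission):
    """Authenticated users may read; only the object's owner may modify it."""

    def has_permission(self, request, view):
        # View-level check, run before the handler: deny anonymous callers.
        return bool(request.user and request.user.is_authenticated)

    def has_object_permission(self, request, view, obj):
        # Object-level check: GET/HEAD/OPTIONS pass, writes require ownership.
        if request.method in SAFE_METHODS:
            return True
        return obj.owner == request.user


def view_allows(permission_classes, request, view=None):
    """Mirror APIView.check_permissions: every listed class must grant access."""
    return all(p().has_permission(request, view) for p in permission_classes)


def object_allows(permission_classes, request, obj, view=None):
    """Mirror APIView.check_object_permissions for a retrieved object."""
    return all(p().has_object_permission(request, view, obj) for p in permission_classes)


# Constructed sample users, object and requests (hypothetical, not Django models).
alice = SimpleNamespace(username="alice", is_authenticated=True)
bob = SimpleNamespace(username="bob", is_authenticated=True)
anon = SimpleNamespace(username="", is_authenticated=False)
note = SimpleNamespace(owner=alice)


def make_request(user, method):
    return SimpleNamespace(user=user, method=method)
```

In a real view you would only set `permission_classes = [IsOwnerOrReadOnly]`; DRF calls has_permission during dispatch and has_object_permission when `get_object()` runs, which is why the object-level method is never reached for anonymous callers.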

Common Pitfalls

  • Forgetting to set permission_classes on your view or viewset, so it falls back to DRF's global default (DEFAULT_PERMISSION_CLASSES, which is AllowAny unless you configure it) and the endpoint is left open.
  • Not importing permission classes correctly or misspelling them.
  • Creating custom permissions but not returning True or False explicitly from has_permission; a method that falls off the end returns None, which DRF treats as a denial.
  • Using permission_classes as a tuple instead of a list can cause unexpected behavior.
python
from rest_framework.permissions import AllowAny
from rest_framework.views import APIView

# Wrong: permission_classes as a tuple (may cause issues)
class WrongView(APIView):
    permission_classes = (AllowAny,)

# Right: permission_classes as a list
class RightView(APIView):
    permission_classes = [AllowAny]

Quick Reference

Permission Class | Description
AllowAny | Allows unrestricted access to any user.
IsAuthenticated | Allows access only to authenticated users.
IsAdminUser | Allows access only to admin users.
IsAuthenticatedOrReadOnly | Allows read-only access to unauthenticated users, full access to authenticated users.

Key Takeaways

  • Set permissions in DRF using the permission_classes attribute on views or viewsets.
  • Use built-in permission classes like IsAuthenticated to restrict access easily.
  • Create custom permissions by subclassing BasePermission and overriding has_permission.
  • Always return True or False explicitly in custom permission methods.
  • Remember permission_classes must be a list, not a tuple, to avoid issues.