[Fixed]-Django REST difference between permission classes and authentication classes

8👍

✅

I want all my users with a valid token to get access, but only admin users to have permission to view the online API version with sessions, is this possible?

The first thing worth noting is that the browseable API won't give your users any more permissions than they would have if you only rendered to JSON. It's just a much nicer view onto the API endpoints. Personally I would typically want to expose the browseable API to end-developers as it makes developing against the API easier.

If you really do want to hide it from everyone except admin users here are two approaches you could take:

  1. Override the get_renderers() method on the view. (Briefly documented here) You can check self.request.user.is_staff, and only include the Browseable API renderer if it's an admin user.

  2. Subclass the browseable API renderer, and override .render(). (E.g. see here) You can get the incoming request using renderer_context['request'], and simply render to standard JSON if it's not an admin user.

👤Tom Christie

1πŸ‘

I think it works as described in the docs:

If any permission check fails an exceptions.PermissionDenied exception will be raised, and the main body of the view will not run.

If you set IsAdminUser, the user has to be an admin. Or else he won't have permission, even if all things that are required in DEFAULT_AUTHENTICATION_CLASSES are provided.

👤webjunkie
