reading notes for code fellows
Permissions will be important in any real-life project so that not just anyone can come in and mess with your database.
Permissions determine whether a request should be granted or denied access. Permission checks run before any other code in the view and typically use the request.user and request.auth properties to make their determination. The simplest style of permission is to allow any authenticated user access to anything and deny access to all unauthenticated users. REST framework has a built-in IsAuthenticated class for this.
Permissions are defined as a list of classes. If a permission check fails, an exception is raised and the response is either a 403 or a 401. REST framework also supports object-level permissions, which determine whether a user should be able to interact with a specific object.
You can set the default permissions in the DEFAULT_PERMISSION_CLASSES setting. By default, this grants access to all users, but you can change it to IsAuthenticated. You can also set permissions on a per-view basis using the APIView class-based views.
AllowAny will allow unrestricted access.
IsAuthenticated will deny any unauthenticated user.
IsAdminUser will deny permission unless user.is_staff is True.
IsAuthenticatedOrReadOnly will allow authenticated users to perform any request and unauthenticated users to perform only ‘safe’ requests.
DjangoModelPermissions will only grant access if the user has the relevant model permissions.
DjangoObjectPermissions will only grant access if the user has the relevant model and object permissions.
You could also create custom permissions by overriding BasePermission.
creating custom permissions
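As an added example (not part of the original notes or REST framework's own code), here is a custom permission built on BasePermission that lets anyone read but only the authenticated owner of an object modify it. The `owner` field, the `is_allowed` and `request_as` helpers, and the sample users are assumptions for illustration; the stand-in base class is used only when Django REST framework is not installed.

```python
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission, SAFE_METHODS
except ImportError:
    # Stand-in so the example runs without DRF; mirrors the two hooks.
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

    class BasePermission:
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True


class IsOwnerOrReadOnly(BasePermission):
    """Anyone may read; only the authenticated owner may modify an object."""

    def has_permission(self, request, view):
        # View-level check: runs before any object is loaded.
        if request.method in SAFE_METHODS:
            return True
        return bool(request.user and request.user.is_authenticated)

    def has_object_permission(self, request, view, obj):
        # Object-level check: 'owner' is an assumed field on the model.
        if request.method in SAFE_METHODS:
            return True
        return getattr(obj, "owner", None) == request.user


def is_allowed(permission, request, view, obj=None):
    """Hypothetical helper mirroring the order of checks: view-level first,
    object-level only if that passed and an object is involved."""
    if not permission.has_permission(request, view):
        return False
    return obj is None or permission.has_object_permission(request, view, obj)


# Constructed sample users and object (not from the original notes).
alice = SimpleNamespace(username="alice", is_authenticated=True)
bob = SimpleNamespace(username="bob", is_authenticated=True)
anon = SimpleNamespace(username="", is_authenticated=False)
post = SimpleNamespace(title="hello", owner=alice)


def request_as(user, method):
    return SimpleNamespace(user=user, method=method)
```

In a plain APIView, has_object_permission only runs if the view calls self.check_object_permissions(request, obj); the generic views' get_object() makes that call for you.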
I would assume this will be slightly similar to how we used OAuth, but a more built-in version, which should be interesting.