Prometheus

Reputation: 33625

Django Rest Framework won't let me have more than one permission

I have a problem with the Django Rest Framework and permissions. DRF won't let me have more than one permission on my views for example.

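If I log in to the API as an admin user I can get access using this mixin:

from rest_framework import permissions

class PermissionMixin(object):
    # Trailing comma makes this a one-element tuple rather than a bare class
    permission_classes = (permissions.IsAdminUser,)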

Now, if I add a second permission mixin:

class PermissionMixin(object):
    permission_classes = (permissions.IsAdminUser, TokenHasReadWriteScope)

Admin users are denied access. What should happen is that both admin users and users with a token get access; however, with the above, now only TokenHasReadWriteScope users have access.

Has anyone else had this issue? What's going on here?

I need both types of users to have access.

This is how my view looks:

from rest_framework import generics

class SomeList(PermissionMixin, generics.ListCreateAPIView):
    queryset = Award.objects.all()
    serializer_class = AwardSerializer

PS TokenHasReadWriteScope is from django-oauth-toolkit

Upvotes: 16

Views: 8536

Answers (2)

Neman

Reputation: 1307

With version 3.9 and above of Django Rest Framework, they have built-in support for composable permission classes and you can use and/or-operators out of the box:

permission_classes = [IsAuthenticated & (ReadOnly | IsAdmin)]

Upvotes: 27

AdelaN

Reputation: 3536

The behavior you are experiencing is absolutely normal, that's how DRF was designed. If you want to have at least one of those permission classes, you need to specify a more 'complex' condition. This is a very good example of what you might use. After you install it, you can use it like this:

from rest_condition import Or
...
permission_classes = (Or(permissions.IsAdminUser, TokenHasReadWriteScope),)

Upvotes: 14
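The following is an added example, not code from the question, the answers, or DRF itself: a stand-alone model of why a tuple of permission classes requires every entry to pass, and how composing two classes into one entry (as both answers do) changes the outcome. The class bodies, `AnyOf`, `is_allowed`, `make_request` and the shape of `request.auth` are simplified stand-ins assumed for illustration.

```python
from types import SimpleNamespace

class Composable(type):
    """Gives permission classes a `|` operator (DRF 3.9+ does this via a metaclass)."""
    def __or__(cls, other):
        return lambda: AnyOf(cls(), other())

class AnyOf:
    """Grants access when either wrapped permission grants it."""
    def __init__(self, first, second):
        self.first, self.second = first, second

    def has_permission(self, request, view):
        return (self.first.has_permission(request, view)
                or self.second.has_permission(request, view))

class IsAdminUser(metaclass=Composable):  # stand-in for permissions.IsAdminUser
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_staff)

class TokenHasReadWriteScope(metaclass=Composable):  # simplified stand-in
    def has_permission(self, request, view):
        # Assumption: request.auth is the token's scope list, or None without a token.
        # Simplification: both scopes are required regardless of HTTP method.
        return request.auth is not None and {"read", "write"} <= set(request.auth)

def is_allowed(permission_classes, request, view=None):
    """Model of the view-level check: every entry in the tuple must grant access."""
    return all(p().has_permission(request, view) for p in permission_classes)

def make_request(is_staff, scopes):
    """Constructed request object carrying only the attributes checked above."""
    return SimpleNamespace(user=SimpleNamespace(is_staff=is_staff), auth=scopes)

# Constructed sample requests.
ADMIN_SESSION = make_request(True, None)                # admin, no OAuth token
TOKEN_CLIENT = make_request(False, ["read", "write"])   # token, not staff
ADMIN_WITH_TOKEN = make_request(True, ["read", "write"])
READ_ONLY_TOKEN = make_request(False, ["read"])

BOTH_REQUIRED = (IsAdminUser, TokenHasReadWriteScope)     # the question's tuple
EITHER_ALLOWED = (IsAdminUser | TokenHasReadWriteScope,)  # one composed entry

if __name__ == "__main__":
    for name, req in [("admin session", ADMIN_SESSION), ("token client", TOKEN_CLIENT),
                      ("admin + token", ADMIN_WITH_TOKEN), ("read-only token", READ_ONLY_TOKEN)]:
        print(f"{name:16} both={is_allowed(BOTH_REQUIRED, req)} "
              f"either={is_allowed(EITHER_ALLOWED, req)}")
```

When widening access with an OR, keep a negative case such as `READ_ONLY_TOKEN` in the view's tests so a request that satisfies neither condition is still confirmed to be denied.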
