Tags: django, python-3.x, django-rest-framework, django-rest-auth, django-permissions

Django groups and permissions in API level (with django-rest-framework)


Consider the following scenario:
I have a bunch of Users and API classes. I need to restrict access to each API by checking the requesting user's group permissions and allow the user to do only the group-permitted stuff.

Suppose I have a user user_xx, who belongs to group group_xx and has the permission activity | activity | Can add activity. When user_xx tries to access MyActivityAPI through the HTTP DELETE method, the view class should restrict the access.
Can I achieve this feature? If possible, how?

What I've tried
Created some groups, assigned permissions to them and added users to their corresponding groups. I tried to access one of the restricted APIs, but it allowed me access (expected behaviour: restrict the user from the API).

UPDATE:
Here is my simple views.py:

from rest_framework.permissions import IsAuthenticated
from rest_framework.viewsets import ModelViewSet

class MyApi(ModelViewSet):
    permission_classes = (IsAuthenticated,)  # only checks that the user is logged in
    queryset = MyModel.objects.all()
    serializer_class = MyModelSerializer

Solution

  • As described in the docs, in order for the Django model permissions to be applied to the viewset you have to use DjangoModelPermissions:

    from rest_framework.permissions import DjangoModelPermissions
    from rest_framework.viewsets import ModelViewSet

    class MyApi(ModelViewSet):
        permission_classes = (DjangoModelPermissions,)  # maps POST/PUT/PATCH/DELETE to add/change/delete perms
        queryset = MyModel.objects.all()  # required: the model perms are derived from this queryset
        serializer_class = MyModelSerializer

    In your previous code all actions were allowed to any authenticated user because you were using permission_classes = (IsAuthenticated,).
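Added example, not code from the question or the answer: the HTTP-method-to-model-permission rule that DjangoModelPermissions applies, replayed against the question's scenario in plain Python so it runs without Django installed. PERMS_MAP copies DRF's default perms_map; StubUser and the "activity" app label and model name are assumptions standing in for the real User model and the viewset's queryset model.

```python
# Stand-alone illustration of the DjangoModelPermissions check (not DRF's own code).
# Mirrors DRF's default perms_map: read methods need no model permission, write
# methods need the add/change/delete permission of the queryset's model.
PERMS_MAP = {
    "GET": [],
    "OPTIONS": [],
    "HEAD": [],
    "POST": ["%(app_label)s.add_%(model_name)s"],
    "PUT": ["%(app_label)s.change_%(model_name)s"],
    "PATCH": ["%(app_label)s.change_%(model_name)s"],
    "DELETE": ["%(app_label)s.delete_%(model_name)s"],
}


class StubUser:
    """Assumed stand-in for django.contrib.auth's User: the permission codenames
    ("app_label.codename") the user holds via groups, plus an authenticated flag."""

    def __init__(self, perms, is_authenticated=True):
        self.perms = set(perms)
        self.is_authenticated = is_authenticated

    def has_perms(self, perm_list):
        # Same contract as User.has_perms: every listed permission must be held.
        return all(p in self.perms for p in perm_list)


def required_perms(method, app_label, model_name):
    """Render the permission codenames one request method needs for one model."""
    if method not in PERMS_MAP:
        # DRF answers an unmapped method with 405 Method Not Allowed.
        raise ValueError(f"method not allowed: {method}")
    ctx = {"app_label": app_label, "model_name": model_name}
    return [p % ctx for p in PERMS_MAP[method]]


def has_permission(user, method, app_label, model_name):
    """Decide as DjangoModelPermissions.has_permission does: anonymous users are
    rejected outright, then every permission mapped to the method is required."""
    if not user.is_authenticated:
        return False
    return user.has_perms(required_perms(method, app_label, model_name))


# Constructed scenario from the question: user_xx's group grants only "Can add activity".
user_xx = StubUser({"activity.add_activity"})
# POST (add) passes, DELETE is refused because activity.delete_activity is missing.
```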