This is my global configuration of the default permission classes, which has been configured to use the IsAuthenticated permission:

    REST_FRAMEWORK = {
        'DEFAULT_AUTHENTICATION_CLASSES': [
            'rest_framework.authentication.SessionAuthentication',
            'rest_framework.authentication.TokenAuthentication',
        ],
        'DEFAULT_PERMISSION_CLASSES': ['rest_framework.permissions.IsAuthenticated'],
    }

I wanted my API to be accessed by authenticated users; hence, I configured the IsAuthenticated permission globally in settings. I have created another custom permission, IsAuthorOrReadOnly, which only allows the author of the Post to update or delete it; otherwise it is read-only. This is my ViewSet:

    from rest_framework import viewsets

    class PostViewSet(viewsets.ModelViewSet):
        queryset = Post.objects.all()
        serializer_class = PostSerializer
        permission_classes = [IsAuthorOrReadOnly]

Yet the PostViewSet API is accessible to anonymous users, i.e. to every user. The global IsAuthenticated permission does not take effect. When I add IsAuthenticated to the PostViewSet's permission_classes, it works.

Shouldn't the globally configured permission take effect across the project regardless of the custom permission implemented? Why does the globally configured permission not work with the custom permission in the ViewSets?

The DRF documentation says:
Note: when you set new permission classes through class attribute or decorators you're telling the view to ignore the default list set over the settings.py file.
So in your case, IsAuthorOrReadOnly overrides the one defined in the settings.
The link: https://www.django-rest-framework.org/api-guide/permissions/
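
The override described in the answer, as an added example that is not part of the original question or answer. It uses plain-Python stand-ins that mirror how DRF resolves `permission_classes` (so it runs without Django), and it assumes `IsAuthorOrReadOnly` only implements `has_object_permission`, which the question does not show. `FixedPostViewSet` and `views_without_auth` are hypothetical names.

```python
# Stand-in classes modelling DRF's permission resolution; this is not DRF itself.
from types import SimpleNamespace

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

class BasePermission:
    def has_permission(self, request, view):
        return True  # DRF's base class also allows by default
    def has_object_permission(self, request, view, obj):
        return True

class IsAuthenticated(BasePermission):
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_authenticated)

class IsAuthorOrReadOnly(BasePermission):
    # Assumed implementation: object-level logic only, so the
    # view-level has_permission() inherits "allow" from the base class.
    def has_object_permission(self, request, view, obj):
        return request.method in SAFE_METHODS or obj.author == request.user

DEFAULT_PERMISSION_CLASSES = [IsAuthenticated]  # what settings.py provides

class APIView:
    # The global default is only the base class attribute.
    permission_classes = DEFAULT_PERMISSION_CLASSES
    def check_permissions(self, request):
        return all(p().has_permission(request, self)
                   for p in self.permission_classes)

class PostViewSet(APIView):
    # As in the question: this assignment replaces the default list.
    permission_classes = [IsAuthorOrReadOnly]

class FixedPostViewSet(APIView):
    # Every class in the list must pass, so authentication is required again.
    permission_classes = [IsAuthenticated, IsAuthorOrReadOnly]

def views_without_auth(views):
    """Audit helper: names of views whose list lacks IsAuthenticated."""
    return [v.__name__ for v in views
            if not any(issubclass(p, IsAuthenticated)
                       for p in v.permission_classes)]

# Constructed sample request from an anonymous user.
anon = SimpleNamespace(method="GET",
                       user=SimpleNamespace(is_authenticated=False))
print(PostViewSet().check_permissions(anon))       # anonymous allowed
print(FixedPostViewSet().check_permissions(anon))  # anonymous rejected
print(views_without_auth([PostViewSet, FixedPostViewSet]))
```

In a real project the same fix is `permission_classes = [IsAuthenticated, IsAuthorOrReadOnly]` on the ViewSet, with `IsAuthenticated` imported from `rest_framework.permissions`.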