rest_framework.permissions

Provides a set of pluggable permission policies.

Module Contents

SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']
class OperationHolderMixin
__and__(self, other)
__or__(self, other)
__rand__(self, other)
__ror__(self, other)
__invert__(self)
class SingleOperandHolder(operator_class, op1_class)

Bases:rest_framework.permissions.OperationHolderMixin

__call__(self, *args, **kwargs)
class OperandHolder(operator_class, op1_class, op2_class)

Bases:rest_framework.permissions.OperationHolderMixin

__call__(self, *args, **kwargs)
class AND(op1, op2)
has_permission(self, request, view)
has_object_permission(self, request, view, obj)
class OR(op1, op2)
has_permission(self, request, view)
has_object_permission(self, request, view, obj)
class NOT(op1)
has_permission(self, request, view)
has_object_permission(self, request, view, obj)
class BasePermissionMetaclass

Bases:rest_framework.permissions.OperationHolderMixin, type

class BasePermission

Bases:object

A base class from which all permission classes should inherit.

has_permission(self, request, view)

Return True if permission is granted, False otherwise.

has_object_permission(self, request, view, obj)

Return True if permission is granted, False otherwise.

class AllowAny

Bases:rest_framework.permissions.BasePermission

Allow any access. This isn’t strictly required, since you could use an empty permission_classes list, but it’s useful because it makes the intention more explicit.

has_permission(self, request, view)
class IsAuthenticated

Bases:rest_framework.permissions.BasePermission

Allows access only to authenticated users.

has_permission(self, request, view)
class IsAdminUser

Bases:rest_framework.permissions.BasePermission

Allows access only to admin users.

has_permission(self, request, view)
class IsAuthenticatedOrReadOnly

Bases:rest_framework.permissions.BasePermission

The request is authenticated as a user, or is a read-only request.

has_permission(self, request, view)
class DjangoModelPermissions

Bases:rest_framework.permissions.BasePermission

The request is authenticated using django.contrib.auth permissions. See: https://docs.djangoproject.com/en/dev/topics/auth/#permissions

It ensures that the user is authenticated, and has the appropriate add/change/delete permissions on the model.

This permission can only be applied against view classes that provide a .queryset attribute.

perms_map
authenticated_users_only = True
get_required_permissions(self, method, model_cls)

Given a model and an HTTP method, return the list of permission codes that the user is required to have.

_queryset(self, view)
has_permission(self, request, view)
class DjangoModelPermissionsOrAnonReadOnly

Bases:rest_framework.permissions.DjangoModelPermissions

Similar to DjangoModelPermissions, except that anonymous users are allowed read-only access.

authenticated_users_only = False
class DjangoObjectPermissions

Bases:rest_framework.permissions.DjangoModelPermissions

The request is authenticated using Django’s object-level permissions. It requires an object-permissions-enabled backend, such as Django Guardian.

It ensures that the user is authenticated, and has the appropriate add/change/delete permissions on the object using .has_perms.

This permission can only be applied against view classes that provide a .queryset attribute.

perms_map
get_required_object_permissions(self, method, model_cls)
has_object_permission(self, request, view, obj)