
I want to make a Django REST User API with complex permissions as follows:

GET

  • Only Admin should be able to get all User data
  • Logged in User should be able to get himself and the names of other Users

PUT

  • Only Admin and Self should be able to PUT
  • Except for is_staff and is_superuser only is_superuser should be able to change the status of a user
  • Password changes by a User should require the old password
  • If User is !is_staff, password reset should be possible

POST / DELETE

  • Only Admin should be able POST/DELETE User
  • User should be able to update his own Profile

Unfortunately, I have no idea how to control the view or serializer to allow such permissions. Is there a template for how I can exactly control the permissions?

Gurkenkönig

1 Answer


You can write your custom permission according to the DRF docs.

And add YourCustomPermission in your view:

from rest_framework.views import APIView

class ExampleView(APIView):
    # DRF evaluates every class listed here before the request reaches a handler
    permission_classes = (YourCustomPermission,)
Sergey Pugach
  • Thanks for your quick answer. With your hint I was able to find https://stackoverflow.com/questions/19313314/django-rest-framework-per-action-permission a very helpful post I could adapt to my needs. – Gurkenkönig Dec 13 '18 at 10:56
  • If my post was helpful, could you mark it as a solution. Good luck! – Sergey Pugach Dec 13 '18 at 10:58
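The answer points at a custom permission class but does not show how the asker's rules map onto DRF's hooks. The following is an added example, not code from the original post or from DRF: it splits the rules into a permission class (view-level and object-level checks) and plain functions that a serializer would call from `validate()` and `to_representation()`, since field-level rules such as "only a superuser may flip is_staff" and "a password change needs the old password" cannot be expressed in a permission class alone. The names `UserPermission`, `DemoUser`, the `old_password` field and the import fallback when DRF is absent are assumptions; the sample accounts are constructed. "Admin" is read as `is_staff`, and the password-reset rule is left to a separate flow.

```python
"""Added example (not from the original post): the asker's user-API rules split
into a DRF permission class and serializer-side validation helpers. Names such
as UserPermission, DemoUser and the old_password field are assumptions."""
from types import SimpleNamespace

try:
    from rest_framework.permissions import SAFE_METHODS, BasePermission
except ImportError:  # assumption: let the rule functions run where DRF is not installed
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

    class BasePermission:  # minimal stand-in exposing DRF's two hook names
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True

PRIVILEGE_FIELDS = frozenset({"is_staff", "is_superuser"})
FULL_FIELDS = ("id", "username", "email", "is_staff", "is_superuser")
PUBLIC_FIELDS = ("id", "username")


def may_access_view(user, method):
    """View-level gate: anonymous callers get nothing, POST and DELETE are admin-only."""
    if user is None or not getattr(user, "is_authenticated", False):
        return False
    if method in ("POST", "DELETE"):
        return bool(user.is_staff)
    return True


def may_access_object(user, method, target):
    """Object-level gate for one User record. GET is open to every logged-in user
    (visible_fields decides how much they see); PUT/PATCH need admin or self."""
    if method in SAFE_METHODS:
        return True
    if method == "DELETE":
        return bool(user.is_staff)
    return bool(user.is_staff) or user.pk == target.pk


def visible_fields(user, target):
    """Admin and the user himself see the whole record, others only the name.
    A serializer's to_representation() would drop everything not listed here."""
    if user.is_staff or user.pk == target.pk:
        return FULL_FIELDS
    return PUBLIC_FIELDS


def validate_update(user, target, data):
    """Field-level rules for PUT/PATCH on `target`; returns error strings, empty when ok.
    Meant to be called from the serializer's validate() with request.user."""
    errors = []
    if not PRIVILEGE_FIELDS.isdisjoint(data) and not user.is_superuser:
        errors.append("only a superuser may change is_staff or is_superuser")
    if "password" in data and not user.is_staff:
        old = data.get("old_password")  # assumed write-only serializer field
        if not old or not target.check_password(old):
            errors.append("password change requires the correct old_password")
    return errors


class UserPermission(BasePermission):
    """Drop-in for permission_classes on the user view; delegates to the functions above."""

    def has_permission(self, request, view):
        return may_access_view(request.user, request.method)

    def has_object_permission(self, request, view, obj):
        return may_access_object(request.user, request.method, obj)


class DemoUser(SimpleNamespace):
    """Constructed stand-in for django.contrib.auth's User, so this runs offline."""
    is_authenticated = True

    def check_password(self, raw):
        return raw == self.password


# Constructed sample accounts (not real data).
ADMIN = DemoUser(pk=1, username="admin", is_staff=True, is_superuser=True, password="admin-pw")
STAFF = DemoUser(pk=2, username="staff", is_staff=True, is_superuser=False, password="staff-pw")
ALICE = DemoUser(pk=3, username="alice", is_staff=False, is_superuser=False, password="s3cret")
BOB = DemoUser(pk=4, username="bob", is_staff=False, is_superuser=False, password="hunter2")

if __name__ == "__main__":
    print("alice PUT bob:", may_access_object(ALICE, "PUT", BOB))
    print("alice sees of bob:", visible_fields(ALICE, BOB))
    print("staff sets is_superuser:", validate_update(STAFF, ALICE, {"is_superuser": True}))
    print("alice changes password without old:", validate_update(ALICE, ALICE, {"password": "x"}))
```

Note that `has_object_permission` only runs when the view calls `self.check_object_permissions(request, obj)` (generic views do this in `get_object()`), so a hand-written `APIView` that fetches the user itself must call it explicitly, or the "admin or self" rule for PUT silently never runs. Keeping the rules in plain functions also makes them unit-testable without a Django test client.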