I want all my users with a valid token to get access, but only admin users to have permission to view the online API version with sessions, is this possible?
The first thing worth noting is that the browseable API won't give your users any more permissions than they would have if you only render to JSON. It's just a much nicer view onto the API endpoints. Personally I would typically want to expose the browseable API to end-developers as it makes developing against the API easier.
If you really do want to hide it from everyone except admin users here are two approaches you could take:
- Override the `get_renderers()` method on the view. (Briefly documented here) You can check `self.request.user.is_staff`, and only include the Browseable API renderer if it's an admin user.
- Subclass the browseable API renderer, and override `.render()`. (Eg see here) You can get the incoming request using `renderer_context['request']`, and simply render to standard JSON if it's not an admin user.
1π
I think it works as described in the docs:
If any permission check fails an exceptions.PermissionDenied exception will be raised, and the main body of the view will not run.
If you set `IsAdminUser`, the user has to be an admin. Or else he won't have permission, even if all things that are required in `DEFAULT_AUTHENTICATION_CLASSES` are provided.