Make Django REST endpoints inaccessible if no permission exists

Question

currently I am creating a webbackend with Django, where the administration is done with KeyCloak.

With KeyCloak I can assign users with certain role (e.g. customers, subscription customers).

The customer and subscription customer have different permissions. (E.g. like in the film industry, where only the subscription customers can watch all movies and the normal customer can not) There's an endpoint to every movie.

How can I make this endpoint inaccessible with missing permissions?

score 0 · Answer 1 · answered Dec 19 '19 at 12:07

You have to create a user_type field in your User Model

 ACCESS_CHOICES = (
        ('subscriber', 'subscriber'),
        ('non-subscribe', 'non-subscribe')
    )

user_type = models.CharField(choices=ACCESS_CHOICES, max_length=15)

create a custom permission class and put that into your view

class MoviesAccessPermssion(permissions.BasePermission):
    def has_permission(self, request, view):
        return True or False #on base of request.user.user_type

Make Django REST endpoints inaccessible if no permission exists

1 Answers1