View specified permission isn't replaced by default permission class

Question

When I set default permission settings to

"DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.AllowAny",
    ],

and then define different permission for views like

@requires_csrf_token
@permission_classes([IsAuthenticated])
@api_view(["POST"])
def logout(request):
    pass

I expected the view permission to be set as IsAuthenticated. But it behaves as AllowAny.

I'm using django rest simple JWT as authentication class.
The problem is that only the last decorator is applied, and others above, not working. Although I've not found solution for this problem yet.

score 1 · Accepted Answer · answered Dec 01 '22 at 22:15

As mentioned in the documentation, your @permission_classes decorator

must come after (below) the @api_view decorator

So I would rather try:

@requires_csrf_token
@api_view(["POST"])
@permission_classes([IsAuthenticated])
def logout(request):
    pass

1 Answers1