I have made a custom user model inside my django backend and I have created a view that register a new user, but I have set the view only for admin users. When I tried to register a new user using a non admin account, it has also worked!! so the view is correct but there is something wrong with the permissions! could someone please tell me what did I do wrong?
this is the models.py that has the custom user model:
from django.contrib.auth.models import AbstractBaseUser, BaseUserManager
from django.db import models
class CustomUserManager(BaseUserManager):
def create_user(self, email, password=None, **extra_fields):
if not email:
raise ValueError('The Email field must be set')
email = self.normalize_email(email)
user = self.model(email=email, **extra_fields)
user.set_password(password)
user.save()
return user
def create_superuser(self, email, password=None, **extra_fields):
extra_fields.setdefault('is_staff', True)
extra_fields.setdefault('is_superuser', True)
extra_fields.setdefault('is_admin', True)
if extra_fields.get('is_staff') is not True:
raise ValueError('Superuser must have is_staff=True.')
if extra_fields.get('is_superuser') is not True:
raise ValueError('Superuser must have is_superuser=True.')
return self.create_user(email, password=password, **extra_fields)
class User(AbstractBaseUser):
email = models.EmailField(unique=True)
first_name = models.CharField(max_length=30)
last_name = models.CharField(max_length=30)
is_admin = models.BooleanField(default=False)
is_active = models.BooleanField(default=True)
is_staff = models.BooleanField(default=True)
is_superuser = models.BooleanField(default=True)
USERNAME_FIELD = 'email'
REQUIRED_FIELDS = ['first_name', 'last_name']
objects = CustomUserManager()
def __str__(self):
return self.first_name
def has_perm(self, perm, obj=None):
return self.is_admin
def has_module_perms(self, app_label):
return True
this is the view.py that has the registration view:
from rest_framework.views import APIView
from rest_framework.response import Response
from rest_framework import permissions, status
from rest_framework_simplejwt.authentication import JWTAuthentication
from .models import User
class RegisterView (APIView):
permission_classes = [permissions.IsAdminUser]
authentication_classes = [JWTAuthentication]
def post(self, request):
try:
data = request.data
first_name = data['first_name']
last_name = data['last_name']
email = data['email']
password = data['password']
re_password = data['re_password']
is_superuser = False
if password == re_password:
if len(password)>= 8:
if not User.objects.filter(email=email).exists():
user = User.objects.create_user(
first_name = first_name,
last_name = last_name,
email= email,
password=password,
is_superuser=is_superuser,
)
user.save()
if User.objects.filter(email=email).exists():
return Response(
{'success': 'Account created successfully!'},
status=status.HTTP_201_CREATED
)
else:
return Response(
{'error': 'Something went wrong when trying to register account'},
status=status.HTTP_500_INTERNAL_SERVER_ERROR
)
else:
return Response(
{'error': 'Email already exists!'},
status= status.HTTP_400_BAD_REQUEST
)
else:
return Response(
{'error': 'Password must be at least 8 Characters in length'},
status= status.HTTP_400_BAD_REQUEST
)
else:
return Response(
{'error': 'Passwords do not match'},
status= status.HTTP_400_BAD_REQUEST
)
except:
return Response(
{'error': 'Something went wrong when trying to register account'},
status=status.HTTP_500_INTERNAL_SERVER_ERROR
)
and this is the rest framework settings in settings.py:
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework_simplejwt.authentication.JWTAuthentication',
),
'DEFAULT_PERMISSION_CLASSES': [
'rest_framework.permissions.IsAuthenticated',
'rest_framework.permissions.IsAdminUser',
],
}
