Django DRF login only superuser
I want to implement login with Django drf. I want only superuser (is_staff permission in my user model) to be able to log in. Until now I used rest_framework_simplejwt for generating a token for every user that trying to log in.
How can I implement that only superuser will be able to log in?
Views.py: calling the serializer
class MyTokenObtainPairView(TokenObtainPairView):
serializer_class = MyTokenObtainPairSerializer
Serializer.py:
class MyTokenObtainPairSerializer(TokenObtainPairSerializer):
@classmethod
def get_token(cls, user):
user = CustomUser.objects.get(email=user.email)
print(colored(user, "yellow"))
token = super().get_token(user)
# Add custom claims
token['username'] = user.clinic_name
token['email'] = user.email
# ...
return token
In serializer.py when I'm trying to retrieve user user = CustomUser.objects.get(email=user.email)
I get only the email filed back.
I'm using email to retrieve user because email is a unique field.
urls.py:
urlpatterns = [
path('token/', views.MyTokenObtainPairView.as_view(), name='token_obtain_pair'),
path('token/refresh/', TokenRefreshView.as_view(), name='token_refresh'),
path('register/', views.ClinicRegistration, name='auth_register'),
path('users/', views.ClinicListView.as_view(), name='users_list'),
path('users/<pk>/', views.ClinicDetailView.as_view(), name='get_user'),
path('users/<pk>/update/', views.ClinicUpdate, name='update_user'),
path('users/<pk>/delete/', views.ClinicDeleteView.as_view(), name='delete_user'),
path('', views.getRoutes),
path('test/', views.testEndPoint, name='test')
]
In the frontend I'm using react I make an Axios.post request with the: username, password, and email fields.
This is my CustomUserModel:
class CustomUser(AbstractBaseUser, PermissionsMixin):
username = None
email = models.EmailField(_('email address'), unique=True)
clinic_name = models.CharField(max_length=150, blank=True)
is_staff = models.BooleanField(default=False)
is_active = models.BooleanField(default=True)
date_joined = models.DateTimeField(default=timezone.now)
fb_projectId = models.CharField(max_length=150, blank=True)
fb_databaseURL = models.CharField(max_length=150, blank=True)
fb_storageBucket = models.CharField(max_length=150, blank=True)
fb_locationId = models.CharField(max_length=150, blank=True)
accounts = models.BooleanField(default=True)
dashboard = models.BooleanField(default=True)
measurements = models.BooleanField(default=False)
medications = models.BooleanField(default=False)
questionnaire = models.BooleanField(default=False)
chat = models.BooleanField(default=False)
objects = CustomUserManager()
USERNAME_FIELD = 'email'
REQUIRED_FIELDS = ['clinic_name']
def __str__(self):
return self.email
The react API call:
const loginUser = async (username, password) => {
return appAxios
.post(`token/`, {
username,
password,
email: username,
})
.then((res) => {
setAuthTokens(res.data);
setUser(jwt_decode(res.data.access));
setApiErrors("");
localStorage.setItem("authTokens", JSON.stringify(res.data));
history.push("/");
})
.catch((err) => {
setApiErrors(err.response.data.detail);
history.push("/login");
});
};
Why you don't use default documentation? https://www.django-rest-framework.org/tutorial/4-authentication-and-permissions/#adding-required-permissions-to-views
in your case:
class MyOnlyForAdminView(drf.generics.APIView):
... # any view staff before
permission_classes = [drf.permissions.IsAdminUser]
... # any view staff after