Django (DRF): How can I apply authentication on this class-based view?
In my Django project I have two User Groups:
- Manager
- Employee
Now I'm trying to build a class-based view that returns all managers. However, it's only supposed to be accessible to managers. If an employee or an anonymous user attempts to access it, it's supposed to return a 403-HTTP-Status code. I've built the class-based view so far and for simplicity it extends generics.ListAPIView. But I can't find a way to apply the desired authentication.
I have removed the "Can view group" and "Can view user" permissions from the Employee group, so no employee can view the managers. I've tried several permission_classes, but every time I sent a GET-request containing an employee's token via Insomnia, it returned the managers instead of a 403-Status code. Help is greatly appreciated.
Here's the code of the view:
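from django.contrib.auth.models import Group
from rest_framework import generics
from rest_framework.permissions import DjangoModelPermissions

# ManagerSerializer is defined elsewhere in the project.
class ViewManager(generics.ListAPIView):
    permission_classes = [DjangoModelPermissions]
    group = Group.objects.get(name='Manager')
    users = group.user_set.all()
    queryset = users
    serializer_class = ManagerSerializer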
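Added example, not part of the original post: DRF's DjangoModelPermissions requires no model permission for GET requests by default, so removing "Can view" permissions from a group does not block a list view, whereas an explicit group-membership permission class does. IsManager, FakeGroups, fake_request and decisions are names assumed for this sketch, and the fallback base class exists only so the check can run without DRF installed.

```python
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission
except Exception:  # DRF absent or Django unconfigured: fall back so the check still runs
    BasePermission = object


class IsManager(BasePermission):
    """Grant access only to authenticated members of the Manager group."""
    group_name = "Manager"  # group name from the question
    message = "Only managers may list managers."  # 403 detail text (constructed)

    def has_permission(self, request, view):
        user = getattr(request, "user", None)
        if user is None or not user.is_authenticated:
            return False  # anonymous: denied before any group lookup
        return user.groups.filter(name=self.group_name).exists()


# Wiring in the view (needs a configured project; User = get_user_model() is assumed):
#   class ViewManager(generics.ListAPIView):
#       permission_classes = [IsManager]
#       def get_queryset(self): return User.objects.filter(groups__name="Manager")


class FakeGroups:
    """Constructed stand-in for the user.groups related manager."""
    def __init__(self, *names):
        self.names = set(names)
    def filter(self, name):
        return FakeGroups(*(self.names & {name}))
    def exists(self):
        return bool(self.names)


def fake_request(authenticated, *groups):
    user = SimpleNamespace(is_authenticated=authenticated, groups=FakeGroups(*groups))
    return SimpleNamespace(user=user)


def decisions():
    check = IsManager().has_permission
    return {
        "manager": check(fake_request(True, "Manager"), None),
        "employee": check(fake_request(True, "Employee"), None),
        "anonymous": check(fake_request(False), None),
    }
```

With TokenAuthentication, an anonymous request is answered with 401 rather than 403, because that authentication class supplies a WWW-Authenticate header.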