Django Rest Framework ListAPIView user permissions - Can't seem to get them working
I have a Django project with DjangoRestFramework. I have a simple view, Facility, which is a ListAPIView. Permissions were generated for add, change, delete and view. I have created a new user and have assigned him no permissions. Yet he is able to call GET on facility.
```python
from rest_framework.generics import ListAPIView
from rest_framework.permissions import DjangoModelPermissions, IsAuthenticated
from rest_framework.response import Response

# Module paths for the model and serializer are not shown in the post; assumed here.
from .models import Facility
from .serializers import FacilitySerializer


class FacilityListView(ListAPIView):
    queryset = Facility.objects.all()
    serializer_class = FacilitySerializer
    permission_classes = [IsAuthenticated, DjangoModelPermissions]

    def get(self, request):
        # APIView.initial() already runs check_permissions() before the
        # handler is invoked; this call simply repeats that check explicitly.
        self.check_permissions(request)
        facilities = Facility.objects.all()
        serializer = FacilitySerializer(facilities, many=True)
        return Response(serializer.data)
```
If I test user permissions, I get an empty list.
```python
perms = list(user.get_all_permissions())
```
If I check whether the permission exists, I get the Facility model as a result.
```python
from django.contrib.auth.models import Permission

a = Permission.objects.get(codename='view_facility')
```
However, if I check which permissions are required for Facility, I also get an empty list.
```python
from rest_framework.permissions import DjangoModelPermissions

perm = DjangoModelPermissions()  # instance not shown in the original snippet; assumed here
p = perm.get_required_permissions('GET', Facility)
```
The model is as basic as it can be:
```python
from django.db import models


class Facility(models.Model):
    name = models.CharField(max_length=200)
    created_at = models.DateTimeField(auto_now_add=True)

    def __str__(self):
        return self.name
```
This is what it says in my settings, and I have no custom permissions classes or anything.
```python
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'API.authentication.JWTAuthenticationFromCookie',
    ),
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',
        'rest_framework.permissions.DjangoModelPermissions',
    ],
}
```
Unfortunately, I have not been able to find an answer to my problem. If anyone has any idea, that would be greatly appreciated!
EDIT: Importantly, POST is actually forbidden. GET is not.
Django Rest Framework use DjangoModelPermissions on ListAPIView
That's where the answer was, but I did not recognize it at first. So basically, DjangoModelPermissions does not check view_model, and simply allows all GET, OPTIONS and HEAD requests, regardless of permissions.
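The usual fix is to subclass `DjangoModelPermissions` and override `perms_map` so that read methods also require the Django `view_<model>` permission. The following is an added example, not code from the original post or from Django REST Framework itself: it puts the legacy map described in the answer above beside a hardened map, and checks both through the same `get_required_permissions` lookup DRF uses. It assumes the app label is `API` (as in the settings above), models users as sets of `app_label.codename` strings, and uses a `Facility` stand-in that exposes only the `_meta` attributes DRF reads; the `try/except` lets the file run without DRF installed, and the real class is used when it is present. Before adding the subclass, look at `DjangoModelPermissions.perms_map` in the DRF version you actually run, since newer releases may already map GET and HEAD to the view permission.

```python
# Added example (not from the original post or from DRF): a DjangoModelPermissions
# subclass that also requires view_<model> on read requests, alongside the
# legacy map so the difference is observable.
#
# Assumptions (not in the original post): app label "API", users represented
# as sets of "app_label.codename" strings, Facility reduced to a _meta stand-in.
try:
    from rest_framework.permissions import DjangoModelPermissions
except ImportError:
    class DjangoModelPermissions:
        """Stand-in mirroring DRF's perms_map lookup so this file runs without DRF."""
        perms_map = {}

        def get_required_permissions(self, method, model_cls):
            kwargs = {
                'app_label': model_cls._meta.app_label,
                'model_name': model_cls._meta.model_name,
            }
            if method not in self.perms_map:
                raise ValueError(method)  # DRF raises MethodNotAllowed here
            return [perm % kwargs for perm in self.perms_map[method]]


# perms_map as shipped in the DRF release the question describes: read
# methods map to no permission at all, so any authenticated user passes.
LEGACY_PERMS_MAP = {
    'GET': [],
    'OPTIONS': [],
    'HEAD': [],
    'POST': ['%(app_label)s.add_%(model_name)s'],
    'PUT': ['%(app_label)s.change_%(model_name)s'],
    'PATCH': ['%(app_label)s.change_%(model_name)s'],
    'DELETE': ['%(app_label)s.delete_%(model_name)s'],
}

# Hardened map: GET and HEAD now require view_<model>. OPTIONS stays open
# because it only returns metadata and the browsable API depends on it.
STRICT_PERMS_MAP = {
    **LEGACY_PERMS_MAP,
    'GET': ['%(app_label)s.view_%(model_name)s'],
    'HEAD': ['%(app_label)s.view_%(model_name)s'],
}


class LegacyModelPermissions(DjangoModelPermissions):
    """Pinned to the legacy map so the comparison does not depend on the DRF version."""
    perms_map = LEGACY_PERMS_MAP


class StrictModelPermissions(DjangoModelPermissions):
    """Drop-in for DjangoModelPermissions that also enforces view_<model>."""
    perms_map = STRICT_PERMS_MAP


class Facility:
    """Constructed stand-in for the question's model; only _meta is needed here."""
    class _meta:
        app_label = 'API'
        model_name = 'facility'


def required_permissions(method, model_cls, permission_class=StrictModelPermissions):
    """Codenames a request with this method needs, e.g. ['API.view_facility']."""
    return permission_class().get_required_permissions(method, model_cls)


def user_may(user_perms, method, model_cls, permission_class=StrictModelPermissions):
    """Same rule as user.has_perms(): every required codename must be held."""
    required = required_permissions(method, model_cls, permission_class)
    return all(perm in user_perms for perm in required)


if __name__ == '__main__':
    nobody = set()                  # the freshly created user with no permissions
    viewer = {'API.view_facility'}  # a user granted only the view permission
    for label, cls in (('legacy', LegacyModelPermissions), ('strict', StrictModelPermissions)):
        print(label, 'GET needs', required_permissions('GET', Facility, cls),
              '| no-perm user allowed:', user_may(nobody, 'GET', Facility, cls),
              '| viewer allowed:', user_may(viewer, 'GET', Facility, cls))
```

To apply it to the view in the question, replace `DjangoModelPermissions` with `StrictModelPermissions` in `permission_classes` (or in `DEFAULT_PERMISSION_CLASSES`); DRF's `has_permission` still rejects unauthenticated users and still derives the model from the view's `queryset`, so nothing else changes.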