django-rest-framework/api-guide/permissions.html

<!DOCTYPE html>
<html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta charset="utf-8">
    <title>Django REST framework</title>
    <link href="http://tomchristie.github.com/django-rest-framework/img/favicon.ico" rel="icon" type="image/x-icon">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="">
    <meta name="author" content="">

    <!-- Le styles -->
    <link href="http://tomchristie.github.com/django-rest-framework/css/prettify.css" rel="stylesheet">
    <link href="http://tomchristie.github.com/django-rest-framework/css/bootstrap.css" rel="stylesheet">
    <link href="http://tomchristie.github.com/django-rest-framework/css/bootstrap-responsive.css" rel="stylesheet">
    <link href="http://tomchristie.github.com/django-rest-framework/css/default.css" rel="stylesheet">

    <!-- Le HTML5 shim, for IE6-8 support of HTML5 elements -->
    <!--[if lt IE 9]>
      <script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
    <![endif]-->
  <body onload="prettyPrint()" class="permissions-page">

  <div class="wrapper">

    <div class="navbar navbar-inverse navbar-fixed-top">
      <div class="navbar-inner">
        <div class="container-fluid">
            <a class="repo-link btn btn-primary btn-small" href="https://github.com/tomchristie/django-rest-framework/tree/restframework2">GitHub</a>
          <a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
          </a>
          <a class="brand" href="http://tomchristie.github.com/django-rest-framework">Django REST framework</a>
          <div class="nav-collapse collapse">
            <ul class="nav">
              <li><a href="http://tomchristie.github.com/django-rest-framework">Home</a></li>
              <li class="dropdown">
                <a href="#" class="dropdown-toggle" data-toggle="dropdown">Tutorial <b class="caret"></b></a>
                <ul class="dropdown-menu">
                  <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/quickstart">Quickstart</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/1-serialization">1 - Serialization</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/2-requests-and-responses">2 - Requests and responses</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/3-class-based-views">3 - Class based views</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/4-authentication-permissions-and-throttling">4 - Authentication, permissions and throttling</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/5-relationships-and-hyperlinked-apis">5 - Relationships and hyperlinked APIs</a></li>
                  <!-- <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/6-resource-orientated-projects">6 - Resource orientated projects</a></li> -->
                </ul>
              </li>
              <li class="dropdown">
                <a href="#" class="dropdown-toggle" data-toggle="dropdown">API Guide <b class="caret"></b></a>
                <ul class="dropdown-menu">
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/requests">Requests</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/responses">Responses</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/views">Views</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/generic-views">Generic views</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/parsers">Parsers</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/renderers">Renderers</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/serializers">Serializers</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/fields">Serializer fields</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/authentication">Authentication</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/permissions">Permissions</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/throttling">Throttling</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/pagination">Pagination</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/content-negotiation">Content negotiation</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/format-suffixes">Format suffixes</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/reverse">Returning URLs</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/exceptions">Exceptions</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/status-codes">Status codes</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/settings">Settings</a></li>
                </ul>
              </li>
              <li class="dropdown">
                <a href="#" class="dropdown-toggle" data-toggle="dropdown">Topics <b class="caret"></b></a>
                <ul class="dropdown-menu">
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/csrf">Working with AJAX and CSRF</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/browser-enhancements">Browser enhancements</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/browsable-api">The Browsable API</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/rest-hypermedia-hateoas">REST, Hypermedia & HATEOAS</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/contributing">Contributing to REST framework</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/migration">2.0 Migration Guide</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/release-notes">Release Notes</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/credits">Credits</a></li>
                </ul>
              </li>
            </ul>
            <ul class="nav pull-right">
              <!-- TODO
              <li class="dropdown">
                <a href="#" class="dropdown-toggle" data-toggle="dropdown">Version: 2.0.0 <b class="caret"></b></a>
                <ul class="dropdown-menu">
                  <li><a href="#">Trunk</a></li>
                  <li><a href="#">2.0.0</a></li>
                </ul>
              </li>
            -->
            </ul>
          </div><!--/.nav-collapse -->
        </div>
      </div>
    </div>

    <div class="body-content">
      <div class="container-fluid">
        <div class="row-fluid">

          <div class="span3">
            <!-- TODO
            <p style="margin-top: -12px">
              <a class="btn btn-mini btn-primary" style="width: 60px">&laquo; previous</a>
              <a class="btn btn-mini btn-primary" style="float: right; margin-right: 8px; width: 60px;">next &raquo;</a>
            </p>
          -->
            <div id="table-of-contents">
              <ul class="nav nav-list side-nav well sidebar-nav-fixed">
                <li class="main"><a href="#permissions">Permissions</a></li>
<li><a href="#how-permissions-are-determined">How permissions are determined</a></li>
<li><a href="#object-level-permissions">Object level permissions</a></li>
<li><a href="#setting-the-permission-policy">Setting the permission policy</a></li>
<li class="main"><a href="#api-reference">API Reference</a></li>
<li><a href="#isauthenticated">IsAuthenticated</a></li>
<li><a href="#isadminuser">IsAdminUser</a></li>
<li><a href="#isauthenticatedorreadonly">IsAuthenticatedOrReadOnly</a></li>
<li><a href="#djangomodelpermissions">DjangoModelPermissions</a></li>
<li class="main"><a href="#custom-permissions">Custom permissions</a></li>

              </ul>
            </div>
          </div>

          <div id="main-content" class="span9">
            <p><a class="github" href="https://github.com/tomchristie/django-rest-framework/blob/restframework2/rest_framework/permissions.py"><span class="label label-info">permissions.py</span></a></p>
<h1 id="permissions">Permissions</h1>
<blockquote>
<p>Authentication or identification by itself is not usually sufficient to gain access to information or code. For that, the entity requesting access must have authorization.</p>
<p>&mdash; <a href="https://developer.apple.com/library/mac/#documentation/security/Conceptual/AuthenticationAndAuthorizationGuide/Authorization/Authorization.html">Apple Developer Documentation</a></p>
</blockquote>
<p>Together with <a href="authentication">authentication</a> and <a href="throttling">throttling</a>, permissions determine wheter a request should be granted or denied access.</p>
<p>Permission checks are always run at the very start of the view, before any other code is allowed to proceed.  Permission checks will typically use the authentication information in the <code>request.user</code> and <code>request.auth</code> properties to determine if the incoming request should be permitted.</p>
<h2 id="how-permissions-are-determined">How permissions are determined</h2>
<p>Permissions in REST framework are always defined as a list of permission classes.<br />
</p>
<p>Before running the main body of the view each permission in the list is checked.
If any permission check fails an <code>exceptions.PermissionDenied</code> exception will be raised, and the main body of the view will not run.</p>
<h2 id="object-level-permissions">Object level permissions</h2>
<p>REST framework permissions also support object-level permissioning.  Object level permissions are used to determine if a user should be allowed to act on a particular object, which will typically be a model instance.</p>
<p>Object level permissions are run by REST framework's generic views when <code>.get_object()</code> is called.  As with view level permissions, an <code>exceptions.PermissionDenied</code> exception will be raised if the user is not allowed to act on the given object.</p>
<h2 id="setting-the-permission-policy">Setting the permission policy</h2>
<p>The default permission policy may be set globally, using the <code>DEFAULT_PERMISSION_CLASSES</code> setting.  For example.</p>
<pre class="prettyprint lang-py"><code>REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    )
}
</code></pre>
<p>You can also set the authentication policy on a per-view basis, using the <code>APIView</code> class based views.</p>
<pre class="prettyprint lang-py"><code>class ExampleView(APIView):
    permission_classes = (IsAuthenticated,)

    def get(self, request, format=None):
        content = {
            'status': 'request was permitted'
        }
        return Response(content)
</code></pre>
<p>Or, if you're using the <code>@api_view</code> decorator with function based views.</p>
<pre class="prettyprint lang-py"><code>@api_view('GET')
@permission_classes(IsAuthenticated)
def example_view(request, format=None):
    content = {
        'status': 'request was permitted'
    }
    return Response(content)
</code></pre>
<hr />
<h1 id="api-reference">API Reference</h1>
<h2 id="isauthenticated">IsAuthenticated</h2>
<p>The <code>IsAuthenticated</code> permission class will deny permission to any unauthenticated user, and allow permission otherwise.</p>
<p>This permission is suitable if you want your API to only be accessible to registered users.</p>
<h2 id="isadminuser">IsAdminUser</h2>
<p>The <code>IsAdminUser</code> permission class will deny permission to any user, unless <code>user.is_staff</code>is <code>True</code> in which case permission will be allowed.</p>
<p>This permission is suitable is you want your API to only be accessible to a subset of trusted administrators.</p>
<h2 id="isauthenticatedorreadonly">IsAuthenticatedOrReadOnly</h2>
<p>The <code>IsAuthenticatedOrReadOnly</code> will allow authenticated users to perform any request.  Requests for unauthorised users will only be permitted if the request method is one of the "safe" methods; <code>GET</code>, <code>HEAD</code> or <code>OPTIONS</code>.</p>
<p>This permission is suitable if you want to your API to allow read permissions to anonymous users, and only allow write permissions to authenticated users.</p>
<h2 id="djangomodelpermissions">DjangoModelPermissions</h2>
<p>This permission class ties into Django's standard <code>django.contrib.auth</code> <a href="https://docs.djangoproject.com/en/1.0/topics/auth/#permissions">model permissions</a>.  When applied to a view that has a <code>.model</code> property, authorization will only be granted if the user has the relevant model permissions assigned.</p>
<ul>
<li><code>POST</code> requests require the user to have the <code>add</code> permission on the model.</li>
<li><code>PUT</code> and <code>PATCH</code> requests require the user to have the <code>change</code> permission on the model.</li>
<li><code>DELETE</code> requests require the user to have the <code>delete</code> permission on the model.</li>
</ul>
<p>The default behaviour can also be overridden to support custom model permissions.  For example, you might want to include a <code>view</code> model permission for <code>GET</code> requests.</p>
<p>To use custom model permissions, override <code>DjangoModelPermissions</code> and set the <code>.perms_map</code> property.  Refer to the source code for details.</p>
<p>The <code>DjangoModelPermissions</code> class also supports object-level permissions.  Third-party authorization backends such as <a href="https://github.com/lukaszb/django-guardian">django-guardian</a> that provide object-level permissions should work just fine with <code>DjangoModelPermissions</code> without any custom configuration required.</p>
<hr />
<h1 id="custom-permissions">Custom permissions</h1>
<p>To implement a custom permission, override <code>BasePermission</code> and implement the <code>.has_permission(self, request, view, obj=None)</code> method.</p>
<p>The method should return <code>True</code> if the request should be granted access, and <code>False</code> otherwise.</p>
          </div><!--/span-->
        </div><!--/row-->
      </div><!--/.fluid-container-->
    </div><!--/.body content-->

      <div id="push"></div>
  </div><!--/.wrapper -->

  <footer class="span12">
    <p>Sponsored by <a href="http://dabapps.com/">DabApps</a>.</a></p>
  </footer>

    <!-- Le javascript
    ================================================== -->
    <!-- Placed at the end of the document so the pages load faster -->
    <script src="http://tomchristie.github.com/django-rest-framework/js/jquery-1.8.1-min.js"></script>
    <script src="http://tomchristie.github.com/django-rest-framework/js/prettify-1.0.js"></script>
    <script src="http://tomchristie.github.com/django-rest-framework/js/bootstrap-2.1.1-min.js"></script>
    <script>
      //$('.side-nav').scrollspy()
      var shiftWindow = function() { scrollBy(0, -50) };
      if (location.hash) shiftWindow();
      window.addEventListener("hashchange", shiftWindow);

      $('.dropdown-menu').on('click touchstart', function(event) {
        event.stopPropagation();
      });
    </script>
</body></html>
First docs build 2012-09-02 00:24:33 +04:00			`<!DOCTYPE html>`
			`<html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">`
			`<meta charset="utf-8">`
			`<title>Django REST framework</title>`
Add favicon 2012-10-05 18:26:53 +04:00			`<link href="http://tomchristie.github.com/django-rest-framework/img/favicon.ico" rel="icon" type="image/x-icon">`
First docs build 2012-09-02 00:24:33 +04:00			`<meta name="viewport" content="width=device-width, initial-scale=1.0">`
			`<meta name="description" content="">`
			`<meta name="author" content="">`

			`<!-- Le styles -->`
Code highlighting 2012-09-08 23:24:07 +04:00			`<link href="http://tomchristie.github.com/django-rest-framework/css/prettify.css" rel="stylesheet">`
Fix base URL 2012-09-02 00:37:41 +04:00			`<link href="http://tomchristie.github.com/django-rest-framework/css/bootstrap.css" rel="stylesheet">`
			`<link href="http://tomchristie.github.com/django-rest-framework/css/bootstrap-responsive.css" rel="stylesheet">`
Latest docs build 2012-09-13 12:40:09 +04:00			`<link href="http://tomchristie.github.com/django-rest-framework/css/default.css" rel="stylesheet">`
First docs build 2012-09-02 00:24:33 +04:00
			`<!-- Le HTML5 shim, for IE6-8 support of HTML5 elements -->`
			`<!--[if lt IE 9]>`
			`<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>`
			`<![endif]-->`
Latest docs build 2012-10-01 19:27:59 +04:00			`<body onload="prettyPrint()" class="permissions-page">`
First docs build 2012-09-02 00:24:33 +04:00
Docs tweaks 2012-10-05 22:27:27 +04:00			`<div class="wrapper">`

First docs build 2012-09-02 00:24:33 +04:00			`<div class="navbar navbar-inverse navbar-fixed-top">`
			`<div class="navbar-inner">`
			`<div class="container-fluid">`
Latest docs build 2012-09-12 16:12:00 +04:00			`<a class="repo-link btn btn-primary btn-small" href="https://github.com/tomchristie/django-rest-framework/tree/restframework2">GitHub</a>`
First docs build 2012-09-02 00:24:33 +04:00			`<a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">`
			`<span class="icon-bar"></span>`
			`<span class="icon-bar"></span>`
			`<span class="icon-bar"></span>`
			`</a>`
Fix base URL 2012-09-02 00:37:41 +04:00			`<a class="brand" href="http://tomchristie.github.com/django-rest-framework">Django REST framework</a>`
First docs build 2012-09-02 00:24:33 +04:00			`<div class="nav-collapse collapse">`
			`<ul class="nav">`
Fix base URL 2012-09-02 00:37:41 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework">Home</a></li>`
First docs build 2012-09-02 00:24:33 +04:00			`<li class="dropdown">`
			`<a href="#" class="dropdown-toggle" data-toggle="dropdown">Tutorial <b class="caret"></b></a>`
			`<ul class="dropdown-menu">`
Added quickstart guide 2012-10-09 15:01:56 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/quickstart">Quickstart</a></li>`
Fix base URL 2012-09-02 00:37:41 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/1-serialization">1 - Serialization</a></li>`
			`<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/2-requests-and-responses">2 - Requests and responses</a></li>`
			`<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/3-class-based-views">3 - Class based views</a></li>`
			`<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/4-authentication-permissions-and-throttling">4 - Authentication, permissions and throttling</a></li>`
			`<li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/5-relationships-and-hyperlinked-apis">5 - Relationships and hyperlinked APIs</a></li>`
Remove 'tut 6 - resources' from the docs, since it doesn't exist yet 2012-10-10 12:36:47 +04:00			`<!-- <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/6-resource-orientated-projects">6 - Resource orientated projects</a></li> -->`
First docs build 2012-09-02 00:24:33 +04:00			`</ul>`
			`</li>`
			`<li class="dropdown">`
			`<a href="#" class="dropdown-toggle" data-toggle="dropdown">API Guide <b class="caret"></b></a>`
			`<ul class="dropdown-menu">`
Fix base URL 2012-09-02 00:37:41 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/requests">Requests</a></li>`
			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/responses">Responses</a></li>`
			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/views">Views</a></li>`
Latest docs build 2012-09-12 13:14:01 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/generic-views">Generic views</a></li>`
Fix base URL 2012-09-02 00:37:41 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/parsers">Parsers</a></li>`
			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/renderers">Renderers</a></li>`
			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/serializers">Serializers</a></li>`
Add serializer fields documentation 2012-10-05 20:10:33 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/fields">Serializer fields</a></li>`
Fix base URL 2012-09-02 00:37:41 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/authentication">Authentication</a></li>`
			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/permissions">Permissions</a></li>`
			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/throttling">Throttling</a></li>`
Latest docs build 2012-10-01 19:27:59 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/pagination">Pagination</a></li>`
Latest docs build 2012-09-12 13:14:01 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/content-negotiation">Content negotiation</a></li>`
			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/format-suffixes">Format suffixes</a></li>`
			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/reverse">Returning URLs</a></li>`
Fix base URL 2012-09-02 00:37:41 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/exceptions">Exceptions</a></li>`
			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/status-codes">Status codes</a></li>`
Latest build 2012-09-05 16:05:36 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/settings">Settings</a></li>`
First docs build 2012-09-02 00:24:33 +04:00			`</ul>`
			`</li>`
			`<li class="dropdown">`
			`<a href="#" class="dropdown-toggle" data-toggle="dropdown">Topics <b class="caret"></b></a>`
			`<ul class="dropdown-menu">`
Fix base URL 2012-09-02 00:37:41 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/topics/csrf">Working with AJAX and CSRF</a></li>`
Improve documentation for requests 2012-10-13 18:09:05 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/topics/browser-enhancements">Browser enhancements</a></li>`
Docs tweaks 2012-10-13 18:35:46 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/topics/browsable-api">The Browsable API</a></li>`
Added migration and change log docs 2012-10-08 15:19:26 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/topics/rest-hypermedia-hateoas">REST, Hypermedia & HATEOAS</a></li>`
Latest build 2012-09-05 16:05:36 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/topics/contributing">Contributing to REST framework</a></li>`
Added migration and change log docs 2012-10-08 15:19:26 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/topics/migration">2.0 Migration Guide</a></li>`
Latest docs build 2012-10-17 16:50:08 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/topics/release-notes">Release Notes</a></li>`
Fix base URL 2012-09-02 00:37:41 +04:00			`<li><a href="http://tomchristie.github.com/django-rest-framework/topics/credits">Credits</a></li>`
First docs build 2012-09-02 00:24:33 +04:00			`</ul>`
			`</li>`
			`</ul>`
			`<ul class="nav pull-right">`
Tweak docs 2012-10-09 17:13:19 +04:00			`<!-- TODO`
Latest build with work from @alecperkins 2012-09-08 11:03:30 +04:00			`<li class="dropdown">`
			`<a href="#" class="dropdown-toggle" data-toggle="dropdown">Version: 2.0.0 <b class="caret"></b></a>`
			`<ul class="dropdown-menu">`
			`<li><a href="#">Trunk</a></li>`
			`<li><a href="#">2.0.0</a></li>`
			`</ul>`
			`</li>`
Tweak docs 2012-10-09 17:13:19 +04:00			`-->`
Latest build with work from @alecperkins 2012-09-08 11:03:30 +04:00			`</ul>`
First docs build 2012-09-02 00:24:33 +04:00			`</div><!--/.nav-collapse -->`
			`</div>`
			`</div>`
			`</div>`

Docs tweaks 2012-10-05 22:27:27 +04:00			`<div class="body-content">`
			`<div class="container-fluid">`
			`<div class="row-fluid">`
DabDocs style 2012-10-05 16:22:18 +04:00
Docs tweaks 2012-10-05 22:27:27 +04:00			`<div class="span3">`
Added migration and change log docs 2012-10-08 15:19:26 +04:00			`<!-- TODO`
			`<p style="margin-top: -12px">`
			`<a class="btn btn-mini btn-primary" style="width: 60px">« previous</a>`
			`<a class="btn btn-mini btn-primary" style="float: right; margin-right: 8px; width: 60px;">next »</a>`
			`</p>`
			`-->`
Docs tweaks 2012-10-05 22:27:27 +04:00			`<div id="table-of-contents">`
			`<ul class="nav nav-list side-nav well sidebar-nav-fixed">`
			`<li class="main"><a href="#permissions">Permissions</a></li>`
Latest docs build 2012-09-12 13:14:01 +04:00			`<li><a href="#how-permissions-are-determined">How permissions are determined</a></li>`
			`<li><a href="#object-level-permissions">Object level permissions</a></li>`
			`<li><a href="#setting-the-permission-policy">Setting the permission policy</a></li>`
Latest docs build 2012-10-17 16:50:08 +04:00			`<li class="main"><a href="#api-reference">API Reference</a></li>`
Latest docs build 2012-09-12 13:14:01 +04:00			`<li><a href="#isauthenticated">IsAuthenticated</a></li>`
			`<li><a href="#isadminuser">IsAdminUser</a></li>`
			`<li><a href="#isauthenticatedorreadonly">IsAuthenticatedOrReadOnly</a></li>`
			`<li><a href="#djangomodelpermissions">DjangoModelPermissions</a></li>`
Latest docs build 2012-10-17 16:50:08 +04:00			`<li class="main"><a href="#custom-permissions">Custom permissions</a></li>`
Add links to source files in docs 2012-09-09 01:06:49 +04:00
Docs tweaks 2012-10-05 22:27:27 +04:00			`</ul>`
			`</div>`
Latest build with work from @alecperkins 2012-09-08 11:03:30 +04:00			`</div>`
First docs build 2012-09-02 00:24:33 +04:00
Docs tweaks 2012-10-05 22:27:27 +04:00			`<div id="main-content" class="span9">`
			`<p><a class="github" href="https://github.com/tomchristie/django-rest-framework/blob/restframework2/rest_framework/permissions.py"><span class="label label-info">permissions.py</span></a></p>`
Add links to source files in docs 2012-09-09 01:06:49 +04:00			`<h1 id="permissions">Permissions</h1>`
Latest docs build 2012-09-12 13:14:01 +04:00			`<blockquote>`
			`<p>Authentication or identification by itself is not usually sufficient to gain access to information or code. For that, the entity requesting access must have authorization.</p>`
			`<p>— <a href="https://developer.apple.com/library/mac/#documentation/security/Conceptual/AuthenticationAndAuthorizationGuide/Authorization/Authorization.html">Apple Developer Documentation</a></p>`
			`</blockquote>`
			`<p>Together with <a href="authentication">authentication</a> and <a href="throttling">throttling</a>, permissions determine wheter a request should be granted or denied access.</p>`
			`<p>Permission checks are always run at the very start of the view, before any other code is allowed to proceed. Permission checks will typically use the authentication information in the <code>request.user</code> and <code>request.auth</code> properties to determine if the incoming request should be permitted.</p>`
			`<h2 id="how-permissions-are-determined">How permissions are determined</h2>`
Latest docs build 2012-09-13 12:40:09 +04:00			`<p>Permissions in REST framework are always defined as a list of permission classes.<br />`
			`</p>`
			`<p>Before running the main body of the view each permission in the list is checked.`
			`If any permission check fails an <code>exceptions.PermissionDenied</code> exception will be raised, and the main body of the view will not run.</p>`
Latest docs build 2012-09-12 13:14:01 +04:00			`<h2 id="object-level-permissions">Object level permissions</h2>`
			`<p>REST framework permissions also support object-level permissioning. Object level permissions are used to determine if a user should be allowed to act on a particular object, which will typically be a model instance.</p>`
			`<p>Object level permissions are run by REST framework's generic views when <code>.get_object()</code> is called. As with view level permissions, an <code>exceptions.PermissionDenied</code> exception will be raised if the user is not allowed to act on the given object.</p>`
			`<h2 id="setting-the-permission-policy">Setting the permission policy</h2>`
Latest docs build 2012-10-19 23:00:35 +04:00			`<p>The default permission policy may be set globally, using the <code>DEFAULT_PERMISSION_CLASSES</code> setting. For example.</p>`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:07:16 +04:00			`<pre class="prettyprint lang-py"><code>REST_FRAMEWORK = {`
Latest docs build 2012-10-19 23:00:35 +04:00			`'DEFAULT_PERMISSION_CLASSES': (`
Change package name: djangorestframework -> rest_framework 2012-09-20 16:07:16 +04:00			`'rest_framework.permissions.IsAuthenticated',`
Latest docs build 2012-09-12 13:14:01 +04:00			`)`
			`}`
			`</code></pre>`
			`<p>You can also set the authentication policy on a per-view basis, using the <code>APIView</code> class based views.</p>`
			`<pre class="prettyprint lang-py"><code>class ExampleView(APIView):`
			`permission_classes = (IsAuthenticated,)`

			`def get(self, request, format=None):`
			`content = {`
			`'status': 'request was permitted'`
			`}`
			`return Response(content)`
			`</code></pre>`
			`<p>Or, if you're using the <code>@api_view</code> decorator with function based views.</p>`
			`<pre class="prettyprint lang-py"><code>@api_view('GET')`
			`@permission_classes(IsAuthenticated)`
			`def example_view(request, format=None):`
			`content = {`
			`'status': 'request was permitted'`
			`}`
			`return Response(content)`
			`</code></pre>`
Latest docs build 2012-10-19 23:00:35 +04:00			`<hr />`
Latest docs build 2012-10-17 16:50:08 +04:00			`<h1 id="api-reference">API Reference</h1>`
Latest docs build 2012-09-12 13:14:01 +04:00			`<h2 id="isauthenticated">IsAuthenticated</h2>`
			`<p>The <code>IsAuthenticated</code> permission class will deny permission to any unauthenticated user, and allow permission otherwise.</p>`
			`<p>This permission is suitable if you want your API to only be accessible to registered users.</p>`
			`<h2 id="isadminuser">IsAdminUser</h2>`
			`<p>The <code>IsAdminUser</code> permission class will deny permission to any user, unless <code>user.is_staff</code>is <code>True</code> in which case permission will be allowed.</p>`
			`<p>This permission is suitable is you want your API to only be accessible to a subset of trusted administrators.</p>`
			`<h2 id="isauthenticatedorreadonly">IsAuthenticatedOrReadOnly</h2>`
			`<p>The <code>IsAuthenticatedOrReadOnly</code> will allow authenticated users to perform any request. Requests for unauthorised users will only be permitted if the request method is one of the "safe" methods; <code>GET</code>, <code>HEAD</code> or <code>OPTIONS</code>.</p>`
			`<p>This permission is suitable if you want to your API to allow read permissions to anonymous users, and only allow write permissions to authenticated users.</p>`
			`<h2 id="djangomodelpermissions">DjangoModelPermissions</h2>`
Latest docs build 2012-09-12 16:12:00 +04:00			`<p>This permission class ties into Django's standard <code>django.contrib.auth</code> <a href="https://docs.djangoproject.com/en/1.0/topics/auth/#permissions">model permissions</a>. When applied to a view that has a <code>.model</code> property, authorization will only be granted if the user has the relevant model permissions assigned.</p>`
			`<ul>`
			`<li><code>POST</code> requests require the user to have the <code>add</code> permission on the model.</li>`
			`<li><code>PUT</code> and <code>PATCH</code> requests require the user to have the <code>change</code> permission on the model.</li>`
			`<li><code>DELETE</code> requests require the user to have the <code>delete</code> permission on the model.</li>`
			`</ul>`
			`<p>The default behaviour can also be overridden to support custom model permissions. For example, you might want to include a <code>view</code> model permission for <code>GET</code> requests.</p>`
			`<p>To use custom model permissions, override <code>DjangoModelPermissions</code> and set the <code>.perms_map</code> property. Refer to the source code for details.</p>`
Latest docs build 2012-09-13 12:40:09 +04:00			`<p>The <code>DjangoModelPermissions</code> class also supports object-level permissions. Third-party authorization backends such as <a href="https://github.com/lukaszb/django-guardian">django-guardian</a> that provide object-level permissions should work just fine with <code>DjangoModelPermissions</code> without any custom configuration required.</p>`
Latest docs build 2012-10-19 23:00:35 +04:00			`<hr />`
Latest docs build 2012-10-17 16:50:08 +04:00			`<h1 id="custom-permissions">Custom permissions</h1>`
Improve documentation for requests 2012-10-13 18:09:05 +04:00			`<p>To implement a custom permission, override <code>BasePermission</code> and implement the <code>.has_permission(self, request, view, obj=None)</code> method.</p>`
Latest docs build 2012-09-12 13:14:01 +04:00			`<p>The method should return <code>True</code> if the request should be granted access, and <code>False</code> otherwise.</p>`
Docs tweaks 2012-10-05 22:27:27 +04:00			`</div><!--/span-->`
			`</div><!--/row-->`
			`</div><!--/.fluid-container-->`
			`</div><!--/.body content-->`
First docs build 2012-09-02 00:24:33 +04:00
Add favicon 2012-10-05 18:26:53 +04:00			`<div id="push"></div>`
Docs tweaks 2012-10-05 22:27:27 +04:00			`</div><!--/.wrapper -->`
Add favicon 2012-10-05 18:26:53 +04:00
Docs tweaks 2012-10-05 22:27:27 +04:00			`<footer class="span12">`
DabApps in footer, not Dab Apps 2012-10-05 22:33:52 +04:00			`<p>Sponsored by <a href="http://dabapps.com/">DabApps</a>.</a></p>`
Docs tweaks 2012-10-05 22:27:27 +04:00			`</footer>`
Add favicon 2012-10-05 18:26:53 +04:00
First docs build 2012-09-02 00:24:33 +04:00			`<!-- Le javascript`
			`================================================== -->`
			`<!-- Placed at the end of the document so the pages load faster -->`
Latest build with work from @alecperkins 2012-09-08 11:03:30 +04:00			`<script src="http://tomchristie.github.com/django-rest-framework/js/jquery-1.8.1-min.js"></script>`
DabDocs style 2012-10-05 16:22:18 +04:00			`<script src="http://tomchristie.github.com/django-rest-framework/js/prettify-1.0.js"></script>`
			`<script src="http://tomchristie.github.com/django-rest-framework/js/bootstrap-2.1.1-min.js"></script>`
First docs build 2012-09-02 00:24:33 +04:00			`<script>`
Latest build with work from @alecperkins 2012-09-08 11:03:30 +04:00			`//$('.side-nav').scrollspy()`
			`var shiftWindow = function() { scrollBy(0, -50) };`
			`if (location.hash) shiftWindow();`
			`window.addEventListener("hashchange", shiftWindow);`
Latest docs build 2012-09-12 13:14:01 +04:00
Fix dropdown menu on iOS 2012-09-17 23:21:26 +04:00			`$('.dropdown-menu').on('click touchstart', function(event) {`
Latest docs build 2012-09-12 13:14:01 +04:00			`event.stopPropagation();`
			`});`
First docs build 2012-09-02 00:24:33 +04:00			`</script>`
Latest docs build 2012-10-01 19:27:59 +04:00			`</body></html>`