path: root/docs/api-guide/permissions.md
author Tom Christie 2013-01-15 17:53:24 +0000
committer Tom Christie 2013-01-15 17:53:24 +0000
commit 71e55cc4f6300959398f7aef4a8d91b6a6a2af57
tree 68c2080034263d897741da33cbc5e09746006257 /docs/api-guide/permissions.md
parent 52847a215d4e8de88e81d9ae79ce8bee9a36a9a2
parent e1076cfb49b6293aa837cf7bdb4c11988892c598
Merge with latest master
Diffstat (limited to 'docs/api-guide/permissions.md')
-rw-r--r-- docs/api-guide/permissions.md 16
1 files changed, 14 insertions, 2 deletions
diff --git a/docs/api-guide/permissions.md b/docs/api-guide/permissions.md
index 0b7b32e9..fce68f6d 100644
--- a/docs/api-guide/permissions.md
+++ b/docs/api-guide/permissions.md
@@ -33,6 +33,12 @@ The default permission policy may be set globally, using the `DEFAULT_PERMISSION
)
}
+If not specified, this setting defaults to allowing unrestricted access:
+
+ 'DEFAULT_PERMISSION_CLASSES': (
+ 'rest_framework.permissions.AllowAny',
+ )
+
You can also set the authentication policy on a per-view basis, using the `APIView` class based views.
class ExampleView(APIView):
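Review bot: The added sentence documents a fail-open default (`AllowAny` when `DEFAULT_PERMISSION_CLASSES` is not set) but stops there; a reader who never touches the setting ends up with an API open to unauthenticated requests. Suggest following the example with one sentence telling readers to set the policy explicitly for anything that should not be public, for instance by pointing back at the `IsAuthenticated` example just above. Separately, the context line after the new block still reads "set the authentication policy on a per-view basis" in a document about permissions; that looks like it should be "permission policy" to match the hunk header text.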
@@ -47,7 +53,7 @@ You can also set the authentication policy on a per-view basis, using the `APIVi
Or, if you're using the `@api_view` decorator with function based views.
@api_view('GET')
- @permission_classes(IsAuthenticated)
+ @permission_classes((IsAuthenticated, ))
def example_view(request, format=None):
content = {
'status': 'request was permitted'
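Review bot: The change from `@permission_classes(IsAuthenticated)` to `@permission_classes((IsAuthenticated, ))` is made without any prose saying that the decorator expects a tuple or list, so readers who copied the earlier form get no hint about why it changed or what happens if they pass a bare class. Suggest adding a short sentence before the example stating the expected argument type. It is also worth checking whether `@api_view('GET')` on the line above should be written as a sequence for the same reason, so the two decorators in the example are consistent.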
@@ -58,6 +64,12 @@ Or, if you're using the `@api_view` decorator with function based views.
# API Reference
+## AllowAny
+
+The `AllowAny` permission class will allow unrestricted access, **regardless of if the request was authenticated or unauthenticated**.
+
+This permission is not strictly required, since you can achieve the same result by using an empty list or tuple for the permissions setting, but you may find it useful to specify this class because it makes the intention explicit.
+
## IsAuthenticated
The `IsAuthenticated` permission class will deny permission to any unauthenticated user, and allow permission otherwise.
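Review bot: The second paragraph of the new `AllowAny` section says an empty list or tuple gives the same unrestricted result, which is easy to misread: an empty permissions setting can look like "no one is permitted" rather than "everyone is permitted". Suggest stating that outright, for example "an empty list or tuple applies no permission checks, so all requests are allowed", and recommending `AllowAny` over the empty form for that reason. Minor wording: "regardless of if the request was authenticated" would read better as "regardless of whether the request was authenticated".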
@@ -66,7 +78,7 @@ This permission is suitable if you want your API to only be accessible to regist
## IsAdminUser
-The `IsAdminUser` permission class will deny permission to any user, unless `user.is_staff`is `True` in which case permission will be allowed.
+The `IsAdminUser` permission class will deny permission to any user, unless `user.is_staff` is `True` in which case permission will be allowed.
This permission is suitable is you want your API to only be accessible to a subset of trusted administrators.
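Review bot: The spacing fix after `user.is_staff` is fine, but the context line directly below still has a typo: "This permission is suitable is you want" should be "suitable if you want". Since this hunk is already a wording cleanup of the same section, fix it here as well. The changed sentence would also read more clearly with a comma before "in which case".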