diff options
| author | Tom Christie | 2014-12-18 11:21:25 +0000 |
|---|---|---|
| committer | Tom Christie | 2014-12-18 11:21:25 +0000 |
| commit | c8d88c8c8a594e3b66547a34462db4766292ea9e (patch) | |
| tree | 09d1e53c9c019501b85ff8892dca4177c95a6e0b /docs/api-guide/permissions.md | |
| parent | 47fe6977077ae33dfe2f8b6d04d81083b9b9f4d7 (diff) | |
| parent | d8803a35bd2dc8cbf4c892f68b48c72f24e83916 (diff) | |
| download | django-rest-framework-c8d88c8c8a594e3b66547a34462db4766292ea9e.tar.bz2 | |
Merge branch 'master' into version-3.1
Diffstat (limited to 'docs/api-guide/permissions.md')
| -rw-r--r-- | docs/api-guide/permissions.md | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/docs/api-guide/permissions.md b/docs/api-guide/permissions.md index 6d86b72c..8731cab0 100644 --- a/docs/api-guide/permissions.md +++ b/docs/api-guide/permissions.md @@ -10,12 +10,24 @@ Together with [authentication] and [throttling], permissions determine whether a Permission checks are always run at the very start of the view, before any other code is allowed to proceed. Permission checks will typically use the authentication information in the `request.user` and `request.auth` properties to determine if the incoming request should be permitted. +Permissions are used to grant or deny access different classes of users to different parts of the API. + +The simplest style of permission would be to allow access to any authenticated user, and deny access to any unauthenticated user. This corresponds the `IsAuthenticated` class in REST framework. + +A slightly less strict style of permission would be to allow full access to authenticated users, but allow read-only access to unauthenticated users. This corresponds to the `IsAuthenticatedOrReadOnly` class in REST framework. + ## How permissions are determined Permissions in REST framework are always defined as a list of permission classes. Before running the main body of the view each permission in the list is checked. -If any permission check fails an `exceptions.PermissionDenied` exception will be raised, and the main body of the view will not run. +If any permission check fails an `exceptions.PermissionDenied` or `exceptions.NotAuthenticated` exception will be raised, and the main body of the view will not run. + +When the permissions checks fail either a "403 Forbidden" or a "401 Unauthorized" response will be returned, according to the following rules: + +* The request was successfully authenticated, but permission was denied. *— An HTTP 403 Forbidden response will be returned.* +* The request was not successfully authenticated, and the highest priority authentication class *does not* use `WWW-Authenticate` headers. *— An HTTP 403 Forbidden response will be returned.* +* The request was not successfully authenticated, and the highest priority authentication class *does* use `WWW-Authenticate` headers. *— An HTTP 401 Unauthorized response, with an appropriate `WWW-Authenticate` header will be returned.* ## Object level permissions |