API restriction to only allow GET methods for token users.

I am curious to know how I can restrict APIs with token authentication so they can only access GET methods of APIs.

Thanks in advance

I’d start with looking at the Custom Permissions section of the Permissions page. One of the examples further down appears to be pretty close to what you’re looking to achieve.

Thank you for the advice.
Now I wrote that custom permission class and I tested it with a single ViewSet.
I need to cover all the APIs of the whole app with this permission class so that every ViewSet allows token users only the GET method.
At this point, my question is whether I have to loop through all ViewSets or APIViews and add the custom permission class one by one, or is there any way that I can apply this custom permission in a single shot with something like middleware or whatever.
I appreciate any advice.

The Permissions page has a section on setting a default permission policy globally. I suspect that’s what you want. If it doesn’t work for you, let me know where it’s falling short.

Yes, I think that’s exactly what I want.
But I noticed that global permissions are not applied to those API views or viewsets which have permission_classes defined.
Is it intended by Django?

Correct. A class-specified setting would override the global setting, not add to it.

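Added example, not part of the thread: a sketch of the custom permission and global default discussed above, plus a check for views whose own permission_classes drop the restriction. The names TokenReadOnly, myapp.permissions, views_missing and the sample views are assumptions, and the fallback BasePermission exists only so the block runs without Django REST framework installed.

```python
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission
except ImportError:
    # Stand-in (assumption) so the sketch runs without DRF installed.
    class BasePermission:
        def has_permission(self, request, view):
            return True


class TokenReadOnly(BasePermission):
    """Hypothetical name: token-authenticated requests may only use GET."""

    # DRF's SAFE_METHODS would also admit HEAD and OPTIONS.
    allowed_for_tokens = ("GET",)

    def has_permission(self, request, view):
        # TokenAuthentication sets request.auth to the token;
        # SessionAuthentication leaves it as None.
        if getattr(request, "auth", None) is None:
            return True
        return request.method in self.allowed_for_tokens


# settings.py: used by every view that does not set permission_classes itself.
REST_FRAMEWORK = {
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAuthenticated",
        "myapp.permissions.TokenReadOnly",  # hypothetical module path
    ],
}


def views_missing(required, view_classes):
    """Return names of views whose permission_classes omit `required`."""
    return [v.__name__ for v in view_classes
            if required not in getattr(v, "permission_classes", ())]


# Constructed sample views: one keeps the restriction, one overrides it away.
class ReportView:
    permission_classes = [TokenReadOnly]

class UploadView:
    permission_classes = []  # a class-level list replaces the global default

def check(method, auth):
    request = SimpleNamespace(method=method, auth=auth)
    return TokenReadOnly().has_permission(request, None)
```

Running views_missing over the project's view classes in a test makes an override that silently drops the restriction fail the build instead of reaching production.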