Using a permission class on a detail route

Update-1

From DRF 3.8 onwards, detail_route decorator has replaced with action decorator.

class EventViewSet(viewsets.ModelViewSet):
    @action(permission_classes=[permissions.PermissionClass_], methods=['post'])
    def messages(self, request, pk=None):
        # your view code

Original post

You can add permissions basically by doing this:

class EventViewSet(viewsets.ModelViewSet):
    @detail_route(
        permission_classes=[
            permissions.PermissionClass_],
        methods=['post'])
    def messages(self, request, pk=None):
        ### Check a permissions class.
        ...

If you have a problem with permissions_classes in your custom actions in the ViewSet, try to use this decorator on your action. Probably the newest Django Rest Framework is not looking at permissions. Solution for this situation is to check it by yourself at the beggining of every custom action or to use following decorator:

def check_permissions(fun):
    def ref(self, request, pk=None):
        obj = get_object_or_404(self.get_queryset(), pk=pk)
        self.check_object_permissions(self.request, obj)

        return fun(self, request, pk)

    return ref