Using a permission class on a detail route
Update-1
From DRF 3.8 onwards, detail_route
decorator has replaced with action
decorator.
class EventViewSet(viewsets.ModelViewSet):
@action(permission_classes=[permissions.PermissionClass_], methods=['post'])
def messages(self, request, pk=None):
# your view code
Original post
You can add permissions basically by doing this:
class EventViewSet(viewsets.ModelViewSet):
@detail_route(
permission_classes=[
permissions.PermissionClass_],
methods=['post'])
def messages(self, request, pk=None):
### Check a permissions class.
...
If you have a problem with permissions_classes in your custom actions in the ViewSet, try to use this decorator on your action. Probably the newest Django Rest Framework is not looking at permissions. Solution for this situation is to check it by yourself at the beggining of every custom action or to use following decorator:
def check_permissions(fun):
def ref(self, request, pk=None):
obj = get_object_or_404(self.get_queryset(), pk=pk)
self.check_object_permissions(self.request, obj)
return fun(self, request, pk)
return ref