Django REST Framework Authentication and Permissions Part 1


In order to complete this tutorial you need to have completed the previous tutorial: Django Rest Framework Tutorial Part 4 Mixins.


After completing this tutorial you will know how to use authentication and permissions so that users can access your data through the Django Rest Framework.


You will need to include an additional field in the DataRow class in Add the following into the DataRow object.

owner = models.ForeignKey('auth.User', on_delete=models.CASCADE, related_name='datarow', null=True)

After this you will need to run python manage.py makemigrations data_entry, but before doing so you will need to drop all the tables in your database. This can be done by simply running drop table <table1>,<table2>,.... ;. Alternatively you can remove the docker-machine and build a fresh one from scratch. I will leave this step for the user to decide.

Next we will need to test our API using different users. Make two users using python manage.py createsuperuser. For the rest of the tutorial I will refer to these users as user1 and user2.

New serializers to represent the Users will be required. In the file add the following code:

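from django.contrib.auth.models import User
from rest_framework import serializers

# DataRow is the model from the earlier parts of this series and must
# already be imported in this file.


class DataRowSerializers(serializers.ModelSerializer):
    # Read-only: the API shows the owner's username but never accepts it as input.
    owner = serializers.ReadOnlyField(source='owner.username')

    class Meta:
        model = DataRow
        fields = ('id', 'date', 'gender', 'favorite_number', 'owner')


class UserSerializer(serializers.ModelSerializer):
    # Primary keys of the DataRow objects owned by this user
    # (the reverse side of related_name='datarow').
    datarow = serializers.PrimaryKeyRelatedField(many=True, queryset=DataRow.objects.all())

    class Meta:
        model = User
        fields = ('id', 'username', 'datarow')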

We need to adjust the DataRowSerializer as there is now a foreign key mapping to the auth.User class. This is required in order for the form that we have created throughout this tutorial to work. The default behaviour of the form is that the foreign key value will be null (no user created it).

Next we will need to make the views in order to handle the API endpoints for the users. Add the following code into your

from rest_framework import generics
from django.contrib.auth.models import User
from .serializers import UserSerializer


# Read-only endpoint: lists every user.
class UserList(generics.ListAPIView):
    queryset = User.objects.all()
    serializer_class = UserSerializer


# Read-only endpoint: returns a single user looked up by primary key.
class UserDetail(generics.RetrieveAPIView):
    queryset = User.objects.all()
    serializer_class = UserSerializer

The app needs to know which URL path will be directed to these new views. Add the following lines into the root conf file.

    url(r'^users/$', views.UserList.as_view()),
    url(r'^users/(?P<pk>[0-9]+)/$', views.UserDetail.as_view()),

You can check that the API endpoints for the users work by testing them with curl:

curl [docker-machine ip]:8000/users/
# [{"id":1,"username":"user1","datarow":[]},{"id":2,"username":"user2","datarow":[]}]

You will notice that the datarow key has an empty list. This is because no DataRow objects have been mapped to any of the users yet.


You should now know how to add a user and create API endpoints for the new user object. In the next tutorial I will go over how to restrict access to the API endpoints and limit who can create new DataRow objects.
