I have a viewset
in rest framework that is not behaving like I would expect. If I login with a non-staff user and navigate to the api-url/users I can see all the users listed there.
The IsAuthenticated
permission is working, because if I logout I get an error saying that I am not authenticated.
Am I using these permissions wrong? I have done the tutorial and looked through the docs, but I can't find anything to tell me why this shouldn't work
views:
class UserViewSet(viewsets.ModelViewSet):
"""Viewset for viewing users. Only to be used by admins"""
queryset = LangaLangUserProfile.objects.all()
serializer_class = UserSerializer
filter_backends = (filters.DjangoFilterBackend, )
filter_fields = '__all__'
permissions_classes = (permissions.IsAdminUser, )
class LanguageViewSet(viewsets.ReadOnlyModelViewSet):
"""Viewset for Language objects, use the proper HTTP methods to modify them"""
queryset = Language.objects.all()
serializer_class = LanguageSerializer
filter_backends = (filters.DjangoFilterBackend, )
filter_fields = '__all__'
permissions_classes = (permissions.IsAuthenticated, )
urls:
router = routers.DefaultRouter()
router.register(r'users', views.UserViewSet)
router.register(r'language', views.LanguageViewSet)
serializers:
class UserSerializer(serializers.ModelSerializer):
"""Serializer for User objects"""
class Meta:
model = LangaLangUserProfile
fields = '__all__'
class LanguageSerializer(serializers.ModelSerializer):
"""Serializer for the Language model"""
class Meta:
model = Language
fields = '__all__'
depth = 2