I have a viewset in rest framework that is not behaving like I would expect. If I log in with a non-staff user and navigate to the api-url/users I can see all the users listed there.
The IsAuthenticated permission is working, because if I log out I get an error saying that I am not authenticated.
Am I using these permissions wrong? I have done the tutorial and looked through the docs, but I can't find anything to tell me why this shouldn't work.
views:

    class UserViewSet(viewsets.ModelViewSet):
        """Viewset for viewing users. Only to be used by admins"""
        queryset = LangaLangUserProfile.objects.all()
        serializer_class = UserSerializer
        filter_backends = (filters.DjangoFilterBackend, )
        filter_fields = '__all__'
        permissions_classes = (permissions.IsAdminUser, )

    class LanguageViewSet(viewsets.ReadOnlyModelViewSet):
        """Viewset for Language objects, use the proper HTTP methods to modify them"""
        queryset = Language.objects.all()
        serializer_class = LanguageSerializer
        filter_backends = (filters.DjangoFilterBackend, )
        filter_fields = '__all__'
        permissions_classes = (permissions.IsAuthenticated, )

urls:

    router = routers.DefaultRouter()
    router.register(r'users', views.UserViewSet)
    router.register(r'language', views.LanguageViewSet)

serializers:

    class UserSerializer(serializers.ModelSerializer):
        """Serializer for User objects"""
        class Meta:
            model = LangaLangUserProfile
            fields = '__all__'

    class LanguageSerializer(serializers.ModelSerializer):
        """Serializer for the Language model"""
        class Meta:
            model = Language
            fields = '__all__'
            depth = 2

Typo! It's permission_classes, not permissions_classes.

About this part:

I'm not sure why this is happening but I'd blame DEFAULT_PERMISSION_CLASSES in your Django settings - maybe you have IsAuthenticated specified there?
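
A misspelled attribute such as permissions_classes is an ordinary, unused class attribute, so the view silently runs with whatever DEFAULT_PERMISSION_CLASSES provides. The check below is an added example, not code from the question or the answer, and could run in CI to flag near-miss spellings before they ship. The function name, the attribute list, the cutoff and the FixedUserViewSet sample class are assumptions made for illustration.

```python
import ast
import difflib

# Class attributes that DRF views read; a near-miss spelling is silently ignored.
KNOWN_ATTRS = (
    "permission_classes", "authentication_classes", "throttle_classes",
    "serializer_class", "filter_backends", "pagination_class",
    "queryset", "lookup_field",
)

def find_misspelled_attrs(source, cutoff=0.85):
    """Return (class, line, found, suggestion) for class-level assignments
    whose name is close to, but not exactly, a known DRF attribute."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ClassDef):
            continue
        for stmt in node.body:
            if isinstance(stmt, ast.Assign):
                targets = stmt.targets
            elif isinstance(stmt, ast.AnnAssign):
                targets = [stmt.target]
            else:
                continue
            for target in targets:
                if not isinstance(target, ast.Name) or target.id in KNOWN_ATTRS:
                    continue
                close = difflib.get_close_matches(
                    target.id, KNOWN_ATTRS, n=1, cutoff=cutoff)
                if close:
                    findings.append(
                        (node.name, stmt.lineno, target.id, close[0]))
    return findings

# Constructed sample: the view from the question next to a corrected copy.
SAMPLE_VIEWS = """
class UserViewSet(viewsets.ModelViewSet):
    queryset = LangaLangUserProfile.objects.all()
    serializer_class = UserSerializer
    filter_fields = '__all__'
    permissions_classes = (permissions.IsAdminUser, )

class FixedUserViewSet(viewsets.ModelViewSet):
    queryset = LangaLangUserProfile.objects.all()
    serializer_class = UserSerializer
    permission_classes = (permissions.IsAdminUser, )
"""

if __name__ == "__main__":
    for cls, line, found, wanted in find_misspelled_attrs(SAMPLE_VIEWS):
        print(f"line {line}: {cls}.{found} looks like a typo for {wanted}")
```

The source is only parsed, never imported, so the check works on a views module without Django or DRF installed.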