Add authentication and permissions

Author: rgs258

drf_endpoint_examples/settings.py

@@ -39,6 +39,7 @@
     "django.contrib.staticfiles",
     "endpoints",
     "rest_framework",
+    "rest_framework.authtoken",
     "drf_api_logger",
 ]
 

endpoints/admin.py

@@ -1,6 +1,9 @@
 # Register your models here.
 
 from django.contrib import admin
+from django.utils.safestring import mark_safe
+from rest_framework.authtoken.admin import TokenAdmin
+from rest_framework.authtoken.models import TokenProxy
 
 from .models import Customer, Product, Order, Address, Review
 
@@ -9,3 +12,41 @@
 admin.site.register(Order)
 admin.site.register(Address)
 admin.site.register(Review)
+
+
+class ExtendedTokenAdmin(TokenAdmin):
+    readonly_fields = ("created",)
+    list_display = ("key", "user", "created")
+    fields = None
+    fieldsets = (
+        (
+            None,
+            {
+                "fields": ("key", "user", "created"),
+                "description": mark_safe(
+                    "There is no Change permission; please instead delete, and then "
+                    "re-add, the `Token`."
+                ),
+            },
+        ),
+    )
+
+    def get_form(self, request, obj=None, change=False, **kwargs):
+        form = super().get_form(request, obj, change, **kwargs)
+        if form.base_fields.get("key", None):
+            form.base_fields["key"].initial = TokenProxy.generate_key()
+        return form
+
+    def has_change_permission(self, request, obj=None):
+        return False
+
+    def has_add_permission(self, request, obj=None):
+        return request.user.is_superuser
+
+    def has_delete_permission(self, request, obj=None):
+        return request.user.is_superuser
+
+
+# unregister and register again
+admin.site.unregister(TokenProxy)
+admin.site.register(TokenProxy, ExtendedTokenAdmin)

endpoints/viewsets.py

@@ -1,5 +1,8 @@
 from rest_framework import viewsets
+from rest_framework.authentication import TokenAuthentication
+from rest_framework.settings import api_settings
 
+from drf_endpoint_examples.drf import ObjectIsAdminUser, AllVerbDjangoModelPermissions
 from drf_endpoint_examples.openapi import ChoicesAutoSchema
 from endpoints.models import Customer, Product, Order, Address, Review
 from endpoints.serializers import (
@@ -10,32 +13,48 @@
     ReviewSerializer,
 )
 
+PERMISSION_CLASSES = [ObjectIsAdminUser | AllVerbDjangoModelPermissions]
+AUTHENTICATION_CLASSES = [
+    *api_settings.DEFAULT_AUTHENTICATION_CLASSES,
+    TokenAuthentication,
+]
+
 
 class CustomerViewSet(viewsets.ModelViewSet):
+    authentication_classes = AUTHENTICATION_CLASSES
+    permission_classes = PERMISSION_CLASSES
     queryset = Customer.objects.all()
     serializer_class = CustomerSerializer
     schema = ChoicesAutoSchema()
 
 
 class ProductViewSet(viewsets.ModelViewSet):
+    authentication_classes = AUTHENTICATION_CLASSES
+    permission_classes = PERMISSION_CLASSES
     queryset = Product.objects.all()
     serializer_class = ProductSerializer
     schema = ChoicesAutoSchema()
 
 
 class OrderViewSet(viewsets.ModelViewSet):
+    authentication_classes = AUTHENTICATION_CLASSES
+    permission_classes = PERMISSION_CLASSES
     queryset = Order.objects.all()
     serializer_class = OrderSerializer
     schema = ChoicesAutoSchema()
 
 
 class AddressViewSet(viewsets.ModelViewSet):
+    authentication_classes = AUTHENTICATION_CLASSES
+    permission_classes = PERMISSION_CLASSES
     queryset = Address.objects.all()
     serializer_class = AddressSerializer
     schema = ChoicesAutoSchema()
 
 
 class ReviewViewSet(viewsets.ModelViewSet):
+    authentication_classes = AUTHENTICATION_CLASSES
+    permission_classes = PERMISSION_CLASSES
     queryset = Review.objects.all()
     serializer_class = ReviewSerializer
     schema = ChoicesAutoSchema()