Django-rest-framework permissions for create in viewset

Frontend | Unresolved | 3 replies | 1407 views
Asked by 我寻月下人不归, 2020-12-28 08:18

I am trying to create a REST API and am stuck at user registration: basically I need to have the access token before I register.

This is the view:

cl         


        
3 replies
  •  梦毁少年i
    2020-12-28 09:00

    Customize the get_queryset method:

    from django.contrib.auth.models import User

    def get_queryset(self):
        # Superusers see every user; everyone else is limited to their own row.
        if self.request.user.is_superuser:
            return User.objects.all()
        else:
            # For an anonymous request user.id is None, so this queryset is empty.
            return User.objects.filter(id=self.request.user.id)
    

    This way, an authenticated user can only retrieve, modify or delete its own object.

    Specify the permission_classes = (AllowAny,) so an authenticated user can create a new one.

    EDIT: further explanation from comments

    Customizing the get_queryset method this way means the following:

    1. Yes, non-authenticated users can send the GET request to retrieve the user list but it will be empty because the return User.objects.filter(id=self.request.user.id) ensures that only information about the authenticated user is returned.

    2. The same applies for other methods: if an authenticated user tries to DELETE another user object, a "detail: Not found" response will be returned (because the user it is trying to access is not in the queryset).

    3. Authenticated users can do whatever they want to their user objects.
