Hi! Is it possible to set permission classes for specific endpoints? I want to set the IsAuthenticatedOrReadOnly permission for two of my endpoints and not for the entire class, is that possible? Or are there any other solutions to let any user get the data without being authenticated for my 2 endpoints without altering the permissions of the rest of the class?
#Set 'IsAuthenticatedOrReadOnly' permission only for one endpoint of my view
# I HAVE THIS CLASS
from rest_framework import viewsets
from rest_framework.decorators import action
from rest_framework.permissions import IsAuthenticated, IsAuthenticatedOrReadOnly

# Campaign and CampaignSerializer come from the project's own modules.

class CampaignViewSet(viewsets.ModelViewSet):
    permission_classes = (IsAuthenticated,)  # WITH THIS PERMISSION
    serializer_class = CampaignSerializer
    queryset = Campaign.objects.all()

    @action(detail=False, methods=['GET'])
    def available(self, request):
        pass  # SOMETHING HERE

    @action(detail=False, methods=['GET'])
    def my_campaigns(self, request):
        pass  # SOMETHING HERE

    @action(detail=True, methods=['GET'])
    def teams(self, request, pk):
        pass  # SOMETHING HERE

    @action(detail=True, methods=['GET'])
    def participant_details(self, request, pk):
        pass  # SOMETHING HERE

    @action(detail=False, methods=['GET'])  # list-level route, so no pk argument
    def all_campaigns(self, request):
        # NOW, IN THIS ENDPOINT I WANT A DIFFERENT PERMISSION I DON'T KNOW, SOMETHING LIKE THIS:
        permission_classes = [IsAuthenticatedOrReadOnly]
I think the action decorator takes permission_classes as a parameter. Probably worth checking the docs and/or the code.
ohh really? I'll check on that thank you!!
Yeah, it's in one of the examples on https://www.django-rest-framework.org/api-guide/viewsets/#marking-extra-actions-for-routing. It didn't have a linkable anchor for me to link you to directly.
Thanks!
@fickle cove did you resolve this?
I am having issues related to yours
This is accessing the CREATE action.. but it still won't let me access
yeah
but maybe your problem is different, because it says that you are not giving the credentials
well anyway, what I did was using the decorator for the permission as CodenameTim said
here's the example:
# permission_classes passed to @action applies to this route only
@action(detail=True, methods=['GET'], permission_classes=[IsAuthenticatedOrReadOnly])
def team_ranking(self, request, pk):
    campaign = self.get_object()  # looks up the Campaign by pk
    teams = Team.objects.filter(campaign=campaign)
    data = TeamRankingSerializer(teams, many=True).data
    return Response(data=data, status=status.HTTP_200_OK)
so do you still have a class attribute for permission_classes?
yes
for the entire file it has the default permissions I set
but for that endpoint it uses the IsAuthenticatedOrReadOnly permission, that allows everyone to access the endpoint if it is read only
hmm. Have you ever heard of the get_permissions() function for a ViewSet?
usually I believe it is the thing designed to be overwritten and handle custom permissions for different actions
hmm no I haven't heard of it sorry :/
I mean AllowAny shouldn't require credentials at all right
or maybe with the permission you are setting
I'm not passing any credentials
Currently nothing lol
hmm idk then
I want to just do like HTTP -a username='xxxx' password='xxxx' POST req ... when it requires authentication
I was thinking that something was overriding the AllowAny permission