django-rest-frameworkpermissionsdjango-permissionsdjango-rest-framework-jwt

View specified permission isn't replaced by default permission class


When I set default permission settings to

"DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.AllowAny",
    ],

and then define different permission for views like

@requires_csrf_token
@permission_classes([IsAuthenticated])
@api_view(["POST"])
def logout(request):
    pass

I expected the view permission to be set as IsAuthenticated. But it behaves as AllowAny.


Solution

  • As mentioned in the documentation, your @permission_classes decorator

    must come after (below) the @api_view decorator

    So I would rather try:

    @requires_csrf_token
    @api_view(["POST"])
    @permission_classes([IsAuthenticated])
    def logout(request):
        pass