tfranzel / drf-spectacular

Sane and flexible OpenAPI 3 schema generation for Django REST framework.
https://drf-spectacular.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Not working with IsAdminUser #708

Closed theblueskies closed 2 years ago

theblueskies commented 2 years ago

Describe the bug

The goal was to enable permissions to the swagger docs only when the user is an Admin user. I updated SERVE_PERMISSIONS to ['rest_framework.permissions.IsAdminUser']. Even when I am logged in as admin user, I get a 403 response.

To Reproduce

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'jwt_tokens.authenticators.JWTAuthentication', # This is a custom authenticator
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.BasicAuthentication',
    ),
    'TEST_REQUEST_DEFAULT_FORMAT': 'json',
    'DEFAULT_SCHEMA_CLASS': 'drf_spectacular.openapi.AutoSchema',
}

SPECTACULAR_SETTINGS = {
    'TITLE': 'App API',
    'DESCRIPTION': 'Swagger for App API',
    'VERSION': '1.0.0',
    'SERVE_INCLUDE_SCHEMA': False,
    'SERVE_PERMISSIONS': ['rest_framework.permissions.IsAdminUser'],
    # OTHER SETTINGS
}
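
# URLconf
from django.urls import path
from drf_spectacular.views import SpectacularAPIView, SpectacularRedocView, SpectacularSwaggerView

urlpatterns = [
    path('docs-json/', SpectacularAPIView.as_view(), name='schema'),
    path('docs/swagger-ui/', SpectacularSwaggerView.as_view(url_name='schema'), name='swagger-ui'),
    path('docs/redoc/', SpectacularRedocView.as_view(url_name='schema'), name='redoc'),
]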

Expected behavior

When the user is logged in as an admin user, they should be able to see the swagger docs. For any other case, it should be a 403.

theblueskies commented 2 years ago

Closing because the issue was not related to drf-spectacular. It was the ordering of DEFAULT_AUTHENTICATION_CLASSES.
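
Added example, not code from this issue or from drf-spectacular: a simplified pure-Python model of how Django REST framework tries the classes in DEFAULT_AUTHENTICATION_CLASSES in order, showing one way the ordering can make IsAdminUser deny a logged-in admin. The thread does not say what the custom JWTAuthentication did; the `strict_jwt` behaviour (raising instead of returning None when no token is sent) and every name in the block are assumptions.

```python
# Simplified model of DRF's authentication chain; not DRF or drf-spectacular code.
from dataclasses import dataclass, field
from typing import Callable, List, Optional


class AuthenticationFailed(Exception):
    """Stands in for rest_framework.exceptions.AuthenticationFailed."""


@dataclass
class User:
    name: str
    is_staff: bool = False


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    session_user: Optional[User] = None  # user bound to the session cookie, if any


def session_auth(request):
    # Like SessionAuthentication: return None when there is no logged-in session.
    return request.session_user


def _has_bearer(request):
    # Token verification itself is omitted in this model.
    return request.headers.get("Authorization", "").startswith("Bearer ")


def strict_jwt(request):
    # Hypothetical custom authenticator (assumption): raises when no token is sent.
    if not _has_bearer(request):
        raise AuthenticationFailed("no bearer token")
    return User("api-client")


def lenient_jwt(request):
    # Same check, but returns None so the next authenticator gets a turn.
    return User("api-client") if _has_bearer(request) else None


def docs_allowed(request, authenticators: List[Callable]) -> bool:
    """First authenticator returning a user wins; an exception ends the chain."""
    try:
        user = next((u for u in (a(request) for a in authenticators) if u), None)
    except AuthenticationFailed:
        return False
    # IsAdminUser: the request user must exist and have is_staff set.
    return bool(user and user.is_staff)


# Constructed sample: an admin browsing the docs with a session cookie, no token.
ADMIN_BROWSER = Request(session_user=User("admin", is_staff=True))
```

In this model the admin's browser request is denied with `[strict_jwt, session_auth]` and allowed with either `[session_auth, strict_jwt]` or `[lenient_jwt, session_auth]`.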