Django REST Framework ViewSet with Custom Actions and Permission Classes

Snippet

Django REST Framework ViewSet with Custom Actions and Permission Classes

This snippet demonstrates Django REST Framework ViewSet customization with dynamic permission handling and custom actions. The ViewSet implements action-specific permissions where retrieve and list are public, archive and stats require membership, while destroy operations need admin rights. Custom actions like archive, stats, and bulk_archive provide resource-specific endpoints with proper permission enforcement.

snippet.py
python
from rest_framework import viewsets, permissions, status
from rest_framework.decorators import action
from rest_framework.response import Response
from rest_framework.views import APIView
from django.shortcuts import get_object_or_404
from myapp.models import Project, Membership
from myapp.serializers import ProjectSerializer, ProjectStatsSerializer
from myapp.permissions import IsProjectMember, IsProjectAdmin
 
class ProjectViewSet(viewsets.ModelViewSet):
    queryset = Project.objects.all()
    serializer_class = ProjectSerializer
    permission_classes = [permissions.IsAuthenticated]
 
    def get_permissions(self):
        if self.action in ['retrieve', 'list']:
            return [permissions.AllowAny()]
        elif self.action in ['destroy', 'partial_update']:
            return [IsProjectAdmin()]
        elif self.action in ['archive', 'stats']:
            return [IsProjectMember()]
        return [permissions.IsAuthenticated()]
 
    def get_queryset(self):
        user = self.request.user
        if self.action == 'list' and not self.request.user.is_authenticated:
            return Project.objects.filter(is_public=True)
        return super().get_queryset()
 
    @action(detail=True, methods=['post'], permission_classes=[IsProjectAdmin])
    def archive(self, request, pk=None):
        project = self.get_object()
        project.is_archived = True
        project.save()
        return Response({'status': 'archived'}, status=status.HTTP_200_OK)
 
    @action(detail=True, methods=['get'], url_path='statistics')
    def stats(self, request, pk=None):
        project = self.get_object()
        data = {
            'members_count': project.membership_set.count(),
            'tasks_completed': project.tasks.filter(is_completed=True).count(),
            'total_tasks': project.tasks.count(),
        }
        serializer = ProjectStatsSerializer(data)
        return Response(serializer.data)
 
    @action(detail=False, methods=['post'])
    def bulk_archive(self, request):
        ids = request.data.get('project_ids', [])
        projects = Project.objects.filter(id__in=ids, created_by=request.user)
        updated = projects.update(is_archived=True)
        return Response({'archived_count': updated})

django

Breakdown

def get_permissions(self):

Override to return action-specific permission classes enabling fine-grained access control per endpoint

@action(detail=True, methods=['post'], permission_classes=[IsProjectAdmin])

Define custom action decorator with detail=True for instance-specific endpoint and explicit permission requirement

@action(detail=False, methods=['post'])

Create collection-level action for bulk operations without requiring a specific resource instance

IsProjectMember()

Use custom permission class that checks user's membership in the specific project being accessed

url_path='statistics'

Override URL path for the action to use 'statistics' instead of the method name 'stats'

Previous snippet Next snippet

More Expert Python exercises →

From your library

Django REST Framework ViewSet with Custom Actions and Permission Classes

Related