Permissions & Throttling
DRF permissions control who can access API endpoints. Throttling limits how often clients can make requests. Both are essential for API security and preventing abuse.
15 min • By Priygop Team • Updated 2026
Permission Classes
- AllowAny — No restrictions
- IsAuthenticated — Must be logged in
- IsAdminUser — Must be staff/admin
- IsAuthenticatedOrReadOnly — Auth for write, anyone can read
- Custom permissions — Subclass BasePermission
- Object-level permissions — Check per-object access
- Set globally or per-view
# Custom permission
from rest_framework import generics, viewsets
from rest_framework.permissions import BasePermission, IsAuthenticatedOrReadOnly


class IsAuthorOrReadOnly(BasePermission):
    # Anyone may read a post; only its author may change or delete it.
    def has_object_permission(self, request, view, obj):
        if request.method in ['GET', 'HEAD', 'OPTIONS']:
            return True
        return obj.author == request.user


# Usage in ViewSet: DRF runs has_permission() on every request and
# has_object_permission() when a detail route calls get_object().
class PostViewSet(viewsets.ModelViewSet):
    # queryset and serializer_class as in the rest of the project
    permission_classes = [IsAuthenticatedOrReadOnly, IsAuthorOrReadOnly]


# Throttling — rate limiting
# settings.py
REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_CLASSES': [
        'rest_framework.throttling.AnonRateThrottle',
        'rest_framework.throttling.UserRateThrottle',
    ],
    'DEFAULT_THROTTLE_RATES': {
        'anon': '100/hour',   # Anonymous users, keyed by client IP
        'user': '1000/hour',  # Authenticated users, keyed by user id
    },
}

# Custom throttle per view
from rest_framework.throttling import UserRateThrottle


class BurstRateThrottle(UserRateThrottle):
    # Own scope, so this throttle's request history is not stored under the
    # same cache key as the default 'user' throttle configured above.
    scope = 'burst'
    rate = '5/minute'


class PostCreateView(generics.CreateAPIView):
    throttle_classes = [BurstRateThrottle]
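To make the rate strings above concrete, here is an added example (not DRF's code and not from this page) that models the sliding-window algorithm DRF's AnonRateThrottle and UserRateThrottle inherit from SimpleRateThrottle: parse '5/minute' into a request count and a window, keep a per-client list of timestamps, drop the ones older than the window, and refuse once the list is full. The in-memory dict, the explicit `now` argument, the `scope`/`ident` strings and the `demo()` inputs are constructed stand-ins for DRF's cache backend, timer and cache key, so it runs offline.

```python
"""Plain-Python model of the sliding-window throttle behind DRF's
AnonRateThrottle/UserRateThrottle. Added example, not DRF's own code:
the dict cache, the `now` parameter and the scope/ident strings are
constructed stand-ins for Django's cache, DRF's timer and DRF's cache key."""

PERIOD_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_rate(rate):
    """'100/hour' -> (100, 3600). As in DRF, only the first letter of the
    period is significant, so '5/min', '5/minute' and '5/m' are equivalent."""
    num, period = rate.split("/")
    return int(num), PERIOD_SECONDS[period[0]]


class SlidingWindowThrottle:
    def __init__(self, rate, scope):
        self.num_requests, self.duration = parse_rate(rate)
        self.scope = scope
        self.cache = {}  # constructed stand-in for Django's cache backend

    def allow_request(self, ident, now):
        """Return (allowed, retry_after_seconds) for one request at time `now`."""
        # Same shape as DRF's cache key: scope plus the client identity, so two
        # throttle classes that share a scope also share one request history.
        key = f"throttle_{self.scope}_{ident}"
        history = self.cache.get(key, [])
        # Timestamps are newest-first; discard those that left the window.
        while history and history[-1] <= now - self.duration:
            history.pop()
        if len(history) >= self.num_requests:
            self.cache[key] = history
            # Seconds until the oldest in-window request ages out.
            return False, self.duration - (now - history[-1])
        history.insert(0, now)
        self.cache[key] = history
        return True, 0


def simulate(rate, scope, ident, timestamps):
    """Run a sequence of request times through one bucket; returns allow flags."""
    throttle = SlidingWindowThrottle(rate, scope)
    return [throttle.allow_request(ident, t)[0] for t in timestamps]


def demo():
    """Five requests in five seconds exhaust a 5/minute bucket; the sixth is
    refused with a retry hint, while a second client (constructed IPs) is unaffected."""
    throttle = SlidingWindowThrottle("5/minute", "burst")
    first_five = [throttle.allow_request("10.0.0.1", i)[0] for i in range(5)]
    sixth = throttle.allow_request("10.0.0.1", 5)
    other_client = throttle.allow_request("10.0.0.2", 5)
    return first_five, sixth, other_client


if __name__ == "__main__":
    print(simulate("5/minute", "burst", "10.0.0.1", [0, 1, 2, 3, 4, 5, 61]))
    print(demo())
```

Two operational points follow from the model. The history lives in Django's cache, so with a per-process cache (LocMemCache) each worker enforces its own copy of the limit; a shared cache backend is needed for the configured rate to mean what it says. And the anonymous bucket is keyed by the client address DRF derives from the request, which behind a reverse proxy depends on `NUM_PROXIES` being set correctly; if it is not, forwarded-address headers rather than the real peer decide which bucket a request lands in.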
Tip
Use IsAuthenticated + custom permissions. has_object_permission() checks per-object access (e.g., only author can edit).
Common Mistake
Warning
Not implementing object-level permissions. Without has_object_permission(), any authenticated user can modify any object.
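The mistake above, shown side by side with the fix, as an added example that is not DRF's code and not from this page: a plain-Python model of the two-stage check a DRF generic view performs (has_permission() on dispatch, then has_object_permission() inside get_object()), run once with only IsAuthenticatedOrReadOnly and once with the page's IsAuthorOrReadOnly added. The User, Post and Request classes and the alice/mallory data are constructed stand-ins for Django's user model, a model instance and a DRF request.

```python
"""Plain-Python model of DRF's view-level then object-level permission check.
Added example, not DRF's own code: User, Post and Request are constructed
stand-ins; run_permission_checks() mirrors the order a generic view applies
has_permission() and has_object_permission()."""
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True


@dataclass
class Post:
    title: str
    author: User


@dataclass
class Request:
    method: str
    user: User


class BasePermission:
    """Same defaults as DRF's BasePermission: everything allowed unless overridden."""

    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True


class IsAuthenticatedOrReadOnly(BasePermission):
    def has_permission(self, request, view):
        return request.method in SAFE_METHODS or request.user.is_authenticated


class IsAuthorOrReadOnly(BasePermission):
    """The page's custom permission: reads for anyone, writes only by the author."""

    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS:
            return True
        return obj.author == request.user


def run_permission_checks(permission_classes, request, obj):
    """True only if every permission passes both stages, in DRF's order."""
    permissions = [cls() for cls in permission_classes]
    if not all(p.has_permission(request, None) for p in permissions):
        return False
    # Object stage: reached only on detail routes, where get_object() runs.
    return all(p.has_object_permission(request, None, obj) for p in permissions)


WEAK = [IsAuthenticatedOrReadOnly]                         # the common mistake
HARDENED = [IsAuthenticatedOrReadOnly, IsAuthorOrReadOnly]  # with object-level check

# Constructed sample data
ALICE = User("alice")
MALLORY = User("mallory")
ANON = User("anonymous", is_authenticated=False)
ALICES_POST = Post("hello", author=ALICE)


def can_access(permission_classes, user, method="PUT"):
    """Outcome of `user` issuing `method` against alice's post."""
    return run_permission_checks(permission_classes, Request(method, user), ALICES_POST)


if __name__ == "__main__":
    for label, classes in (("weak", WEAK), ("hardened", HARDENED)):
        print(label,
              "mallory PUT:", can_access(classes, MALLORY),
              "alice PUT:", can_access(classes, ALICE),
              "anon GET:", can_access(classes, ANON, "GET"),
              "anon PUT:", can_access(classes, ANON))
```

Note what the object stage does not cover: list and create routes never call get_object(), so has_object_permission() is not consulted there. Ownership on creation (setting the author to request.user rather than trusting a client-supplied value) has to be enforced in the serializer or perform_create(), not in the permission class.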
Practice Task
Note
(1) Create IsAuthorOrReadOnly permission. (2) Apply to a ViewSet. (3) Test with different users.
Key Takeaways
- DRF permissions control who can access API endpoints.
- AllowAny — No restrictions
- IsAuthenticated — Must be logged in
- IsAdminUser — Must be staff/admin