
Django groups and permissions in API level (with django-rest-framework)

Consider the following scenario:
I have a bunch of Users and API classes. I need to restrict access to each API by checking the requesting user's group permissions and allow the user to do only what the group permits.

Suppose I have a user user_xx who belongs to group group_xx and has permissions activity | activity | Can add activity activity | activity | Can add activity activity | activity | Can add activity. When user_xx tries to access MyActivityAPI through the HTTP DELETE method, the view class should restrict the access.
Can I achieve this feature? If possible, how?

What I've tried
I created some groups, assigned permissions to them, and added users to their corresponding groups. I tried to access one of the restricted APIs, but it allows me access (expected behaviour: restrict the user from the API).

UPDATE:
Here is my simple views.py:

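from rest_framework.permissions import IsAuthenticated
from rest_framework.viewsets import ModelViewSet

class MyApi(ModelViewSet):
    # Only checks that the request is authenticated
    permission_classes = (IsAuthenticated,)
    queryset = MyModel.objects.all()
    serializer_class = MyModelSerializer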

As described in the docs, in order for the Django model permissions to be applied to the viewset, you have to use DjangoModelPermissions:

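from rest_framework.permissions import DjangoModelPermissions
from rest_framework.viewsets import ModelViewSet

class MyApi(ModelViewSet):
    # Checks the user's model permissions (including those granted via groups)
    permission_classes = (DjangoModelPermissions,)
    queryset = MyModel.objects.all()
    serializer_class = MyModelSerializer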

In your previous code all actions were allowed to any authenticated user because you were using permission_classes = (IsAuthenticated,).
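
An added example, not part of the original question or answer and not Django REST framework's own code: a plain-Python model of the method-to-permission mapping that DjangoModelPermissions applies by default, run against the question's user who holds only "Can add activity". It goes one step beyond the thread by showing that read methods need no model permission under the default mapping; the names STRICT_PERMS_MAP, required_perms, is_allowed and allowed_methods are hypothetical, and GROUP_XX_PERMS is constructed sample data.

```python
# Plain-Python model of DjangoModelPermissions' default method -> permission
# mapping. Illustrative only; runs without Django installed.
DEFAULT_PERMS_MAP = {
    "GET": [],
    "OPTIONS": [],
    "HEAD": [],
    "POST": ["%(app_label)s.add_%(model_name)s"],
    "PUT": ["%(app_label)s.change_%(model_name)s"],
    "PATCH": ["%(app_label)s.change_%(model_name)s"],
    "DELETE": ["%(app_label)s.delete_%(model_name)s"],
}

# Hypothetical stricter mapping: reads also require the "view" permission.
VIEW = ["%(app_label)s.view_%(model_name)s"]
STRICT_PERMS_MAP = {**DEFAULT_PERMS_MAP, "GET": VIEW, "HEAD": VIEW}


def required_perms(method, app_label, model_name, perms_map=DEFAULT_PERMS_MAP):
    """Return the permission codenames a request method needs on a model."""
    if method not in perms_map:
        raise ValueError(f"method not allowed: {method}")
    names = {"app_label": app_label, "model_name": model_name}
    return [perm % names for perm in perms_map[method]]


def is_allowed(user_perms, authenticated, method, app_label, model_name,
               perms_map=DEFAULT_PERMS_MAP):
    """Anonymous requests are refused; otherwise every required perm must be held."""
    if not authenticated:
        return False
    needed = required_perms(method, app_label, model_name, perms_map)
    return set(needed) <= set(user_perms)


def allowed_methods(user_perms, app_label, model_name, perms_map=DEFAULT_PERMS_MAP):
    """List the HTTP methods an authenticated user with these perms may call."""
    return sorted(m for m in perms_map
                  if is_allowed(user_perms, True, m, app_label, model_name, perms_map))


# Constructed sample: group_xx grants only "activity | activity | Can add activity".
GROUP_XX_PERMS = {"activity.add_activity"}

if __name__ == "__main__":
    print("default:", allowed_methods(GROUP_XX_PERMS, "activity", "activity"))
    print("strict: ", allowed_methods(GROUP_XX_PERMS, "activity", "activity",
                                      STRICT_PERMS_MAP))
```

In a real project the stricter mapping is applied by subclassing DjangoModelPermissions and overriding its perms_map attribute.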
