Django DRF login only superuser

Question

I want to implement login with Django drf. I want only superuser (is_staff permission in my user model) to be able to log in. Until now I used rest_framework_simplejwt for generating a token for every user that trying to log in.

How can I implement that only superuser will be able to log in?

Views.py: calling the serializer

class MyTokenObtainPairView(TokenObtainPairView):
serializer_class = MyTokenObtainPairSerializer

Serializer.py:

class MyTokenObtainPairSerializer(TokenObtainPairSerializer):
@classmethod
def get_token(cls, user):
    user = CustomUser.objects.get(email=user.email)
    print(colored(user, "yellow"))
    token = super().get_token(user)
    # Add custom claims
    token['username'] = user.clinic_name
    token['email'] = user.email
    # ...
    return token

In serializer.py when I'm trying to retrieve user user = CustomUser.objects.get(email=user.email) I get only the email filed back. I'm using email to retrieve user because email is a unique field.

urls.py:

urlpatterns = [
path('token/', views.MyTokenObtainPairView.as_view(), name='token_obtain_pair'),
path('token/refresh/', TokenRefreshView.as_view(), name='token_refresh'),
path('register/', views.ClinicRegistration, name='auth_register'),
path('users/', views.ClinicListView.as_view(), name='users_list'),
path('users/<pk>/', views.ClinicDetailView.as_view(), name='get_user'),
path('users/<pk>/update/', views.ClinicUpdate, name='update_user'),
path('users/<pk>/delete/', views.ClinicDeleteView.as_view(), name='delete_user'),
path('', views.getRoutes),
path('test/', views.testEndPoint, name='test')

]

In the frontend I'm using react I make an Axios.post request with the: username, password, and email fields.

This is my CustomUserModel:

class CustomUser(AbstractBaseUser, PermissionsMixin):
username = None
email = models.EmailField(_('email address'), unique=True)
clinic_name = models.CharField(max_length=150, blank=True)
is_staff = models.BooleanField(default=False)
is_active = models.BooleanField(default=True)
date_joined = models.DateTimeField(default=timezone.now)
fb_projectId = models.CharField(max_length=150, blank=True)
fb_databaseURL = models.CharField(max_length=150, blank=True)
fb_storageBucket = models.CharField(max_length=150, blank=True)
fb_locationId = models.CharField(max_length=150, blank=True)
accounts = models.BooleanField(default=True)
dashboard = models.BooleanField(default=True)
measurements = models.BooleanField(default=False)
medications = models.BooleanField(default=False)
questionnaire = models.BooleanField(default=False)
chat = models.BooleanField(default=False)

objects = CustomUserManager()

USERNAME_FIELD = 'email'
REQUIRED_FIELDS = ['clinic_name']

def __str__(self):
    return self.email

The react API call:

const loginUser = async (username, password) => {
return appAxios
  .post(`token/`, {
    username,
    password,
    email: username,
  })
  .then((res) => {
    setAuthTokens(res.data);
    setUser(jwt_decode(res.data.access));
    setApiErrors("");
    localStorage.setItem("authTokens", JSON.stringify(res.data));
    history.push("/");
  })
  .catch((err) => {
    setApiErrors(err.response.data.detail);
    history.push("/login");
  });

};

Answer 1

Why you don't use default documentation? https://www.django-rest-framework.org/tutorial/4-authentication-and-permissions/#adding-required-permissions-to-views

in your case:

class MyOnlyForAdminView(drf.generics.APIView):
    ... # any view staff before
    permission_classes = [drf.permissions.IsAdminUser]
    ... # any view staff after