permissions.py

Permissions

TokenHasReadWriteScope

This permission class is intended for use with either of the OAuthAuthentication and OAuth2Authentication classes, and ties into the scoping that their backends provide.

Requests with a safe method of GET, OPTIONS or HEAD will be allowed if the authenticated token has read permission.

Requests for POST, PUT, PATCH and DELETE will be allowed if the authenticated token has write permission.

This permission class relies on the implementations of the django-oauth-plus and django-oauth2-provider libraries, which both provide limited support for controlling the scope of access tokens:

If you require more advanced scoping for your API, such as restricting tokens to accessing a subset of the functionality of your API, then you will need to provide a custom permission class. See the source of the django-oauth-plus or django-oauth2-provider package for more details on scoping token access.
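One way such a custom permission class could look, as an added example that is not code from REST framework or from either OAuth package. It assumes the authenticated token on request.auth carries an integer bitmask in a scope attribute; the bit values, the BILLING bit and the required_scope view attribute are hypothetical names chosen for illustration.

```python
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission
except Exception:  # REST framework not importable here: fall back so the demo runs
    BasePermission = object

# Hypothetical scope bits (assumption: the token stores an integer bitmask).
READ, WRITE, BILLING = 1 << 1, 1 << 2, 1 << 3
SAFE_METHODS = ("GET", "OPTIONS", "HEAD")


class TokenHasViewScope(BasePermission):
    """Require the read or write bit, plus any extra bits the view declares."""

    def has_permission(self, request, view):
        token = getattr(request, "auth", None)
        granted = getattr(token, "scope", None)
        # Fail closed: no token, or a token without an integer scope mask.
        if isinstance(granted, bool) or not isinstance(granted, int):
            return False
        required = READ if request.method in SAFE_METHODS else WRITE
        # Views opt in to narrower access by naming the extra bits they need.
        required |= getattr(view, "required_scope", 0)
        # Every required bit must be present in the granted mask.
        return (granted & required) == required


def demo():
    """Run the check over constructed requests and views (sample data only)."""
    def req(method, scope):
        return SimpleNamespace(method=method, auth=SimpleNamespace(scope=scope))

    plain = SimpleNamespace()                         # no extra scope needed
    billing = SimpleNamespace(required_scope=BILLING)  # needs the BILLING bit
    perm = TokenHasViewScope()
    return {
        "read token, GET plain": perm.has_permission(req("GET", READ), plain),
        "read token, POST plain": perm.has_permission(req("POST", READ), plain),
        "rw token, POST plain": perm.has_permission(req("POST", READ | WRITE), plain),
        "rw token, GET billing": perm.has_permission(req("GET", READ | WRITE), billing),
        "read+billing, GET billing": perm.has_permission(req("GET", READ | BILLING), billing),
        "no token": perm.has_permission(SimpleNamespace(method="GET", auth=None), plain),
    }
```

A read/write token is still refused on the billing view because the check requires every declared bit, and a request with no token or no usable scope is refused rather than allowed.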