# Session Authentication (Default in DRF)

- Uses Django’s built-in session framework (i.e., cookies).
- Ideal for browser-based clients (e.g., via login sessions).
- The user logs in via `/admin/` or `LoginView`, and DRF tracks their session using a session cookie.

### In `settings.py`:
```python
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.SessionAuthentication',
    ]
}
```

To use it:
- The user logs in → Django sets a session cookie.
- DRF reads that session on every subsequent request to identify the user.

# Permission Classes

Permission classes control what authenticated or anonymous users can do.

### Set Globally in `settings.py`:
```python
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',
    ]
}
```

### Or set per view:
```python
from rest_framework.permissions import IsAuthenticated
from rest_framework.views import APIView

class MyView(APIView):
    permission_classes = [IsAuthenticated]
```

## 1. AllowAny
- Gives access to everyone (authenticated or not).
- Default in DRF if you don’t set anything.

```python
from rest_framework.permissions import AllowAny

permission_classes = [AllowAny]
```

## 2. IsAuthenticated
- Only logged-in users (session, token, JWT) are allowed.
- Unauthenticated users get 403 Forbidden.

```python
from rest_framework.permissions import IsAuthenticated

permission_classes = [IsAuthenticated]
```

## 3. IsAdminUser
- Only users with `is_staff=True` (i.e., users who can access the admin panel) are allowed.
- All other users get 403 Forbidden.

```python
from rest_framework.permissions import IsAdminUser

permission_classes = [IsAdminUser]
```

## 4. IsAuthenticatedOrReadOnly
- Authenticated users can do anything (GET, POST, PUT, DELETE).
- Unauthenticated users can only do safe methods (GET, HEAD, OPTIONS).

```python
from rest_framework.permissions import IsAuthenticatedOrReadOnly

permission_classes = [IsAuthenticatedOrReadOnly]
```

## 5. DjangoModelPermissions
- Uses Django model permissions like `add`, `change`, `delete`, `view`.
- Works only for authenticated users.
- Permissions are checked automatically on the request method.

| Method      | Permission Required |
|-------------|---------------------|
| GET         | view_modelname      |
| POST        | add_modelname       |
| PUT/PATCH   | change_modelname    |
| DELETE      | delete_modelname    |

```python
from rest_framework.permissions import DjangoModelPermissions

permission_classes = [DjangoModelPermissions]
```

## 6. DjangoModelPermissionsOrAnonReadOnly
- Same as above, but anonymous users can still read (GET).
- Good for public APIs where anyone may view data, but only logged-in users holding the model permission may modify it.

```python
from rest_framework.permissions import DjangoModelPermissionsOrAnonReadOnly

permission_classes = [DjangoModelPermissionsOrAnonReadOnly]
```
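To make the method-to-permission mapping of classes 5 and 6 concrete, here is an added, standalone Python model of the check (not DRF's or Django's own code): it builds the permission codename from the table above and applies the anonymous-user rule that distinguishes `DjangoModelPermissions` from `DjangoModelPermissionsOrAnonReadOnly`. The `User` type, the `blog` app label, the `post` model name and the permission sets are constructed for the example.

```python
# Added example (not DRF's own code): a standalone model of how the
# DjangoModelPermissions family maps a request method to a Django model
# permission, following the table above. The User class and the sample
# permission sets are constructed here so it runs without Django or DRF.
from dataclasses import dataclass, field

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

# Method -> permission action (view/add/change/delete), as in the table above.
PERMS_MAP = {
    "GET": "view", "HEAD": "view", "OPTIONS": "view",
    "POST": "add", "PUT": "change", "PATCH": "change", "DELETE": "delete",
}


@dataclass
class User:
    is_authenticated: bool = False
    perms: frozenset = field(default_factory=frozenset)  # e.g. {"blog.add_post"}

    def has_perm(self, codename):
        return codename in self.perms


def required_permission(method, app_label, model_name):
    """Build the codename that is checked, e.g. 'blog.change_post'."""
    action = PERMS_MAP.get(method.upper())
    if action is None:
        raise ValueError(f"unsupported method {method!r}")
    return f"{app_label}.{action}_{model_name}"


def model_permission_check(user, method, app_label, model_name, anon_read_only=False):
    """Return True if the request is allowed.

    anon_read_only=False behaves like DjangoModelPermissions: anonymous
    users are always refused. anon_read_only=True behaves like
    DjangoModelPermissionsOrAnonReadOnly: anonymous users may use safe
    methods only, while authenticated users still need the model permission.
    """
    if not user.is_authenticated:
        return anon_read_only and method.upper() in SAFE_METHODS
    return user.has_perm(required_permission(method, app_label, model_name))


# Constructed sample users: an editor with add/change only, a reader with view only.
EDITOR = User(True, frozenset({"blog.add_post", "blog.change_post"}))
READER = User(True, frozenset({"blog.view_post"}))
ANON = User()
```

Note that under this mapping an authenticated user without `view_post` is refused on GET, so granting `add`/`change` alone is not enough for a normal edit workflow.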

## 7. DjangoObjectPermissions
- Fine-grained, per-object permissions.
- Requires you to define `has_object_permission()` in your view or serializer.
- Checks object-level access, e.g. can this user view, update or delete this specific object?

```python
from rest_framework.permissions import DjangoObjectPermissions

permission_classes = [DjangoObjectPermissions]
```

# 🔁 Summary Table

| Permission Class                     | Auth Required | Read-Only for Unauth? | Uses Model Perms | Object-Level Perms |
|-------------------------------------|----------------|------------------------|-------------------|---------------------|
| AllowAny                            | ❌             | ✅                     | ❌                | ❌                  |
| IsAuthenticated                     | ✅             | ❌                     | ❌                | ❌                  |
| IsAdminUser                         | ✅ (staff)     | ❌                     | ❌                | ❌                  |
| IsAuthenticatedOrReadOnly          | ✅             | ✅                     | ❌                | ❌                  |
| DjangoModelPermissions              | ✅             | ❌                     | ✅                | ❌                  |
| DjangoModelPermissionsOrAnonReadOnly| ✅             | ✅                     | ✅                | ❌                  |
| DjangoObjectPermissions             | ✅             | ❌                     | ✅                | ✅                  |