update

core/apps/accounts/permissions.py

@@ -9,7 +9,9 @@ class IsAdminRole(BasePermission):
         if not request.user.is_authenticated:
             return False
 
-        if request.user.role != RoleChoice.ADMIN:
+        if request.user.role != RoleChoice.ADMIN or request.user.role != RoleChoice.SUPERUSER:
             raise PermissionDenied("Only admin can access this")
 
         return True
+
+

core/apps/accounts/urls.py

@@ -9,7 +9,7 @@ from .views import RegisterView, ResetPasswordView, MeView, ChangePasswordView,
 from rest_framework.routers import DefaultRouter
 
 from .views.permission import PermissionToActionViewSet, PermissionToTabViewSet, PermissionViewSet, RoleViewSet
-from core.apps.accounts.views.user import DeleteAdminUserApiView, UserDetailAPIView
+from core.apps.accounts.views.user import DeleteAdminUserApiView, UserDetailAPIView, AdminPermissionsAPIView
 
 router = DefaultRouter()
 router.register("auth", RegisterView, basename="auth")
@@ -34,4 +34,5 @@ urlpatterns = [
     path("admin/update/<int:pk>/", AdminUpdateAPIView.as_view(), name="user-update"),
     path('user/admin/<int:pk>/delete/', DeleteAdminUserApiView.as_view(), name='user-delete'),
     path('user/<int:pk>/', UserDetailAPIView.as_view(), name='user-detail'),
+    path('admin-permission/',AdminPermissionsAPIView.as_view(),name='admin-permissions'),
 ]

core/apps/accounts/views/permission.py

@@ -1,6 +1,6 @@
 from django_core.mixins import BaseViewSetMixin
 from drf_spectacular.utils import extend_schema
-from rest_framework.permissions import AllowAny, IsAdminUser
+from rest_framework.permissions import IsAdminUser
 from rest_framework.viewsets import ModelViewSet
 
 from core.apps.accounts.models.permission import PermissionToAction, PermissionToTab, Permission, Role
@@ -19,7 +19,7 @@ class PermissionToActionViewSet(BaseViewSetMixin, ModelViewSet):
     }
 
     action_permission_classes = {
-        'create': [AllowAny],
+        'create': [IsAdminUser],
         'destroy': [IsAdminUser],
     }
 

core/apps/accounts/views/user.py

@@ -97,7 +97,7 @@ class UserDetailAPIView(generics.RetrieveAPIView):
     serializer_class = UserSerializer
     lookup_field = 'id'
 
-
+@extend_schema(tags=['User'])
 class AdminPermissionsAPIView(generics.GenericAPIView):
     permission_classes = [IsAuthenticated]
     queryset = User.objects.all()