update

core/apps/accounts/permissions.py

@@ -0,0 +1,15 @@
+from rest_framework.exceptions import PermissionDenied
+from rest_framework.permissions import BasePermission
+
+from core.apps.accounts.choices import RoleChoice
+
+
+class IsAdminRole(BasePermission):
+    def has_permission(self, request, view):
+        if not request.user.is_authenticated:
+            return False
+
+        if request.user.role != RoleChoice.ADMIN:
+            raise PermissionDenied("Only admin can access this")
+
+        return True

core/apps/accounts/urls.py

@@ -27,7 +27,7 @@ urlpatterns = [
     path("", include(router.urls)),
     path("auth/token/", jwt_views.TokenObtainPairView.as_view(), name="token_obtain_pair"),
     path("auth/token/verify/", jwt_views.TokenVerifyView.as_view(), name="token_verify"),
-    path("auth/token/refresh/",jwt_views.TokenRefreshView.as_view()),
+    path("auth/token/refresh/", jwt_views.TokenRefreshView.as_view()),
     path("user/list/", UserListApiView.as_view(), name="user-list"),
     path("admin-user/list/", AdminUserListApiView.as_view(), name="admin-user-list"),
     path("admin/create/", AdminCreateAPIView.as_view(), name="user-create"),

core/apps/accounts/views/user.py

@@ -106,6 +106,7 @@ class UserDetailAPIView(generics.RetrieveAPIView):
 
 class AdminPermissionsAPIView(generics.GenericAPIView):
     permission_classes = [IsAuthenticated]
+    queryset = User.objects.all()
 
     def get(self, request):
         if request.user.role.name != RoleChoice.ADMIN: