Making authenticated requests

Now, we can launch Django's development server to compose and send authenticated HTTP requests and see how the configured authentication classes, combined with the permission policies, work together. Execute either of the following two commands, depending on whether you need to access the API from other devices or computers connected to your LAN. Remember that we analyzed the difference between them in Chapter 3, Creating API Views, in the Launching Django's development server section:

    python manage.py runserver
    python manage.py runserver 0.0.0.0:8000

After we run any of the previous commands, the development server will start listening at port 8000.

We will compose and send an HTTP POST request without authentication credentials to try to create a new drone:

    http POST :8000/drones/ name="Python Drone" drone_category="Quadcopter" manufacturing_date="2017-07-16T02:03:00.716312Z" has_it_competed=false

The following is the equivalent curl command:

    curl -iX POST -H "Content-Type: application/json" -d '{"name":"Python Drone", "drone_category":"Quadcopter", "manufacturing_date": "2017-07-16T02:03:00.716312Z", "has_it_competed": "false"}' localhost:8000/drones/

We will receive an HTTP 401 Unauthorized status code in the response header and a detail message in the JSON body indicating that we didn't provide authentication credentials. Notice the WWW-Authenticate: Basic realm="api" header, which tells the client which authentication scheme the API expects. The following lines show a sample response:

    HTTP/1.0 401 Unauthorized
    Allow: GET, POST, HEAD, OPTIONS
    Content-Length: 58
    Content-Type: application/json
    Date: Tue, 19 Dec 2017 19:52:44 GMT
    Server: WSGIServer/0.2 CPython/3.6.2
    Vary: Accept, Cookie
    WWW-Authenticate: Basic realm="api"
    X-Frame-Options: SAMEORIGIN
    
    {
        "detail": "Authentication credentials were not provided."
    }

After the changes we made, if we want to create a new drone, that is, to make an HTTP POST request to /drones/, we need to provide authentication credentials by using HTTP Basic authentication. Now, we will compose and send an HTTP request to create a new drone with authentication credentials, that is, with the superuser's name and password. Remember to replace djangosuper with the name you used for the superuser and passwordforsuper with the password you configured for this user:

    http -a "djangosuper":"passwordforsuper" POST :8000/drones/ name="Python Drone" drone_category="Quadcopter" manufacturing_date="2017-07-16T02:03:00.716312Z" has_it_competed=false

The following is the equivalent curl command:

    curl --user "djangosuper":"passwordforsuper" -iX POST -H "Content-Type: application/json" -d '{"name":"Python Drone", "drone_category":"Quadcopter", "manufacturing_date": "2017-07-16T02:03:00.716312Z", "has_it_competed": "false"}' localhost:8000/drones/

The new Drone, with the superuser named djangosuper as its owner, has been successfully created and persisted in the database because the request was authenticated. As a result, we will receive an HTTP 201 Created status code in the response header and the recently persisted Drone serialized to JSON in the response body. The following lines show an example response for the HTTP request, with the new Drone object in the JSON response body. Notice that the JSON response body includes the owner key, whose value is the username that created the drone: djangosuper. The owner was taken from the authenticated request, not from the request body, so a client cannot claim another user as the owner:

    HTTP/1.0 201 Created
    Allow: GET, POST, HEAD, OPTIONS
    Content-Length: 219
    Content-Type: application/json
    Date: Fri, 10 Nov 2017 02:55:07 GMT
    Location: http://localhost:8000/drones/12
    Server: WSGIServer/0.2 CPython/3.6.2
    Vary: Accept, Cookie
    X-Frame-Options: SAMEORIGIN
    
    {
        "drone_category": "Quadcopter",
        "has_it_competed": false,
        "inserted_timestamp": "2017-11-10T02:55:07.361574Z",
        "manufacturing_date": "2017-07-16T02:03:00.716312Z",
        "name": "Python Drone",
        "owner": "djangosuper",
        "url": "http://localhost:8000/drones/12"
    }

Now, we will try to update the has_it_competed field value for the previously created drone with an HTTP PATCH request. However, we will use the other user we created in Django to authenticate this HTTP PATCH request. This user isn't the owner of the drone, and therefore, the request shouldn't succeed.

Replace user01 and user01password in the next command with the name and password you configured for this user. In addition, replace 12 with the ID generated for the previously created drone in your configuration:

    http -a "user01":"user01password" PATCH :8000/drones/12 has_it_competed=true

The following is the equivalent curl command:

    curl --user "user01":"user01password" -iX PATCH -H "Content-Type: application/json" -d '{"has_it_competed": "true"}' localhost:8000/drones/12

We will receive an HTTP 403 Forbidden status code in the response header and a detail message in the JSON body indicating that we do not have permission to perform the action. The credentials were valid, so authentication succeeded; the difference from the earlier 401 response is that authorization failed. The owner of the drone we want to update is djangosuper, and the authentication credentials for this request belong to a different user: user01. Hence, the operation is rejected by the has_object_permission method in the IsCurrentUserOwnerOrReadOnly customized permission class we created. The following lines show a sample response:

    HTTP/1.0 403 Forbidden
    Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
    Content-Length: 63
    Content-Type: application/json
    Date: Fri, 10 Nov 2017 03:34:43 GMT
    Server: WSGIServer/0.2 CPython/3.6.2
    Vary: Accept, Cookie
    X-Frame-Options: SAMEORIGIN
    
    {
        "detail": "You do not have permission to perform this action."
    }
  

A user that isn't the drone's owner cannot make changes to the drone. However, that user must still have read-only access to it. Hence, we must be able to retrieve the previous drone's details with an HTTP GET request using the same authentication credentials. It will work because GET is one of the safe methods, and a user that is not the owner is allowed to read the resource. Replace user01 and user01password in the next command with the name and password you configured for this user. In addition, replace 12 with the ID generated for the previously created drone in your configuration:

    http -a "user01":"user01password" GET :8000/drones/12

The following is the equivalent curl command:

    curl --user "user01":"user01password" -iX GET localhost:8000/drones/12

The response will return an HTTP 200 OK status code in the header and the requested Drone serialized to JSON in the response body.
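The three outcomes walked through above (401 without credentials, 403 for an authenticated user who is not the owner on a write, 200 for that same user on a read) follow a small decision sequence: authenticate first, then check the object-level permission, treating safe methods differently from writes. The following added example, which is not code from the book or from Django REST Framework, models that sequence in plain Python so it runs without Django installed. The user table, the Drone record and the credentials are constructed for the example; the authenticate and has_object_permission functions mirror what BasicAuthentication and the book's IsCurrentUserOwnerOrReadOnly class decide, and the basic_auth_header helper builds the same Authorization value that `http -a` and `curl --user` send.

```python
"""
Added example (not from the book): a pure-Python model of the exchanges above.
It reproduces the decision the DRF stack makes on the detail endpoint:
  1. no or invalid credentials         -> 401 Unauthorized (authentication)
  2. valid credentials, non-owner, PATCH -> 403 Forbidden (has_object_permission)
  3. valid credentials, non-owner, GET   -> 200 OK (safe method)
No Django or DRF import is needed; users and the drone are constructed data.
"""
import base64
from dataclasses import dataclass
from typing import Optional

# Same methods DRF's permissions.SAFE_METHODS treats as read-only.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

# Constructed user table for the example (hypothetical credentials).
USERS = {
    "djangosuper": "passwordforsuper",
    "user01": "user01password",
}


@dataclass
class Drone:
    pk: int
    name: str
    owner: str  # username of the creator, set server-side from the request user


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value that `http -a` / `curl --user` send.
    Base64 is an encoding, not encryption: anyone who can read the request
    recovers the password, which is why Basic auth needs TLS in front of it."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Mirror BasicAuthentication: return the username when the header carries
    valid credentials, None when it is absent, malformed or wrong."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[len("Basic "):]).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    username, _, password = decoded.partition(":")
    if username and USERS.get(username) == password:
        return username
    return None


def has_object_permission(method: str, user: str, obj: Drone) -> bool:
    """The rule IsCurrentUserOwnerOrReadOnly implements: safe methods are open
    to any authenticated user; modifying methods require the object's owner."""
    if method in SAFE_METHODS:
        return True
    return obj.owner == user


def handle_request(method: str, authorization: Optional[str], drone: Drone) -> int:
    """Return the HTTP status the detail view would produce for this request."""
    user = authenticate(authorization)
    if user is None:
        return 401  # IsAuthenticated fails before any object is looked at
    if not has_object_permission(method, user, drone):
        return 403  # authenticated, but not authorized for this object
    return 200  # read or owner write accepted


if __name__ == "__main__":
    drone = Drone(pk=12, name="Python Drone", owner="djangosuper")
    user01 = basic_auth_header("user01", "user01password")
    print("PATCH, no credentials:", handle_request("PATCH", None, drone))
    print("PATCH as user01:      ", handle_request("PATCH", user01, drone))
    print("GET as user01:        ", handle_request("GET", user01, drone))
```

The ordering matters for the status codes the book shows: the 401 is produced before the drone is even fetched, whereas the 403 requires both a successful authentication and a loaded object, which is why DRF calls has_object_permission only after get_object. A wrong password is indistinguishable from no password from the client's point of view (both yield 401), so a defender watching logs should treat repeated 401s against the same account as a credential-guessing signal rather than a permission problem.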
