django-rest-framework-api-key
API KEY isn't checked at all in Django 1.11 / Python 3.5
I've added it to installed apps:
    OTHER_APPS = [
        'custom_user',
        'rest_framework',
        'rest_framework.authtoken',
        'rest_framework_api_key',
        'rest_framework_bulk',
        'djoser',
        'storages',  # To store files in DO Spaces
        'django_extensions',  # To generate models graphs
        #'rest_framework_swagger',
        #'rest_framework_docs',
    ]
My middlewares are:
    MIDDLEWARE = [
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ]
DRF config
    REST_FRAMEWORK = {
        'DEFAULT_PERMISSION_CLASSES': (
            # Global API Key to protect the API
            'rest_framework_api_key.permissions.HasAPIAccess',
        ),
        'DEFAULT_AUTHENTICATION_CLASSES': (
            # Token authentication for users
            'rest_framework.authentication.TokenAuthentication',
        ),
    }
I've generated the API KEY from the admin, but I can send any request without the header and it's accepted anyway. I've tried adding the header too:
Api-Key: de0db181c02016016d8ef37dd3f31491ceec0ef2
But I can set any key or remove the header and all the requests are accepted any time. Am I missing something? Should I add any extra middleware?
Thanks
I think the documentation didn't cover that aspect. This is how to get it to work correctly:
- Import this: from rest_framework_api_key.permissions import HasAPIAccess
- Add permission_classes = (HasAPIAccess,) to any of your API views
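A view that sets its own permission_classes replaces DEFAULT_PERMISSION_CLASSES rather than adding to it, so the global setting and the per-view fix above can both leave endpoints uncovered. The audit below is an added example, not code from this thread or from the project; the function names and the stand-in view and permission classes are assumptions constructed so it runs without a Django project.

```python
"""Audit which DRF views enforce a required permission class (added example)."""
from types import SimpleNamespace

def iter_view_classes(patterns):
    """Yield the view class behind each URL pattern, recursing into include()s.

    Duck-typed on Django's resolver objects: resolvers expose `url_patterns`,
    patterns expose `callback`, and DRF's as_view() stores the class on
    `callback.cls`. Callbacks without `cls` (non-DRF views) are skipped.
    """
    for entry in patterns:
        if hasattr(entry, "url_patterns"):
            yield from iter_view_classes(entry.url_patterns)
        else:
            cls = getattr(getattr(entry, "callback", None), "cls", None)
            if cls is not None:
                yield cls

def views_missing_permission(patterns, required):
    """Return sorted names of views whose permission_classes lack `required`.

    Composed permissions (A & B) are not plain classes, so such views are
    reported for manual review instead of being assumed safe.
    """
    missing = set()
    for cls in iter_view_classes(patterns):
        perms = getattr(cls, "permission_classes", ())
        if not any(isinstance(p, type) and issubclass(p, required) for p in perms):
            missing.add(cls.__name__)
    return sorted(missing)

# --- Constructed stand-ins (assumptions, not the real library classes) ---
class HasAPIAccess: pass       # stands in for rest_framework_api_key's class
class IsAuthenticated: pass    # stands in for a DRF permission

class OrdersView: permission_classes = (HasAPIAccess,)
class ProfileView: permission_classes = (IsAuthenticated,)  # replaces the default
class HealthView: permission_classes = ()                   # no checks at all

def _pattern(cls):
    return SimpleNamespace(callback=SimpleNamespace(cls=cls))

SAMPLE_URLS = [
    _pattern(OrdersView),
    SimpleNamespace(url_patterns=[_pattern(ProfileView), _pattern(HealthView)]),
]

if __name__ == "__main__":
    print(views_missing_permission(SAMPLE_URLS, HasAPIAccess))
```

In a real project, pass `django.urls.get_resolver().url_patterns` and the imported `HasAPIAccess` instead of the stand-ins, for example from a test that fails when the returned list is not empty.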