Class IsAdminUser has a misleading name, as it only checks for "is_staff", which does not make the user an "admin":

    class IsAdminUser(BasePermission):
        """
        Allows access only to admin users.
        """

        def has_permission(self, request, view):
            return bool(request.user and request.user.is_staff)
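The gap described above, as an added example that is not part of the original post or of the framework's code: it runs the quoted check beside a stricter one over every combination of the two flags. `User`, `Request` and `BasePermission` here are minimal stand-ins so the block runs without Django installed, and `IsSuperUser` and `access_matrix` are hypothetical names.

```python
from dataclasses import dataclass
from itertools import product


@dataclass
class User:
    """Stand-in carrying the two Django user flags under discussion."""
    is_staff: bool = False
    is_superuser: bool = False


@dataclass
class Request:
    """Stand-in for a request; user is None when nobody is authenticated here."""
    user: object = None


class BasePermission:
    """Stand-in for rest_framework.permissions.BasePermission."""
    def has_permission(self, request, view):
        return True


class IsAdminUser(BasePermission):
    """Same check as the class quoted in the post: is_staff only."""
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_staff)


class IsSuperUser(BasePermission):
    """Hypothetical stricter class: requires is_superuser, ignores is_staff."""
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_superuser)


def access_matrix():
    """Map (is_staff, is_superuser) -> (IsAdminUser result, IsSuperUser result)."""
    matrix = {}
    for staff, superuser in product([False, True], repeat=2):
        request = Request(User(is_staff=staff, is_superuser=superuser))
        matrix[(staff, superuser)] = (
            IsAdminUser().has_permission(request, None),
            IsSuperUser().has_permission(request, None),
        )
    return matrix


if __name__ == "__main__":
    for flags, results in access_matrix().items():
        print(flags, results)
```

The row to look at is staff without superuser: the quoted check grants access, the stricter one does not.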