发表新帖
发表新帖

How to restrict Django Rest Framework browsable API interface to admin users

前端 未结
关注
3 646
执笔经年
执笔经年 2021-02-07 08:36

I\'m developing a Django Rest Framework backend for a mobile app. The API is private and will only ever be used internally.

The browsable API is convenient for helping d

相关标签:
3条回答
  • 猫巷女王i
    2021-02-07 08:52

    In rest_framework views we have a attribute called renderes_classes Usually we have a method get_<something> as we do with queryset/get_queryset but in this case we didn't have that, so i needed to implement a property.

    from tasks.models import Task
from tasks.serializers import TaskSerializer

from rest_framework.generics import ListAPIView
from rest_framework.permissions import IsAuthenticatedOrReadOnly
from rest_framework.renderers import CoreJSONRenderer


class CustomRendererView:
    permission_classes = (IsAuthenticatedOrReadOnly,)

    @property
    def renderer_classes(self):
        renderers = super(ListTask, self).renderer_classes

        if not self.request.user.is_staff:
            renderers = [CoreJSONRenderer]

        return renderers


class ListTask(CustomRendererView, ListAPIView):
    queryset = Task.objects.all()
    serializer_class = FullTaskSerializer
    0 讨论(0)
  • 梦毁少年i
    2021-02-07 08:54

    Is `DEFAULT_PERMISSION_CLASSES' setting not enough? This sets a default restriction on all views DRF docs on default permission classes

    In settings.py:

    REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAdminUser',
    ]
}

    They will 'reach' the browsable interface but all types of requests will be denied if not authorized.

    If for some reason various end-points needed to be reached by non-admin users, you could loosen the restriction on a view-by-view basis.

    0 讨论(0)
  • 梦谈多话
    2021-02-07 09:10

    Assuming you're using DRF's built in views, I think you can just override get_renderers().

    In your settings file:

    REST_FRAMEWORK = {
    # Only enable JSON renderer by default.
    'DEFAULT_RENDERER_CLASSES': [
        'rest_framework.renderers.JSONRenderer',
    ],
}

    And then in your views.py:

    from rest_framework import generics, renderers

class StaffBrowsableMixin(object):
    def get_renderers(self):
        """
        Add Browsable API renderer if user is staff.
        """
        rends = self.renderer_classes
        if self.request.user and self.request.user.is_staff:
            rends.append(renderers.BrowsableAPIRenderer)
        return [renderer() for renderer in rends]

class CustomListApiView(StaffBrowsableMixin, generics.ListAPIView):
    """
    List view.
    """
    # normal stuff here
    0 讨论(0)
 看不清?
提交回复
热议问题