How to restrict Django Rest Framework browsable API interface to admin users

Front-end | Unresolved | 3 | 651
执笔经年 2021-02-07 08:36

I'm developing a Django Rest Framework backend for a mobile app. The API is private and will only ever be used internally.

The browsable API is convenient for helping d

3 answers
  • 2021-02-07 08:52

    In rest_framework views we have an attribute called renderer_classes. Usually we have a method get_<something>, as we do with queryset/get_queryset, but in this case we didn't have that, so I needed to implement a property.

    from tasks.models import Task
    from tasks.serializers import TaskSerializer
    
    from rest_framework.generics import ListAPIView
    from rest_framework.permissions import IsAuthenticatedOrReadOnly
    from rest_framework.renderers import CoreJSONRenderer
    
    
    class CustomRendererView:
        permission_classes = (IsAuthenticatedOrReadOnly,)
    
        @property
        def renderer_classes(self):
            # Class-level renderer list of the next class in the MRO
            # (APIView takes it from DEFAULT_RENDERER_CLASSES).
            renderers = super().renderer_classes
    
            # Non-staff users get a single non-browsable renderer.
            # CoreJSONRenderer needs the coreapi package installed.
            if not self.request.user.is_staff:
                renderers = [CoreJSONRenderer]
    
            return renderers
    
    
    class ListTask(CustomRendererView, ListAPIView):
        queryset = Task.objects.all()
        serializer_class = TaskSerializer  # the imported serializer; FullTaskSerializer was never defined
    
  • 2021-02-07 08:54

    Is the `DEFAULT_PERMISSION_CLASSES` setting not enough? This sets a default restriction on all views. DRF docs on default permission classes

    In settings.py:

    REST_FRAMEWORK = {
        'DEFAULT_PERMISSION_CLASSES': [
            'rest_framework.permissions.IsAdminUser',
        ]
    }
    

    They will 'reach' the browsable interface but all types of requests will be denied if not authorized.

    If for some reason various end-points needed to be reached by non-admin users, you could loosen the restriction on a view-by-view basis.

  • 2021-02-07 09:10

    Assuming you're using DRF's built-in views, I think you can just override get_renderers().

    In your settings file:

    REST_FRAMEWORK = {
        # Only enable JSON renderer by default.
        'DEFAULT_RENDERER_CLASSES': [
            'rest_framework.renderers.JSONRenderer',
        ],
    }
    

    And then in your views.py:

    from rest_framework import generics, renderers
    
    class StaffBrowsableMixin(object):
        def get_renderers(self):
            """
            Add Browsable API renderer if user is staff.
            """
            # Copy first: self.renderer_classes is the class-level list shared
            # by every request, so appending to it directly would leave the
            # browsable renderer switched on for all later (non-staff) requests.
            rends = list(self.renderer_classes)
            if self.request.user and self.request.user.is_staff:
                rends.append(renderers.BrowsableAPIRenderer)
            return [renderer() for renderer in rends]
    
    class CustomListApiView(StaffBrowsableMixin, generics.ListAPIView):
        """
        List view.
        """
        # normal stuff here
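The mutable-list pitfall in the last answer's `get_renderers()`, as an added example that is not part of any answer here: a Django-free stand-in for the view and renderer classes (names borrowed from DRF's API, behaviour simplified) showing how a shared class attribute carries the browsable renderer into the next user's request, and the per-request copy that prevents it.

```python
# Added example, not code from any answer above: a Django-free model of the
# get_renderers() hook showing why `self.renderer_classes.append(...)` leaks
# the browsable renderer to every later request, and the copy-first fix.
from types import SimpleNamespace


class JSONRenderer: ...          # stand-in for rest_framework.renderers.JSONRenderer
class BrowsableAPIRenderer: ...  # stand-in for rest_framework.renderers.BrowsableAPIRenderer


class BaseView:
    """Stand-in for APIView: renderer_classes is one list shared by all requests."""
    renderer_classes = [JSONRenderer]

    def __init__(self, user):
        self.request = SimpleNamespace(user=user)  # DRF sets self.request per call


class LeakyStaffMixin:
    def get_renderers(self):
        rends = self.renderer_classes           # alias of the class attribute
        if self.request.user and self.request.user.is_staff:
            rends.append(BrowsableAPIRenderer)   # mutates the shared list
        return [r() for r in rends]


class SafeStaffMixin:
    def get_renderers(self):
        rends = list(self.renderer_classes)     # per-request copy
        if self.request.user and self.request.user.is_staff:
            rends.append(BrowsableAPIRenderer)
        return [r() for r in rends]


class LeakyView(LeakyStaffMixin, BaseView):
    renderer_classes = [JSONRenderer]  # own list so the two views don't share one


class SafeView(SafeStaffMixin, BaseView):
    renderer_classes = [JSONRenderer]


def renderer_names(view_cls, users):
    """Simulate sequential requests and return the renderer names each one got."""
    return [[type(r).__name__ for r in view_cls(u).get_renderers()] for u in users]


STAFF = SimpleNamespace(is_staff=True)   # constructed sample users
ANON = SimpleNamespace(is_staff=False)
```

Running `renderer_names(LeakyView, [ANON, STAFF, ANON])` shows the third (anonymous) request receiving the browsable renderer; the same sequence against `SafeView` keeps anonymous requests JSON-only.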