How can I disable authentication for GET method in django modelviewset? - django-rest-framework

I have written one router url and modelviewset like below:
**router.register(r'TestViewSet', views.TestViewSet)
**class TestViewSet(viewsets.ModelViewSet): queryset = Test.objects.all() serializer_class = TestSerializer
for this class, I want to disable authentication for GET method.
Pls give some solution

Well to disable authentication only on the GET method of the ModelViewSet, we are required to override the permission class based on the HTTP method.
To achieve this, try following
from rest_framework import permissions
...
class TestViewSet(viewsets.ModelViewSet):
...
def get_permissions(self):
"""Returns the permission based on the type of action"""
if self.action == "list":
return [permissions.AllowAny()]
return [permissions.IsAuthenticated()]
In the above code, we are checking of the action (assuming you want to allow anyone to see the list, and limit who can perform other actions).
So if the action is list (HTTP method GET) it will allow anyone to access otherwise it will check for authentication.
Hope this answers your question.

Related

How to use django groups and perms in django-rest-framework

How to handle complex required permissions in any API using django-rest-framework?
For example, you have three tier support operators who have access to APIs, but they should only have access to respective endpoint and as the last tier, superadmin should have everything in hands.
How to solve this simple problem by django group and permissions?
There are lots of answers being related to AND or OR the perms in permission_classes like
def get_permissions(self):
return (
IsAuthenticated & (IsCommitteeHead|IsCommitteeMember|IsAdminUser)
)()
or
permission_classes = [IsAuthenticated &(IsCommitteeHead|IsCommitteeMember|IsAdminUser)]
but I think hard coding always makes the code a complete mess!
Create new permission model permission from django base model permission like this:
from rest_framework.permissions import DjangoModelPermissions
class FullDjangoModelPermissions(DjangoModelPermissions):
perms_map = {
'GET': ['%(app_label)s.view_%(model_name)s'],
'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
'HEAD': ['%(app_label)s.view_%(model_name)s'],
'POST': ['%(app_label)s.add_%(model_name)s'],
'PUT': ['%(app_label)s.change_%(model_name)s'],
'PATCH': ['%(app_label)s.change_%(model_name)s'],
'DELETE': ['%(app_label)s.delete_%(model_name)s'],
}
And in view class like this:
class SomeAwuful(GenericAPIView):
...
permission_classes = [FullDjangoModelPermissions]
...
Then you can go in Django admin dashboard and set who has access to what, or creating group to access features, like this:

Django rest framework XLSX renderer + Apiview

I'm setting up an endpoint on my API which should return a XLSX-file. The DRF-docs mention https://github.com/wharton/drf-renderer-xlsx as the main external rendering package, aside from the pandas which also seem to be able to render XLSX.
In their code example they use a ReadOnlyViewset paired with a mixin, but there is no mention of how it's used with APIViews. Still, I would like to use an APIView as shown by this https://harshahegde.dev/rendering-xlsx-files-in-django-rest-framework-ckagk293p00eumks1bf4dlhie
However..
This works great when using CURL or Postman, but when done through a browser I get this error:
'Request' object has no attribute 'accepted_renderer'
From what I understand this is because there is no Accept header set (e.g 'Accept':'application/xlsx')
I fixed this by removing the Mixin from the renderer_classes, so it simply returns a file called "xlsx" but I can't figure out how to set the filename without the mixin. How do I set the filename using an APIView trying to access the URL from a browser?
My view:
class SomedataXlsx(APIView):
renderer_classes = [XLSXRenderer, JSONRenderer]
def get(self, request):
queryset = Somedata.objects.all()
serializer = SomeDataSerializer(queryset, many=True)
return Response(serializer.data)
Looking at the mixin code it became clear they change the content-disposition header, and so since the DRF Response() takes a header argument I tried changing it, and it worked perfectly.
class SomedataXlsx(APIView):
renderer_classes = [XLSXRenderer, JSONRenderer]
def get(self, request):
user_sub_fund_data = Somedata.objects.all()
serializer = SomeDataSerializer(queryset, many=True)
return Response(serializer.data, headers={"content-disposition":"attachment; filename=mynewfilename.xlsx"})

Parameters URL with DRF routers

I'm using Django Rest Framework for created a API. In this project i want to capture parameters in the URL. For example i want to capture the username and password of a user and my idea is like this:
http://localhost:8000/accounts/login/?unsername=username&password=password
But i cant, I' usin routers and django-filter, but i cant get the parameters url. My project files are there:
view.py:
class AccountsData(viewsets.ModelViewSet):
queryset = models.UserData.objects.all()
serializer_class = serializers.AccountsDataSerializer
permission_classes = (IsAuthenticated,)
filter_backends = (filters.DjangoFilterBackend,)
filterset_fields = ['username', 'password']
lookup_url_kwarg = 'username'
#action(methods=['get'], detail=True, url_name='login', url_path='login')
def login(self, request, pk=None):
return Response({"Login successfully"}, 200)
urls.py:
from api import views
router = routers.SimpleRouter()
router.register(r'accounts', views.AccountsData)
Request query parameters have nothing to do with routing, they are passed with the request independently of how you configure the route. You have access to them in request.query_params, for example, request.query_params.get('username') would get the value of the username parameter.
Being said that, your idea has a terrible mistake: password or any kind of confidential data should NEVER go in query parameters, you should use an http verb that carries the data in its body (POST, for example).

drf custom response to override Response()

I'm using DRF and to return response, I used Response() which located at from rest_framework.response import Response
To make custom response, first, I copied all of the source to custom file.
And in my views, I changed Response() to my own file.
But when I running django server and access via web, it through errors.
AssertionError: .accepted_renderer not set on Response
I just copied original Repsonse() and re-use it.
Why it occur errors?
Purpose of custom response is I want to add more argument that something likes cursor for pagination.
As you know that in original Response, takes 6 arguments.
def __init__(self, data=None, status=None,
template_name=None, headers=None,
exception=False, content_type=None):
And return it in def rendered_content(self), line of ret = renderer.render(self.data, accepted_media_type, context)
So my scenario is, add cursor to __init__ and pass through it to renderer.render().
Any problem with my way?
Thanks.

"Method \"POST\" not allowed." Django REST

I am new to django rest framework. I have an api to get corresponding token for each user. The method defined to access token is
class ObtainAuthToken(APIView):
def post(self, request):
user = authenticate(
username=request.data['username'], password=request.data['password'])
if user:
token, created = Token.objects.get_or_create(user=user)
return Response({'token': token.key, 'user': UserSerializer(user).data})
return Response('Invalid username or password', status=status.HTTP_400_BAD_REQUEST)
and in urls.py i have
url(r'^login/$',ObtainAuthToken, name='login')
But while logging in a user, i am getting the response as
{
"detail": "Method \"POST\" not allowed."
}
Where did i went wrong?
First of all - I see that you used the django-rest-auth tag. Are you actually using rest auth? If not - you should definitely consider doing it as it provides a ton of auth functionality out of the box.
As to your question, you forgot to call as_view() on ObtainAuthToken in your url conf. Change it like so and tell me if it works:
url(r'^login/$', ObtainAuthToken.as_view(), name='login')
You have the wrong indentation in your code. The post method needs to be inside the ObtainAuthToken(APIView) class. Right now is defined as a standalone function.

Resources