根据
在常规APIView上,您通过属性permission_classes设置了权限:
from rest_framework.permissions import IsAdminUser
from rest_framework.response import Response
from rest_framework.views import APIView
class ExampleView(APIView):
permission_classes = [IsAdminUser]
def get(self, request, format=None):
content = {
'status': 'request was permitted'
}
return Response(content)
我想将对APIRoot视图(可浏览的API)的访问权限限制为仅管理员用户。我尝试通过
from rest_framework.permissions import IsAdminUser
from rest_framework.views import APIView
class APIRootView(APIView):
permission_classes = [IsAdminUser]
没有成功:|普通用户(is_staff=false)仍可以导航到可浏览的API ...
一些建议使其生效?
is_staff=false)不应访问可浏览的API。我的理解是APIRootView是DefaultRouter的默认基本根视图(必须用于可浏览的API)-> https://github.com/encode/django-rest-framework/blob/master/rest_framework/routers.py#L291
# settings.py
...
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': ['rest_framework.authentication.SessionAuthentication'],
'DEFAULT_PERMISSION_CLASSES': ['rest_framework.permissions.IsAuthenticated'],
}
...
一种方法是使用DRF的渲染器设置和方法。
在您的settings.py中:
REST_FRAMEWORK = {
# Only enable JSON renderer by default.
'DEFAULT_RENDERER_CLASSES': [
'rest_framework.renderers.JSONRenderer',
],
}
以及您的views.py:
from rest_framework import generics, renderers
class StaffBrowsableMixin(object):
def get_renderers(self):
"""
Add Browsable API renderer if user is staff.
"""
rends = self.renderer_classes
if self.request.user and self.request.user.is_staff:
rends.append(renderers.BrowsableAPIRenderer)
return [renderer() for renderer in rends]
class CustomListApiView(StaffBrowsableMixin, generics.ListAPIView):
"""
List view.
"""
# normal stuff here
基本上,对于要为职员启用BrowsableAPI的任何StaffBrowsableMixin,请使用APIView。>
类似的问题,正如上面评论中的链接,我的回答也是如此:https://stackoverflow.com/a/58762483/4599228