如何管理访问Django REST API的权限？ [英] How are permissions to access to Django REST API managed?

问题描述

我正在构建一个公开一个REST API的Django应用程序，用户可以通过该API访问我的应用程序的模型。我遵循说明 此处 。

下面您可以看到我从命令行中点击了各种用户名/密码。
但是，它只适用于使用root用户和密码。为什么？我该怎么改呢？我没有指定此API仅适用于root用户。我想要它公开发布

 ％curl -H'Accept：application / json; indent = 4'-u root：myRootPassword http://127.0.0.1:3001/api/profiles/60/ 
 {
id：60，
slug：my_user ，
user：http://127.0.0.1:3001/api/users/16/
} 
 
％curl -H'Accept：application / JSON; indent = 4'http://127.0.0.1:3001/api/users/16/ 
 {
detail：未提供验证凭据。 
} 
 
％curl -H'Accept：application / json; indent = 4'-u myUser：myPassword http://127.0.0.1:3001/api/profiles/60/ 
 {
detail：您没有执行此操作的权限。 
} 
 
％curl -H'Accept：application / json; indent = 4'-u myUser：myPassword http://127.0.0.1:3001/api/profiles/60/ 
 {
detail：无效的用户名/密码
} 
  

解决方案

在您的APIView中，或者您的ModelViewSet做

  permission_classes = [] 
  

或

  permission_classes = [rest_framework.permissions.AllowAny] 
  pre> 
 
 
这将使其公开可用于任何一个。这是因为所有的modeviewets / viewsets /或APIView都来自APIView，它将权限类设置为
  permission_classes = api_settings.DEFAULT_PERMISSION_CLASSES 
  
我猜你在这种情况下只是一个超级用户。 
 
 
 
 OK只是看了你所追踪的指南。如果您查看您的设置，请执行以下操作：
  REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES'：（'rest_framework.permissions.IsAdminUser' ），
'PAGINATE_BY'：10 
} 
  
您设置默认权限课程只能是管理员。所以你可以做我之前建议的并覆盖默认权限，或者将IsAdminUser更改为
  REST_FRAMEWORK = {
 'DEFAULT_PERMISSION_CLASSES'：（'rest_framework.permissions.AllowAny'，），
'PAGINATE_BY'：10 
} 
  
祝你好运，django-rest-framework是惊人的。 
 
I am building a Django application that exposes a REST API by which users can query my application's models. I'm following the instructions here.

Below you can see me hitting this API from the command line with various username/passwords.
However, it only works If I use the root user and password. Why? How do I change that? I have not specified anywhere that this API is only available to the root user. I want it to be publicly available
% curl -H 'Accept: application/json; indent=4' -u root:myRootPassword http://127.0.0.1:3001/api/profiles/60/
{
    "id": 60,
    "slug": "my_user",
    "user": "http://127.0.0.1:3001/api/users/16/"
}

% curl -H 'Accept: application/json; indent=4' http://127.0.0.1:3001/api/users/16/
{
    "detail": "Authentication credentials were not provided."
}

% curl -H 'Accept: application/json; indent=4'  -u myUser:myPassword http://127.0.0.1:3001/api/profiles/60/
{
    "detail": "You do not have permission to perform this action."
}

% curl -H 'Accept: application/json; indent=4'   -u myUser:myPassword http://127.0.0.1:3001/api/profiles/60/
{
    "detail": "Invalid username/password"
}

解决方案
In your APIView, or your ModelViewSet do
permission_classes = []
or
permission_classes = [rest_framework.permissions.AllowAny]
This will make it publicaly available for any one. This is because all modeviewsets/viewsets/ or APIViews all inheirit from APIView which sets the permission classes to 
permission_classes = api_settings.DEFAULT_PERMISSION_CLASSES
Which I'm guessing in your case is only a superuser. 

OK Just looked at the guide you're following. If you look at your settings 
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.IsAdminUser',),
    'PAGINATE_BY': 10
}
Your setting the default permission class to be only admins.  So you can either do what I suggested earlier and override the default permissions, or change IsAdminUser to 
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.AllowAny',),
    'PAGINATE_BY': 10
}
Good luck, django-rest-framework is amazing. 

                        
这篇关于如何管理访问Django REST API的权限？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！