如何管理访问Django REST API的权限? [英] How are permissions to access to Django REST API managed?
问题描述
我正在构建一个公开一个REST API的Django应用程序,用户可以通过该API访问我的应用程序的模型。我遵循说明 此处 。
下面您可以看到我从命令行中点击了各种用户名/密码。
但是,它只适用于使用root用户和密码。为什么?我该怎么改呢?我没有指定此API仅适用于root用户。我想要它公开发布
%curl -H'Accept:application / json; indent = 4'-u root:myRootPassword http://127.0.0.1:3001/api/profiles/60/
{
id:60,
slug:my_user ,
user:http://127.0.0.1:3001/api/users/16/
}
%curl -H'Accept:application / JSON; indent = 4'http://127.0.0.1:3001/api/users/16/
{
detail:未提供验证凭据。
}
%curl -H'Accept:application / json; indent = 4'-u myUser:myPassword http://127.0.0.1:3001/api/profiles/60/
{
detail:您没有执行此操作的权限。
}
%curl -H'Accept:application / json; indent = 4'-u myUser:myPassword http://127.0.0.1:3001/api/profiles/60/
{
detail:无效的用户名/密码
}
在您的APIView中,或者您的ModelViewSet做
permission_classes = []
或
permission_classes = [rest_framework.permissions.AllowAny]
pre>
这将使其公开可用于任何一个。这是因为所有的modeviewets / viewsets /或APIView都来自APIView,它将权限类设置为
permission_classes = api_settings.DEFAULT_PERMISSION_CLASSES
我猜你在这种情况下只是一个超级用户。
OK只是看了你所追踪的指南。如果您查看您的设置,请执行以下操作:
REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES':('rest_framework.permissions.IsAdminUser' ),
'PAGINATE_BY':10
}
您设置默认权限课程只能是管理员。所以你可以做我之前建议的并覆盖默认权限,或者将IsAdminUser更改为
REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES':('rest_framework.permissions.AllowAny',),
'PAGINATE_BY':10
}
祝你好运,django-rest-framework是惊人的。
I am building a Django application that exposes a REST API by which users can query my application's models. I'm following the instructions here.
Below you can see me hitting this API from the command line with various username/passwords. However, it only works If I use the root user and password. Why? How do I change that? I have not specified anywhere that this API is only available to the root user. I want it to be publicly available
% curl -H 'Accept: application/json; indent=4' -u root:myRootPassword http://127.0.0.1:3001/api/profiles/60/ { "id": 60, "slug": "my_user", "user": "http://127.0.0.1:3001/api/users/16/" } % curl -H 'Accept: application/json; indent=4' http://127.0.0.1:3001/api/users/16/ { "detail": "Authentication credentials were not provided." } % curl -H 'Accept: application/json; indent=4' -u myUser:myPassword http://127.0.0.1:3001/api/profiles/60/ { "detail": "You do not have permission to perform this action." } % curl -H 'Accept: application/json; indent=4' -u myUser:myPassword http://127.0.0.1:3001/api/profiles/60/ { "detail": "Invalid username/password" }
解决方案In your APIView, or your ModelViewSet do
permission_classes = []
or
permission_classes = [rest_framework.permissions.AllowAny]
This will make it publicaly available for any one. This is because all modeviewsets/viewsets/ or APIViews all inheirit from APIView which sets the permission classes to
permission_classes = api_settings.DEFAULT_PERMISSION_CLASSES
Which I'm guessing in your case is only a superuser.
OK Just looked at the guide you're following. If you look at your settings
REST_FRAMEWORK = { 'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.IsAdminUser',), 'PAGINATE_BY': 10 }
Your setting the default permission class to be only admins. So you can either do what I suggested earlier and override the default permissions, or change IsAdminUser to
REST_FRAMEWORK = { 'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.AllowAny',), 'PAGINATE_BY': 10 }
Good luck, django-rest-framework is amazing.
这篇关于如何管理访问Django REST API的权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!