{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 看我几分像从前 的问题《How to disable admin-style browsable interface of》','https://www.manongdao.com/q-178216.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am using django-rest-framework. It provides an awesome Django admin style browsable self-documenting API. But anyone can visit those pages and use the interface to add data (POST). How can I disable it?
相关问题
- Django __str__ returned non-string (type NoneType)
- Django & Amazon SES SMTP. Cannot send email
- Django check user group permissions
- Django restrict pages to certain users
- UnicodeEncodeError with attach_file on EmailMessag
相关文章
- Profiling Django with PyCharm
- Why doesn't Django enforce my unique_together
- MultiValueDictKeyError in Django admin
- Django/Heroku: FATAL: too many connections for rol
- Serialise choice text for IntegerField with choice
- Django is sooo slow? errno 32 broken pipe? dcramer
- Django: Replacement for the default ManyToMany Wid
- Upgrading transaction.commit_manually() to Django
You just need to remove the browsable API renderer from your list of supported renderers for the view.
You can do this globally like so:
Or on a per-view basis like so:
Aside: In many cases I think it's a shame that folks would choose to disable the browsable API in any case, as it's a big aid to any developers working on the API, and it doesn't give them more permissions that they would otherwise have. I can see that there might be business reasons for doing so in some cases, but generally I'd consider it a huge asset.
Remove the
'rest_framework.renderers.BrowsableAPIRenderer',from the'DEFAULT_RENDERER_CLASSES'in your settingsWhile the accepted answer to this question does answer the question as it was worded, I feel that it does not solve the actual issue at hand.
For completeness in this answer, disabling the browseable HTML api is done by removing it from the renderer classes like so:
However, the actual issue the question alludes to is people being able to post to the API without authentication. While removing the form makes it less obvious, this answer does not protect the API endpoints.
At minimum, someone finds this question and is looking to protect the API from unauthenticated, or unauthorised POST submissions; the are looking to change the API Permissions
The following will set all endpoints to be read only unless the user is authenticated.
If you would like to completely hide the API unless the user is logged in, you could also use
IsAuthenticated.FYI: This will also remove the form from the HTML browseable API as it responds to permissions. When an authenticated user logs in, the form will be available again.
Bonus Round:
Only enable the browseable HTML API in dev:
Just Add this to your Settings.py should disable the Browsable API!