Reputation: 1284
Restricting Django-Rest-Framework default CRUD operations to only GET and restricting POST, PUT and DELETE
I am using Django-Rest-Framework. While following along the tutorial I was able to make CRUD APIs by defining a ModelResource. Now, I want to limit access by providing APIs for just GET and not provide access for POST, PUT or DELETE. I tried
allowed_methods = ('GET')
But that doesn't do anything. Also, I tried to override the delete function of ModelResource but it doesn't do anything either and delete still works.
Seems to be straight forward thing, but I havent been able to figure it out even after spending a couple of hours on it.
Upvotes: 1
Views: 1691
Answers (3)
Reputation: 6840
Maybe you are using something like this:
resources.py
from djangorestframework.resources import ModelResource
from .models import Menu
class MenuResource(ModelResource):
model = MenuOfTheDay
allowed_methods = ('GET', )
urls.py
from djangorestframework.views import ListOrCreateModelView, InstanceModelView
from .resources import MenuResource
urlpatterns += patterns('',
url(r'^api/menu/$', ListOrCreateModelView.as_view(resource=MenuResource), name='menu-resource-root'),
url(r'^api/menu/(?P<pk>[0-9]+)/$', InstanceModelView.as_view(resource=MenuResource)),
)
allowed_methods won't be useful if is in a Resource subclass, it should be in a View subclass like in ListModelView class, so if you change your urls.py with this:
from djangorestframework.views import ListModelView, InstanceModelView
from .resources import MenuResource
urlpatterns += patterns('',
url(r'^api/menu/$', ListModelView.as_view(resource=MenuResource), name='menu-resource-root'),
url(r'^api/menu/(?P<pk>[0-9]+)/$', InstanceModelView.as_view(resource=MenuResource)),
)
it will work fine :)
Upvotes: 1
Reputation: 2323
You need to do something like this:
from djangorestframework.mixins import ReadModelMixin, UpdateModelMixin
from djangorestframework.views import ModelView
from djangorestframework.response import Response
from resources import MyResource
class MyResourceInstanceView(ReadModelMixin, ModelView):
resource = MyResource
Basicaly this is replacing the use of InstanceModelView, which implements also the Put, Update and Delete mixins.
Upvotes: 1
Reputation: 3057
Just saw this. You have a small error in your code. Instead of:
allowed_methods = ('GET')
Write
allowed_methods = ('GET',)
Note the trailing comma, this is to make python treat it as a list with one string instead of a list with three characters. Due to the fact that python treats a string as a list of characters, the first row evaluates to the list ('G','E','T') and none of those methods are available on your class.
Upvotes: 3
Related Questions
- How to customize DjangoModelPermissions to deny GET, HEAD and OPTIONS requests
- Django REST framework restrict posting and browsable Api-fields
- django-rest-framework limit the allowed_methods to GET
- How to control allowed methods in Django Rest Framework?
- How to restrict fields when creating post request in DRF?
- django rest framework - allow only certain methods
- Allow only update in Django rest api framework
- How to support all REST operations for an endpoint in django rest framework
- Allow permission for get method for all users and allow post method for super user only in django rest api
- Django REST framework: restricting user access for objects