I am using IsAuthenticated permission by default and let's say I do not want to change the default permission. Is it possible to give permission of AllowAny to a specific URL?
urlpatterns = [
    path('admin/', admin.site.urls),
    path('api/', include('user.urls')),
    path('api/section/', include('section.urls')),
    path('docs/', include_docs_urls(title='Great Soft Uz')),  # I want this url to be public
]
Thanks in Advance
The include_docs_urls function has a parameter with a default value like this:
permission_classes=api_settings.DEFAULT_PERMISSION_CLASSES
def include_docs_urls(
        title=None, description=None, schema_url=None, urlconf=None,
        public=True, patterns=None, generator_class=SchemaGenerator,
        authentication_classes=api_settings.DEFAULT_AUTHENTICATION_CLASSES,
        permission_classes=api_settings.DEFAULT_PERMISSION_CLASSES,
        renderer_classes=None):
    # this is the declaration of the function
    ...
The default behavior is to extend the value of DEFAULT_PERMISSION_CLASSES from your settings, but you can override it like this:
from django.urls import path
from rest_framework.documentation import include_docs_urls
from rest_framework.permissions import AllowAny
urlpatterns = [
    path('docs/', include_docs_urls(title='Great Soft Uz', permission_classes=[AllowAny], authentication_classes=[])),
]
Related
I am trying to implement permission checking mechanism in URLs for a request using wildcard techniques, rather than implement permission checking on each views.
Currently what I have is:
urlpatterns = [
    path('admin/', include('admin_urls.py')),
    ...
]
and my admin_urls.py is as follows
urlpatterns = [
    path('', ViewSpaceIndex.as_view(), name="admin_index"),
    path('', EmployeeView.as_view(), name="employee"),
    ...
]
and views are as follows
@method_decorator(admin_required, name='dispatch')
class EmployeeView(TemplateView):
    template_name = 'secret.html'
@method_decorator(admin_required, name='dispatch')
class EmployeeView(TemplateView):
    template_name = 'secret.html'
What I want to achieve is, without using the repeated @method_decorator(admin_required, name='dispatch') decorator in every view, to apply the permission to a wildcard URL '/admin/**' with admin_required permission, like in Spring Boot, as follows.
http.authorizeRequests()
    .antMatchers("/admin/**").has_permission("is_admin")
You can do this in your project root url like this:
from .my_custom_decorators import admin_required
urlpatterns = [
    path('admin/', admin_required(include('admin_urls.py'))),
    ...
]
I don't know whether this will work or not, but you can try.
The login_required decorator takes the URL directly from settings.LOGIN_URL. How can I specify the login URL with the login_url parameter? Is it possible to specify both login_url and TemplateView.as_view() in the login_required decorator?
urlpatterns = [
    url(r'^$', login_required(TemplateView.as_view(template_name='foo_index.html'))),
]
Use the login_url argument of the login_required function:
from django.conf.urls import url
from django.contrib.auth.decorators import login_required
from django.views.generic import TemplateView
urlpatterns = [
    url(r'^$', login_required(
        TemplateView.as_view(template_name='foo_index.html'),
        login_url='/custom/login/url/')),
]
Yes you can. You can take a look at django source code and the implementation of login_required:
def login_required(function=None, redirect_field_name=REDIRECT_FIELD_NAME, login_url=None):
    ...
The first param is your view, and the other 2 params you can input as they are. Like so:
urlpatterns = [
    url(r'^$', login_required(TemplateView.as_view(template_name='foo_index.html'), login_url='/your_url/login')),
]
I am using Django rest auth for user account handling. For updating user info I have created custom endpoints, so I don't need the django-rest-auth generated endpoints /rest-auth/user/ (GET, PUT, PATCH). How can I remove these endpoints?
urls.py
urlpatterns = [
    path('', include("rest_auth.urls"), name="user-auth"),
    path('register', include('rest_auth.registration.urls'), name="user-auth-registration"),
    path('<uid>/', views.UserProfileView.as_view(), name="user-profile"),
]
Edit
I want to use all other urls of rest-auth like login, register, etc. But I just don't want the /rest-auth/user/ as described here.
@bodoubleu's answer didn't work, so I added them manually.
from django.urls import include, path
from rest_auth.views import (
    LoginView, LogoutView, PasswordChangeView,
    PasswordResetView, PasswordResetConfirmView
)
urlpatterns = [
    path('register', include('rest_auth.registration.urls'), name="user-auth-registration"),
    path('login', LoginView.as_view(), name="user-login"),
    path('logout', LogoutView.as_view(), name='user-logout'),
    path('password/change/', PasswordChangeView.as_view(), name='rest_password_change'),
    path('password/reset', PasswordResetView.as_view(), name='rest_password_reset'),
    path('password/reset/confirm/', PasswordResetConfirmView.as_view(), name='rest_password_reset_confirm'),
    path('<uid>/', views.UserProfileView.as_view(), name="user-profile"),
]
Untested but this should work.
urlpatterns = [
    path('user/', django.views.defaults.page_not_found),
    path('', include("rest_auth.urls"), name="user-auth"),
    path('register', include('rest_auth.registration.urls'), name="user-auth-registration"),
    path('<uid>/', views.UserProfileView.as_view(), name="user-profile"),
]
If not you can manually define all the rest_auth.urls in your url patterns
I'm trying to use allauth and rest-auth in my project and am trying to use the built-in function in allauth to do email verification, but this is what I get:
and here is my code
settings.py
ACCOUNT_EMAIL_VERIFICATION = 'mandatory'
ACCOUNT_EMAIL_REQUIRED = True
urls.py
urlpatterns = [
    re_path(r'^', include('rest_auth.urls')),
    re_path(r'^registration/', include('rest_auth.registration.urls')),
]
I found the solution: I have to add a URL to be able to make a POST request to the backend to send the email, then a URL with a regex that has the token that will verify the account, and add a URL for login with the name account_login and a URL for register with the name account_signup, like this:
from django.urls import include, path, re_path
from rest_auth.views import LoginView
from rest_auth.registration.views import VerifyEmailView, RegisterView
urlpatterns = [
    path('', include('rest_auth.urls')),
    path('login/', LoginView.as_view(), name='account_login'),
    path('registration/', include('rest_auth.registration.urls')),
    path('registration/', RegisterView.as_view(), name='account_signup'),
    re_path(r'^account-confirm-email/', VerifyEmailView.as_view(),
            name='account_email_verification_sent'),
    re_path(r'^account-confirm-email/(?P<key>[-:\w]+)/$', VerifyEmailView.as_view(),
            name='account_confirm_email'),
]
I had the same issue. I had already set up the URL for the email confirmation, but I forgot about the name parameter; it is mandatory.
from django.conf.urls import url, include
from dj_rest_auth.registration.views import VerifyEmailView
urlpatterns = [
    url('auth/', include('dj_rest_auth.urls')),
    url('auth/registration/', include('dj_rest_auth.registration.urls')),
    url('auth/account-confirm-email/', VerifyEmailView.as_view(), name='account_email_verification_sent'),
]
I would like to personalize the api_root list based on the current user's permissions, so that not all endpoints are visible to users of all levels.
Ex.:
router.register(r'users',views.UserViewSet, base_name='users')
router.register(r'groups', views.GroupViewSet, base_name='groups')
router.register(r'schedules', views.CallSchedulesViewSet, base_name='schedules')
urlpatterns = [
    url(r'^', include(router.urls)),
    ...
]
For "superuser" the list should be:
users
groups
schedules
But for "normaluser" the list should only be:
schedules
The routes are registered when the application starts. This does not happen on each call. So what you want may not be possible.
One thing you can do is to return a 404 Not Found error instead of a 403 unauthorized/access denied error for the URLs the user doesn't have access to. From the user's point of view that is as good as the routes not existing.
I have solved this using the following approach, maybe not the most elegant, but it serves as an example.
urls.py
router = routers.DefaultRouter()
router.register(r'users', views.UserViewSet, base_name='users')
router.register(r'groups', views.GroupViewSet, base_name='groups')
router.register(r'schedules', views.SchedulesViewSet, base_name='schedules')
urlpatterns = [
    url(r'^$', views.APIRoot.as_view()),
    url(r'', include(router.urls)),
    ...
]
views.py
from rest_framework.views import APIView
from rest_framework.response import Response
class APIRoot(APIView):
    """
    API Root ...
    """
    def get(self, request):
        data = {
            "users": "http://localhost:8000/users/",
            "groups": "http://localhost:8000/groups/",
            "schedules": "http://localhost:8000/schedules/",
        }
        if not request.user.is_superuser:
            data.pop("users")
            data.pop("groups")
        return Response(data)