How to restrict Django Rest Framework browsable API interface to admin users

I'm developing a Django Rest Framework backend for a mobile app. The API is private and will only ever be used internally.

The browsable API is convenient for helping developers working on the project but I would like to prevent anyone who's not set as an admin on the project from using the browsable interface.

I realize that the browsable admin doesn't grant any permissions that a user wouldn't otherwise have, but it does have some security gray areas (e.g. for models with a foreign key relationship, the HTML selector field gets populated with all the possible related objects in the DB unless you specifically instruct it not to).

Because this app handles sensitive user data, I'd prefer to expose the smallest surface area possible to the public to reduce the risk of my own potential mistakes or oversights.

Is there any way to disable the browsable API for non-admin users without disabling it for everyone? I've done a fair amount of Google searching and looked on SO and haven't found an answer. This question is close: "How to disable admin-style browsable interface of django-rest-framework?", but not the same, because those instructions disable the interface for everyone.

rogueleaderr asked Jul 19 '15 23:07


2 Answers

Is the `DEFAULT_PERMISSION_CLASSES` setting not enough? This sets a default restriction on all views (see the DRF docs on default permission classes).

In settings.py:

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAdminUser',
    ]
}

They will 'reach' the browsable interface but all types of requests will be denied if not authorized.

If for some reason various end-points needed to be reached by non-admin users, you could loosen the restriction on a view-by-view basis.

rkengler answered Sep 19 '22 09:09


Assuming you're using DRF's built-in views, I think you can just override get_renderers().

In your settings file:

REST_FRAMEWORK = {
    # Only enable JSON renderer by default.
    'DEFAULT_RENDERER_CLASSES': [
        'rest_framework.renderers.JSONRenderer',
    ],
}

And then in your views.py:

from rest_framework import generics, renderers

class StaffBrowsableMixin(object):
    def get_renderers(self):
        """
        Add the Browsable API renderer only if the requesting user is staff.
        Work on a copy of the class-level list: appending to
        self.renderer_classes itself would mutate the shared attribute and
        leak the browsable renderer to every later request, staff or not.
        """
        rends = list(self.renderer_classes)
        if self.request.user and self.request.user.is_staff:
            rends.append(renderers.BrowsableAPIRenderer)
        return [renderer() for renderer in rends]

class CustomListApiView(StaffBrowsableMixin, generics.ListAPIView):
    """
    List view.
    """
    # normal stuff here (queryset, serializer_class, ...)
    pass
getup8 answered Sep 19 '22 09:09
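The per-request copy of `renderer_classes` is the part of this approach that is easy to get wrong: appending to the shared class attribute means that once a single staff user has hit the view, every later request, including anonymous ones, is served the browsable API. The following added example (not the answerer's code or DRF's) reproduces both the leaky and the per-request variant with constructed stand-ins for DRF's request, user and renderer objects, so it runs without Django or DRF installed.

```python
# Added example: why staff-only renderer selection must copy the class-level
# list. The Request/User/renderer classes below are constructed stand-ins for
# DRF's objects (rest_framework.request.Request, django.contrib.auth User,
# rest_framework.renderers.*); the mixin logic itself is what a real DRF view
# would run in get_renderers().
from dataclasses import dataclass


class JSONRenderer:            # stand-in; DRF's JSONRenderer.format is "json"
    format = "json"


class BrowsableAPIRenderer:    # stand-in; DRF's BrowsableAPIRenderer.format is "api"
    format = "api"


@dataclass
class User:
    is_staff: bool


@dataclass
class Request:
    user: User


class LeakyStaffBrowsableMixin:
    """Appends to the shared class attribute: the browsable renderer sticks."""
    renderer_classes = [JSONRenderer]

    def __init__(self, request):
        self.request = request

    def get_renderers(self):
        rends = self.renderer_classes          # alias of the class list, not a copy
        if self.request.user and self.request.user.is_staff:
            rends.append(BrowsableAPIRenderer)  # mutates the class attribute
        return [r() for r in rends]


class StaffBrowsableMixin(LeakyStaffBrowsableMixin):
    """Builds a fresh list per request, so non-staff never get the browsable API."""
    renderer_classes = [JSONRenderer]          # separate list from the leaky class

    def get_renderers(self):
        rends = list(self.renderer_classes)    # copy per request
        if self.request.user and self.request.user.is_staff:
            rends.append(BrowsableAPIRenderer)
        return [r() for r in rends]


def formats_seen_by(view_cls, *is_staff_sequence):
    """Serve requests in order; return the renderer formats each request got."""
    return [[r.format for r in view_cls(Request(User(s))).get_renderers()]
            for s in is_staff_sequence]
```

Serving an anonymous, then a staff, then another anonymous request shows the difference: the leaky mixin hands the third request `["json", "api"]`, the copying one `["json"]`.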