1. 首页
  2. 问答
  3. 如何禁用Django的注册授权?

如何禁用Django的注册授权?

2017-06-02 85 views
1

我使用验证本:如何禁用Django的注册授权?

from rest_framework.authtoken import views as rest_auth_views 

url(r'^login/', rest_auth_views.obtain_auth_token)

一切工作正常,但为了创造新的帐户我在头什么是错的发送令牌。我使用这种视图创建新帐户:

@api_view(['GET', 'POST']) 
def UserList(request): 
    """ 
    List all snippets, or create a new snippet. 
    """ 
    if request.method == 'GET': 
     users = User.objects.all() 
     serializer = UserSerializer(users, many=True) 
     return Response(serializer.data) 

    elif request.method == 'POST': 
     serializer = UserSerializer(data=request.data) 
     if serializer.is_valid(): 
      serializer.save() 
      return Response(serializer.data, status=status.HTTP_201_CREATED) 
     return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

如何禁用用户注册验证?也许我的方法或想法是错误的? SOLUTION:

from rest_framework import permissions 

class CustomPermission(permissions.BasePermission): 

    def has_permission(self, request, view): 
     if request.method =='POST' or (request.user and request.user.is_authenticated() and request.user.is_superuser): 
      return True 
     return False 

@api_view(['GET', 'POST']) 
@permission_classes([CustomPermission]) 
def UserList(request): 
    """ 
    List all snippets, or create a new snippet. 
    """ 
    if request.method == 'GET': 
     users = User.objects.all() 
     serializer = UserSerializer(users, many=True) 
     return Response(serializer.data) 

    elif request.method == 'POST': 
     serializer = UserSerializer(data=request.data) 
     if serializer.is_valid(): 
      serializer.save() 
      return Response(serializer.data, status=status.HTTP_201_CREATED) 
     return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

来源

2017-06-02 wahtdbogh

+0

您能从一开始就展示您的整个视野​​吗?即从'def'行 –

+0

@AndreTerra我已更新我的帖子。 – wahtdbogh

回答

1

你可以导入AllowAny权限和类添加到视图,

from rest_framework.permissions import AllowAny 
from rest_framework.decorators import permisson_classes 

@api_view(['GET', 'POST']) 
@permission_classes([AllowAny]) 
def UserList(request): 
    """ 
    List all snippets, or create a new snippet. 
    """ 
    if request.method == 'GET': 
     users = User.objects.all() 
     serializer = UserSerializer(users, many=True) 
     return Response(serializer.data)

或者使用基于类的意见,

from rest_framwork.views import APIView 

class UserListView(APIView): 
    permission_classes = (AllowAny,) 

    def get(self, request, *args, **kwargs): 
     users = User.objects.all() 
     serializer = UserSerializer(users, many=True) 
     return Response(serializer.data) 

    def post(self, request, *args, **kwargs): 
     serializer = UserSerializer(data=request.data) 
     if serializer.is_valid(): 
      serializer.save() 
      return Response(serializer.data, status=status.HTTP_201_CREATED) 
     return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

由于@Andre兵马俑提到上述方法可能会危及一些行为,因为任何人都可以检索到t他使用GET请求的用户列表。

为了克服这个问题,我建议为视图编写自定义权限。它会是这样的,

class CustomPermission(BasePermission): 

    def has_permission(self, request, view): 
     if request.method =='POST' or (request.user and request.user.is_authenticated() and request.user.is_superuser): 
      return True 
     return False

现在,只有一个超级用户可以获得用户列表。

来源

2017-06-03 05:06:32 zaidfazil

+1

它的工作原理,再次感谢你。 – wahtdbogh

+1

感谢支持,兄弟! – zaidfazil

+0

@Wahtdbogh这些将允许未经过身份验证的用户使用GET列出每个用户,这可能会超出您允许此用户创建其帐户的初衷。我个人将UserList从UserCreate中分离出来,因为它们涉及不同的事情(每个用户与一个用户) –

相关问题

 相关问题