We've all been taught about RESTful API design. It does not take much to realize that these endpoints
POST /products/1/delete
POST /products/1...
Thanks! Nice post and nice idea. Unfortunately the issues are starting when you're starting to add some security or permissions.
For example you need to make GET method public and protect others. If you add permissions to the classes you've mapped, they simply would skip the permissions check from your classes as and would apply the permissions from ProductManageView only.
Still the idea of yours is nice!
P.S. Correct me if I'm mistaken about permissions :)
Fortunately, you are mistaken. You can very simply add a permission class to the view you want to protect and it works how you'd expect it.
Say we want only authorized users to delete our products. We'd simply add the IsAuthorized permission class to the delete view
Our new test
Passes!
I'm so glad I've asked about it! :) Thank you. Please consider adding the information about permissions to the main article, it's very useful. Thank you!
Done, thanks for the idea!
Thanks, your solution was very helpful to me.
In your example, I received 500 errors if a method does not allow
I replaced the Response method on the parent method call, where I got normal behaviour and error 405.
This now results in this error
AssertionError: Cannot apply DjangoModelPermissionsOrAnonReadOnly on a view that does not set `.queryset` or have a `.get_queryset()` method
This is what I ended up using:
I had the same issue and found that using a predefined Response type instead of the general Response class fixed it.
E.g.
I haven't tested others, but I assume this would work equally well with an HttpResponse or whichever.
Hi there,
I have one query with HTTP method calling on Url. I have created a class which is inherited from Viewset.
It has different functions to perform different CRUD operations. But when I call two HTTP methods on a single URL it doesn't reflect on Options and always goes for the GET method
Thanks a lot, I think this is not RESTful, why? You have the verb (delete, update) directly in the URL; for RESTful the verb must be performed with HTTP verbs.