I don't know how to return token if user is present in my database.
I have User model with login and password fields and I have created some users from dajngo admin site. In Urls i have registered slug:
path('api-token/', AuthToken, name = 'api-token')
Auth token class looks like that ( this is exapmple from rest-framework documentation).
class AuthToken(ObtainAuthToken):
def post(self, request, *args, **kwargs):
serializer = self.serializer_class(data=request.data,
context={'request': request})
serializer.is_valid(raise_exception=True)
user = serializer.validated_data['user']
token, created = Token.objects.get_or_create(user=user)
return Response({
'token': token.key,
})
I want to check if user exist in mu sql-lite database and if so, return the token. Unfortunattly I don't understand this code. Can somebody explain me what is it doing and how can I change it to meet my requirements.
Another issue is that I have User view which returns users from my db
class UserView(viewsets.ModelViewSet):
queryset = User.objects.all()
serializer_class = UserSerializer
It is reqistered this way
router = routers.DefaultRouter()
router.register('users', views.UserView)
urlpatterns = [
path('',include(router.urls)),
]
Is this going to work? I'm not sure because there is no checking if somebody pass a token and if token is correct
If you don't use custom token authentication, then you should use build in auth.
https://www.django-rest-framework.org/api-guide/authentication/#by-exposing-an-api-endpoint
Just use the view provided by DRF
from rest_framework.authtoken import views
urlpatterns += [
url(r'^api-token-auth/', views.obtain_auth_token)
]
Regarding authorization on your UserView, see: https://www.django-rest-framework.org/api-guide/authentication/#setting-the-authentication-scheme
you can just add
permission_classes = [IsAuthenticated]
It allows only authenticated users to use that endpoint
Related
I was using Django users model for my Django rest framework. For this I used Django's ModelViewSet for my User class.
class UserViewSet(viewsets.ModelViewSet):
queryset = User.objects.all()
serializer_class = UserSerializer
Serializers.py
class UserSerializer(serializers.ModelSerializer):
class Meta:
model = User
fields = ['id', 'username', 'password']
extra_kwargs = {
'password' : {
'write_only':True,
'required': True
}
}
def create(self, validated_data):
user = User.objects.create_user(**validated_data)
Token.objects.create(user=user) # create token for the user
return user
But currently from postman when I make the request using the token of one user to view, delete, edit other users
http://127.0.0.1:8000/api/users/4/
Its able to edit/delete/view other users. I don't want that to happen and one user can make request on itself only is all I want.
This is my apps urls.py
urls.py
from django.urls import path, include
from .views import ArticleViewSet, UserViewSet
from rest_framework.routers import DefaultRouter
router = DefaultRouter()
router.register('articles', ArticleViewSet, basename='articles')
router.register('users', UserViewSet, basename = 'users')
urlpatterns = [
path('api/', include(router.urls)),
]
How can I prevent one user from accessing other users when they make GET/POST/PUT/DELETE request.
EDIT 1: After adding the IsOwnerOfObject class as provided in he answers below, now when I am requesting the detail of the user himself, I am getting
Authentication credentials were not provided.
Building from Ene's answer, authentication and permission classes needs to be provided.
Create a file named permissions.py.
from rest_framework import permissions
class IsOwnerOfObject(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
return obj == request.user
next add the permission and authentication class to ModelViewSet:
from api.permissions import IsOwnerOfObject
from rest_framework.authentication import TokenAuthentication
from rest_framework.permissions import IsAuthenticated
class UserViewSet(viewsets.ModelViewSet):
queryset = User.objects.all()
serializer_class = UserSerializer
permission_classes = [IsAuthenticated, IsOwnerOfObject]
authentication_classes = (TokenAuthentication,)
Create a file named permissions.py.
from rest_framework import permissions
class IsOwnerOfObject(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
return obj == request.user
next add the permission class to you ModelViewSet:
from yourapp.permissions import IsOwnerOfObject
class UserViewSet(viewsets.ModelViewSet):
queryset = User.objects.all()
serializer_class = UserSerializer
permission_classes = [IsOwnerOfObject, <other permission classes you want to use>]
More info here:
https://www.django-rest-framework.org/tutorial/4-authentication-and-permissions/#object-level-permissions
If you want to disable delete completely (Which is probably correct since if you want to "delete" a User you should deactivate it instead.) Then you can replace your view with this:
from rest_framework import viewsets
from rest_framework import generics
class UserViewSet(
generics.CreateModelMixin,
generics.ListModelMixin,
generics.RetrieveModelMixin,
generics.UpdateModelMixin,
generics.viewsets.GenericViewSet
):
queryset = User.objects.all()
serializer_class = UserSerializer
And then you can use Ene Paul's answer to limit who can edit.
Another all-in-one solution could be to use a queryset filter to directly narrow the queryset results. This will prevent an user to delete other users, but also prevent any unauthorized retrieving or listing as the only accessible data will be the user itself only.
class UserViewSet(viewsets.ModelViewSet):
queryset = User.objects.all()
serializer_class = UserSerializer
permission_classes = [IsAuthenticated]
def get_queryset(self):
"""
The get_queryset function is used to get the queryset of the user data corresponding to the logged in user.
It is called when the view is instantiated, and it returns a list containing this user only.
"""
# after get all products on DB it will be filtered by its owner and return the queryset
owner_queryset = self.queryset.filter(username=self.request.user.username)
return owner_queryset
And this can also be used with other objects to allow retrieving only data related to this user.
i am using Django rest framework for my login api. Now i want to login only certain group user through api. I have created group and assigned user to the group.I have created a permission class and used to APIView but it's show ""Authentication credentials were not provided."
Here is my permissions.py class
from rest_framework.permissions import BasePermission
class FanOnlyPermission(BasePermission):
def has_permission(self, request, view):
if request.user and request.user.groups.filter(name='fan'):
return True
return False
Here is my view.py
from rest_framework import views, permissions, status, generics
class UserLoginApiView(generics.GenericAPIView):
"""
User Login Api View
"""
permission_classes = (FanOnlyPermission, )
def post(self, request):
"""
Handle POST request
:param request:
:return:
"""
serializer = UserLoginSerializer(data=request.data)
if serializer.is_valid(raise_exception=True):
return Response(serializer.data, status=status.HTTP_200_OK)
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
I have tried through postman. when i print request.user from permission.py it shoed "Anonymous user".
You need to implement custom authentication backend,
See this answer: how to create login authentication based on some condition in django restframework
And then config the AUTHENTICATION_BACKENDS in the settings.py:
AUTHENTICATION_BACKENDS = ['accounts.backends.AuthBackend']
This question is based on the one here. I am setting up a Django REST Framework for my web app and am trying to set up User accounts. Based on the REST documentation, they put all of their account code in their example in the main project directory and a separate application so did that as well. Here is what I have:
urls.py
from django.contrib import admin
from django.urls import include, path
from django.conf.urls import url
from rest_framework import routers
from . import views
router = routers.DefaultRouter()
router.register('users', views.UserViewSet)
urlpatterns = [
path('admin/', admin.site.urls),
url('', include(router.urls)),
url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework')),
]
serializers.py
from django.contrib.auth.models import User
from rest_framework import serializers
class UserSerializer(serializers.ModelSerializer):
password = serializers.CharField(write_only=True)
def create(self, validated_data):
user = User.objects.create(
username=validated_data['username']
)
user.set_password(validated_data['password'])
user.save()
return user
class Meta:
model = User
# Tuple of serialized model fields (see link [2])
fields = ( "id", "username", "password", )
views.py
from rest_framework import viewsets, permissions
from rest_framework.generics import CreateAPIView
from django.contrib.auth.models import User
from .serializers import UserSerializer
# Create your views here.
class UserViewSet(viewsets.ModelViewSet):
queryset = User.objects.all()
serializer_class = UserSerializer
permission_classes = [permissions.IsAuthenticated]
class CreateUserView(CreateAPIView):
model = User
permission_classes = [
permissions.AllowAny
]
serializer_class = UserSerializer
I have tried using the Boomerang REST Client in Chrome to POST data to this API, but it always returns a 403 Error saying "Invalid username/password." Specifically I am POSTing to http://127.0.0.1:8000/users/create/ with a Query String and 2 parameters: username and password. I also tried sending it as JSON and it returned the same. Any help would be appreciated.
It doesn't look like CreateUserView was registered in your urls.py. You should be able to register it and access it normally. I think this should work for you:
urlpatterns = [
...
url(r'^users/create/', views.CreateUserView.as_view()),
]
That said, I'd like to suggest adding an extra action for your UserViewSet instead:
# Create your views here.
class UserViewSet(viewsets.ModelViewSet):
queryset = User.objects.all()
serializer_class = UserSerializer
permission_classes = [permissions.IsAuthenticated
#action(methods=['post'], detail=False, permission_classes=[permissions.AllowAny])
def register(self, request, *args, **kwargs):
# This logic was taken from the `create` on `ModelViewSet`. Alter as needed.
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
self.perform_create(serializer)
headers = self.get_success_headers(serializer.data)
return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)
Then you should be able to post via /users/register/. You can also specify your own url name and path on the decorator.
Maybe you are posting in the wrong url, try POST the same on http://127.0.0.1:8000/users/,
because ModelViewSet adds POST, PATCH, PUT, DELETE and GET methods automatically.
Also because you are asking for authentication (permission_classes = [permissions.IsAuthenticated]), you should send the headers for this in the request. There is a tutorial for this in the DRF site (https://www.django-rest-framework.org/tutorial/4-authentication-and-permissions/)
based on django-rest-framework documents it's better to use viewset for create user api. therefor you need to send a POST request to http://127.0.0.1:8000/api-auth/users and no need to CreateUserView function.
But if you want to have a custom user create api do you need something like below:
class UserViewSet(viewsets.ModelViewSet):
"""
A viewset that provides the standard actions
"""
queryset = User.objects.all()
serializer_class = UserSerializer
#action(detail=True, methods=['post'], permission_classes=[permissions.AllowAny])
def create_user(self, request, pk=None):
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
self.perform_create(serializer)
headers = self.get_success_headers(serializer.data)
return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)
To have custom serializers in your ViewSet you can specify them in get_serializer_class function in your ViewSet like this:
class UserViewSet(viewsets.ModelViewSet):
# example viewset
def get_serializer_class(self):
if self.action == 'list':
return ListUserSerializer
elif self.action == 'create':
return CreateUserSerializer
elif self.action == 'update':
return UpdateUserSerializer
return DetailUserSerializer
I'm trying to implement account activation by e-mail link. My User model is very simple, inherits from django.contrib.auth.models.AbstractUser, so it has is_active field by default. Upon registration, new user is created with is_active=False param and I want to handle case, when user tries to log in and even though credentials are fine, should not be logged in because account is not activated. I'm using Knox Token Authentication. My serializer:
from django.contrib.auth import authenticate
from rest_framework import serializers, exceptions
class LoginUserSerializer(serializers.ModelSerializer):
class Meta:
model = UserModel
fields = ('username', 'password')
def validate(self, data):
user = authenticate(**data)
if user:
if user.is_active:
return user
raise exceptions.AuthenticationFailed('Account is not activated')
raise exceptions.AuthenticationFailed()
And view:
from django.contrib.auth import login
from rest_framework.permissions import AllowAny
from rest_framework.authtoken.serializers import AuthTokenSerializer
from knox.views import LoginView
from .serializers import LoginUserSerializer
class LoginUserView(LoginView):
serializer_class = LoginUserSerializer
permission_classes = [AllowAny]
def post(self, request, *args, **kwargs):
serializer = AuthTokenSerializer(data=request.data)
serializer.is_valid(raise_exception=True)
user = serializer.validated_data['user']
login(request, user)
return super(LoginUserView, self).post(request)
And with that code, I stumbled upon problem: when I try to log in with already activated account, everything looks fine, but when I try unactivated one, instead of Account is not activated, I get:
{
"non_field_errors": [
"Unable to log in with provided credentials."
]
}
Which I think, comes rather from view than the serializer.
Okay, so thanks to Shafikur Rahman suggestion I was able to make it work. After I tried to debug it with pdb and set trace inside LoginUserSerializer but nothing happened, I realized that in my views I'm not pointing to the serializer I wrote, but to AuthTokenSerializer. Even after that it still didn't work, because of my lack of understanding of how django login() and DRF validate() works. Below fixed code for reference:
view:
class LoginUserView(LoginView):
serializer_class = LoginUserSerializer
permission_classes = [AllowAny]
def post(self, request, *args, **kwargs):
serializer = LoginUserSerializer(data=request.data) # changed to desired serializer
serializer.is_valid(raise_exception=True)
user = serializer.validated_data['user']
login(request, user)
return super(LoginUserView, self).post(request)
and serializer:
class LoginUserSerializer(serializers.ModelSerializer):
username = serializers.CharField() # added missing fields for serializer
password = serializers.CharField()
class Meta:
model = UserModel
fields = ('username', 'password')
def validate(self, data):
user = authenticate(**data)
if user:
if user.is_active:
data['user'] = user # added user model to OrderedDict that serializer is validating
return data # and in sunny day scenario, return this dict, as everything is fine
raise exceptions.AuthenticationFailed('Account is not activated')
raise exceptions.AuthenticationFailed()
Additionally to be able to authenticate() not active user, I had to add
AUTHENTICATION_BACKENDS = [
'django.contrib.auth.backends.AllowAllUsersModelBackend'
]
in project settings.
I am new in Django and I have managed to build a small API using DRF. I have my angular.js client end posting user auth details and DRF returns a token which looks like this:
{ 'token' : '9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b' }
Based on the tutorial, I am supposed to retrieve the details from request.user
But I don't know where to do this. I find it confusing since it doesn't give a good example. Anyone with an idea on how go around it? Your input is highly appreciated.
Below is the code of my view and serializer.
from serializers import ExampleSerializer
from models import Example
from rest_framework import viewsets
class ExampleViewSet(viewsets.ModelViewSet):
"""
Example api description
"""
queryset = Example.objects.all()
serializer_class = ExampleSerializer
Serializer
from models import Example
from rest_framework import serializers
class ExampleSerializer(serializers.ModelSerializer):
class Meta:
model = Example
fields = ('id', 'field_one', 'field_two', 'created_at', 'updated_at')
depth = 1
Keeping in mind that I am also new to Angular and DRF...
If you are already receiving the token, then on the angularjs side, you need to be including the token in the headers of your subsequent requests. Perhaps like this abbreviated code from the authentication request:
$http({auth request code here}).then(function(response){
var token = response.headers().token
$http.defaults.headers.common['Authorization'] = 'Token ' + token;
});
In your ViewSet you would likely want
authentication_classes = (TokenAuthentication,)
along with whatever permission_classes are relevant.
If you are including the Token in the Angular http request, then I believe you can reference the user with request.user, like perhaps
def list(self, request):
queryset = SomeObject.objects.filter(owner=request.user)
Or, here is another use (User model is django.contrib.auth.models.User):
class UserView(RetrieveAPIView):
model = User
serializer_class = UserSerializer
def retrieve(self, request, pk=None):
"""
If provided 'pk' is "me" then return the current user.
"""
if request.user and pk == 'me':
return Response(UserSerializer(request.user).data)
return super(UserView, self).retrieve(request, pk)
In my case, I am trying to test my API with an API REST Client. When I put the Header in the configuration, it works.
Authorization: Token <<token>>