I followed the simple quickstart tutorial in the official documentation of django rest framework.
https://www.django-rest-framework.org/tutorial/quickstart/
The tutorial works fine. The URL of the browsable API is at 127.0.0.1:8000. How do I change it to 127.0.0.1:8000/api?
The code for urls.py;
from django.urls import include, path
from rest_framework import routers
from tutorial.quickstart import views
router = routers.DefaultRouter()
router.register(r'users', views.UserViewSet)
router.register(r'groups', views.GroupViewSet)
# Wire up our API using automatic URL routing.
# Additionally, we include login URLs for the browsable API.
urlpatterns = [
path('', include(router.urls)),
path('api-auth/', include('rest_framework.urls', namespace='rest_framework'))
]
I am using django v4, python v3.9
Just change the prefix via path(), like you've done for api-auth/.
(This is not DRF-specific; it's just the regular path() function you use to mount views onto URLs.)
path('', include(router.urls)),
->
path('api/', include(router.urls)),
Can't seem to find anything on this so far, I'm guessing I have something misconfigured somewhere.
I have a pre-existing Django app and am trying to use Wagtail to add a blog in. I have installed as per the instructions and I can access the default landing page so it seems to be installed however I'm stuck with the below error when attempting to access the admin for it and am not sure how to proceed. Guessing its something to do with not defining namespaces somewhere, the Wagtail docs say that its compatible with Django v1.11 but their integration documentation is for Django v2 specifically and is using re_path etc.
'wagtailadmin_api_v1' is not a registered namespace
My main project urls.py
urlpatterns = [
url(r'^admin/', admin.site.urls),
url(r'^blog/', include('blog.urls', namespace='blog')),
url(r'^taggit_autosuggest/', include('taggit_autosuggest.urls')),
url(r'^autocomplete/', include(ac_urls, namespace='ac')),
url(r'^', include('website.urls', namespace='website')),
]
My blog app's urls.py (which is fresh from a "python manage.py startapp blog")
from django.conf.urls import url, include
from wagtail.admin import urls as wagtailadmin_urls
from wagtail.documents import urls as wagtaildocs_urls
from wagtail.core import urls as wagtail_urls
app_name = 'blog'
urlpatterns = [
url(r'^cms/', include(wagtailadmin_urls)),
url(r'^documents/', include(wagtaildocs_urls)),
url(r'', include(wagtail_urls)),
]
When I attempt to access localhost:8000/blog/ I get the default wagtail landing page, if I go to localhost:8000/blog/cms/ I get the above error though. If I go to localhost:8000/blog/documents/ I get a 404 as well.
Not sure where I'm going wrong, have tried using a version of wagtail that still used the Django v1.11 way of routing in urls.py but I got the same error!
I have a Django backend that returns json data. I'm able to get data back on my localhost but got a 404 on production server. I'm running nginx in front of gunicorn server. Any ideas why I'm getting a 404? Shouldn't this be able to work to retrieve json data, or do I need to use django rest framework and implement viewsets to make this work?
Not Found
The requested URL /about was not found on this server.
urls.py
urlpatterns = [
url(r'^admin/', admin.site.urls),
url(r'^about', about.get_info),
]
about.py
from django.http import JsonResponse
def get_info(req):
return JsonResponse({"test": "hello"})
The problem is inside url.py. The way the rules are defined currently, it would only allow you to open about/ and admin/, i.e. with the / at the end. To fix this, you can define the URLs as following:
urlpatterns = [
url(r'^admin/$', admin.site.urls),
url(r'^about/$', about.get_info),
]
Now you should be able to use both admin/ and admin to access the page.
I am currently building a React with a Django REST backend. I have come into this one little problem I can't get past that has to do with Routing.
Here is my urls.py file.
urlpatterns = [
url(r'^api/', include(router.urls)),
url(r'^admin/', admin.site.urls),
url(r'^djangojs/', include('djangojs.urls')),
url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework')),
url(r'^$', TemplateView.as_view(template_name='exampleapp/itworks.html')),
url(r'^(?:.*)/?$', TemplateView.as_view(template_name='exampleapp/itworks.html')),
]
Using this, it lets the react router do it's thing on the front end. For example, if I wanted to go to 127.0.0.1:8000/mentors then it will take me to the page I have set for React Router.
However, doing API calls in the frontend also returns the react page rather than the API endpoint because of this. So whenever I remove the last line in the code above: url(r'^(?:.*)/?$', TemplateView.as_view(template_name='exampleapp/itworks.html')),, then it gets the API returned in JSON format successfully. Problem is now when I try to go to the links it will return the Django 404 page rather than the React page I set in the React Router.
Is there anyway I can get the best of both worlds?
We're looking to implement Django OAuth on our backend in order to integrate Alexa and other 3rd party APIs. We've been following the tutorials on their site (http://django-oauth-toolkit.readthedocs.io/en/latest/tutorial/tutorial.html), but have run into a security question that has so far escaped us:
Is there a security concern that any user can access https://<oursite.com>/o/applications? If so, what steps need to be taken to prevent users from accessing these views?
The only relevant questions on SO weren't particularly helpful:
Secure creation of new applications in Django OAuth Toolkit
Disable or restrict /o/applications (django rest framework, oauth2)
I'm doing a similar thing, and I believe it is a security concern that anyone can see /o/applications - from what I can tell, that page is meant to be a development utility, not a production page. In fact, in the django-oauth-toolkit documentation, they have a code example with more restricted access to views.
from django.conf.urls import url
import oauth2_provider.views as oauth2_views
from django.conf import settings
from .views import ApiEndpoint
# OAuth2 provider endpoints
oauth2_endpoint_views = [
url(r'^authorize/$', oauth2_views.AuthorizationView.as_view(), name="authorize"),
url(r'^token/$', oauth2_views.TokenView.as_view(), name="token"),
url(r'^revoke-token/$', oauth2_views.RevokeTokenView.as_view(), name="revoke-token"),
]
if settings.DEBUG:
# OAuth2 Application Management endpoints
oauth2_endpoint_views += [
url(r'^applications/$', oauth2_views.ApplicationList.as_view(), name="list"),
url(r'^applications/register/$', oauth2_views.ApplicationRegistration.as_view(), name="register"),
url(r'^applications/(?P<pk>\d+)/$', oauth2_views.ApplicationDetail.as_view(), name="detail"),
url(r'^applications/(?P<pk>\d+)/delete/$', oauth2_views.ApplicationDelete.as_view(), name="delete"),
url(r'^applications/(?P<pk>\d+)/update/$', oauth2_views.ApplicationUpdate.as_view(), name="update"),
]
# OAuth2 Token Management endpoints
oauth2_endpoint_views += [
url(r'^authorized-tokens/$', oauth2_views.AuthorizedTokensListView.as_view(), name="authorized-token-list"),
url(r'^authorized-tokens/(?P<pk>\d+)/delete/$', oauth2_views.AuthorizedTokenDeleteView.as_view(),
name="authorized-token-delete"),
]
urlpatterns = [
# OAuth 2 endpoints:
url(r'^o/', include(oauth2_endpoint_views, namespace="oauth2_provider")),
url(r'^admin/', include(admin.site.urls)),
url(r'^api/hello', ApiEndpoint.as_view()), # an example resource endpoint
]
The revoke token view is part of the RFC, so that one is needed. I took a similar approach in my app of only including AuthorizationView, TokenView, and RevokeTokenView.
Hope that helps!
It is a security concern, and I suggest restricting access only to superusers with active accounts as in the following code from urls.py:
from django.contrib.auth.decorators import user_passes_test
import oauth2_provider.views as oauth2_views
def is_super(user):
return user.is_superuser and user.is_active
oauth2_endpoint_views = [
url(r'^authorize/$', oauth2_views.AuthorizationView.as_view(), name="authorize"),
url(r'^token/$', oauth2_views.TokenView.as_view(), name="token"),
url(r'^revoke-token/$', oauth2_views.RevokeTokenView.as_view(), name="revoke-token"),
# the above are public but we restrict the following:
url(r'^applications/$', user_passes_test(is_super)(oauth2_views.ApplicationList.as_view()), name="list"),
...
]
urlpatterns = [url(r'^o/', include(oauth2_endpoint_views, namespace="oauth2_provider"))]
To exclude 'applications/' endpoint, import just required urls instead of using whole oauth2_provider.urls:
from oauth2_provider.urls import app_name, base_urlpatterns, management_urlpatterns
urlpatterns = [
...
# oauth2
path('oauth2/', include((base_urlpatterns, app_name), namespace='oauth2_provider'))
]
Only urls, required for the client app authorization will be added:
oauth2/ ^authorize/$ [name='authorize']
oauth2/ ^token/$ [name='token']
oauth2/ ^revoke_token/$ [name='revoke-token']
oauth2/ ^introspect/$ [name='introspect']
To add/remove applications, you can either use Django admin site, or allow management_urlpatterns for admin users, as in #David Chander answer: https://stackoverflow.com/a/49210935/7709003