335 👍
You just need to remove the browsable API renderer from your list of supported renderers for the view.
Generally:
REST_FRAMEWORK = {
    'DEFAULT_RENDERER_CLASSES': (
        'rest_framework.renderers.JSONRenderer',
    )
}
Per-view basis:
from rest_framework import renderers, views

class MyView(views.APIView):  # or any other DRF view base class
    renderer_classes = [renderers.JSONRenderer]
Aside:
In many cases I think it's a shame that folks would choose to disable the browsable API in any case, as it's a big aid to any developers working on the API, and it doesn't give them more permissions than they would otherwise have. I can see that there might be business reasons for doing so in some cases, but generally I'd consider it a huge asset. Although, in some cases there may be details shown (like the names of custom actions) that a non-public API may not want to expose.
See also the answer below for more detail about restricting the browsable API renderer to development.
153 👍
While the accepted answer to this question does answer the question as it was worded, I feel that it does not solve the actual issue at hand.
For completeness in this answer, disabling the browsable HTML API is done by removing it from the renderer classes like so:
REST_FRAMEWORK = {
    'DEFAULT_RENDERER_CLASSES': (
        'rest_framework.renderers.JSONRenderer',
    )
}
However, the actual issue the question alludes to is people being able to post to the API without authentication. While removing the form makes it less obvious, this answer does not protect the API endpoints.
At minimum, someone finds this question and is looking to protect the API from unauthenticated or unauthorised POST submissions; they are looking to change the API permissions.
The following will set all endpoints to be read only unless the user is authenticated.
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticatedOrReadOnly',
    )
}
If you would like to completely hide the API unless the user is logged in, you could also use IsAuthenticated.
FYI: This will also remove the form from the HTML browsable API as it responds to permissions. When an authenticated user logs in, the form will be available again.
Bonus Round:
Only enable the browsable HTML API in dev:
DEFAULT_RENDERER_CLASSES = (
    'rest_framework.renderers.JSONRenderer',
)
if DEBUG:
    DEFAULT_RENDERER_CLASSES = DEFAULT_RENDERER_CLASSES + (
        'rest_framework.renderers.BrowsableAPIRenderer',
    )
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticatedOrReadOnly',
    ),
    'DEFAULT_RENDERER_CLASSES': DEFAULT_RENDERER_CLASSES
}
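A settings audit for the distinction drawn in the answer above, that removing the renderer and restricting permissions are separate controls. This is an added example, not part of the original answer: the function and finding names are hypothetical, and it relies on DRF's defaults when a key is unset (`AllowAny` permissions, `BrowsableAPIRenderer` enabled).

```python
# Added example: audit a REST_FRAMEWORK settings dict before deployment.
# Function and finding names are hypothetical; class paths are DRF's own.
BROWSABLE = "rest_framework.renderers.BrowsableAPIRenderer"
ALLOW_ANY = "rest_framework.permissions.AllowAny"

# Values DRF falls back to when a key is absent from REST_FRAMEWORK.
DRF_DEFAULTS = {
    "DEFAULT_RENDERER_CLASSES": ("rest_framework.renderers.JSONRenderer", BROWSABLE),
    "DEFAULT_PERMISSION_CLASSES": (ALLOW_ANY,),
}


def _as_tuple(value):
    # ('path') without a trailing comma is a plain string, not a tuple;
    # treat it as a single entry instead of iterating its characters.
    return (value,) if isinstance(value, str) else tuple(value)


def audit_rest_framework(rest_framework, debug):
    """Return sorted findings for the global DRF defaults in use."""
    effective = {**DRF_DEFAULTS, **(rest_framework or {})}
    renderers = _as_tuple(effective["DEFAULT_RENDERER_CLASSES"])
    permissions = _as_tuple(effective["DEFAULT_PERMISSION_CLASSES"])

    findings = set()
    # The browsable API is meant for development only.
    if BROWSABLE in renderers and not debug:
        findings.add("browsable-api-outside-debug")
    # No permission classes, or AllowAny, means anonymous clients can still
    # POST/PUT/DELETE even when only JSON is rendered.
    if not permissions or ALLOW_ANY in permissions:
        findings.add("anonymous-write-allowed")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample: the renderer-only change from the first answer.
    renderer_only = {
        "DEFAULT_RENDERER_CLASSES": ("rest_framework.renderers.JSONRenderer",),
    }
    print(audit_rest_framework(renderer_only, debug=False))
```

Per-view `renderer_classes` and `permission_classes` override these global defaults, so views that set them need to be reviewed separately.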
10 👍
# For Production Only
REST_FRAMEWORK = {
    'DEFAULT_RENDERER_CLASSES': (
        'rest_framework.renderers.JSONRenderer',
    )
}
Just adding this to your settings.py should disable the Browsable API!
4 👍
In settings.py you can include a DEBUG flag like so:
DEBUG = env.bool("API_DEBUG", default=True)
Then you can set render behavior based on that flag if DEBUG is set to True or False:
if DEBUG:
    DEFAULT_RENDERER_CLASSES = (
        "rest_framework.renderers.JSONRenderer",
        "rest_framework.renderers.BrowsableAPIRenderer",
    )
else:
    DEFAULT_RENDERER_CLASSES = (
        "rest_framework.renderers.JSONRenderer",
    )
REST_FRAMEWORK = {
    'DEFAULT_RENDERER_CLASSES': DEFAULT_RENDERER_CLASSES,
}
This way, whenever the API is in debug mode it will show the browsable API, and when it is not in debug mode it will render JSON only.