django-rest-framework limit the allowed_methods to GET

Question

I Have just started with django-rest-framework. Pretty enthousiastic about it, except for the fact there are very little examples available. getting the api working is going great, but all the extra's is a puzzle. (adding extra custom fields etc.)

Now I wonder how you can restrict the allowed_methods in for example a ListView or a DetailView. Adding this to the class in the views.py like I read somewhere as an answer... does not seem to have any effect:

allowed_methods = ('GET',)

Answer 1

Django-rest-framework actually have very many examples..

Take a look at http://django-rest-framework.org, http://django-rest-framework.org/contents.html and http://rest.ep.io/ for some good examples and documentation.

If you are designing a REST function by yourself, not using any of the django-rest-framework magic (like rest.ep.io) to generate it for you, you should look into mixin (http://django-rest-framework.org/howto/mixin.html).

If you want to restrict to only get methods. Just use def get(...) and the mixin class.

Example from link provided:

curl -X GET http://rest.ep.io/mixin/

urls.py

from djangorestframework.compat import View
from djangorestframework.mixins import ResponseMixin
from djangorestframework.renderers import DEFAULT_RENDERERS
from djangorestframework.response import Response

from django.conf.urls.defaults import patterns, url
from django.core.urlresolvers import reverse


class ExampleView(ResponseMixin, View):
    renderers = DEFAULT_RENDERERS

    def get(self, request):
        response = Response(200, {'description': 'Some example content',
                                  'url': reverse('mixin-view')})
        return self.render(response)


urlpatterns = patterns('',
    url(r'^$', ExampleView.as_view(), name='mixin-view'),
)

Answer 2

If you are using ModelViewSet and still want to restrict some methods you can add http_method_names.

Example:

class SomeModelViewSet(viewsets.ModelViewSet):
    queryset = SomeModel.objects.all()
    serializer_class = SomeModelSerializer
    http_method_names = ['get', 'post', 'head']

Once you do this, get, post and head will be allowed. But put, patch and delete will not be allowed.

[Shameless Plug]: If this answer was helpful, you will like my series of posts on DRF at https://www.agiliq.com/blog/2019/04/drf-polls/.

Answer 3

As almost everything in django-rest-framework, once you find it out, its very simple. In the urls in stead of using ListOrCreateModelView I had to use ListModelView.

Answer 4

You can do in this way for restricting the data. In ModelViewSet you can add http_method_names to restrict the data.

class RtsToolsViewSets(viewsets.ModelViewSet):
    serializer_class = AgentSerializer
    queryset = Agents.objects.all()
    http_method_names = ['get']

You can get details on : https://www.django-rest-framework.org/tutorial/2-requests-and-responses/

Answer 5

Sorry for necro, but I stumbled upon this question looking for a similar issue.

I only wanted to allow retrieve() but not to list(). What I ended up doing:

from rest_framework import viewsets
from rest_framework.exceptions import MethodNotAllowed

from myapp.models import MyModel

class MyViewSet(viewsets.ModelViewSet):
    http_method_names = ["get"]
    queryset = MyModel.objects.all()
    serializer_class = MySerializer

    def list(self, request, *args, **kwargs):
        raise MethodNotAllowed("GET")