浏览器API是一个可以添加\更新\删除实例的单页。当你询问这个页面时,DRF会检查所有需要的权限,看看相应的模块是否允许显示。
在DRF源代码深处,你可以看到这一点renderers.py
:
class BrowsableAPIRenderer(BaseRenderer):
"""
HTML renderer used to self-document the API.
"""
media_type = 'text/html'
format = 'api'
template = 'rest_framework/api.html'
filter_template = 'rest_framework/filters/base.html'
code_style = 'emacs'
charset = 'utf-8'
form_renderer_class = HTMLFormRenderer
...
def get_context(self, data, accepted_media_type, renderer_context):
....
context = {
....
'put_form': self.get_rendered_html_form(data, view, 'PUT', request),
'post_form': self.get_rendered_html_form(data, view, 'POST', request),
'delete_form': self.get_rendered_html_form(data, view, 'DELETE', request),
'options_form': self.get_rendered_html_form(data, view, 'OPTIONS', request),
}
return context
def get_rendered_html_form(self, data, view, method, request):
....
if not self.show_form_for_method(view, method, request, instance):
....
def show_form_for_method(self, view, method, request, obj):
"""
Returns True if a form should be shown for this method.
"""
if method not in view.allowed_methods:
return # Not a valid method
try:
view.check_permissions(request)
if obj is not None:
view.check_object_permissions(request, obj)
except exceptions.APIException:
return False # Doesn't have permissions
return True
view.check_permissions(request)
in show_form_for_method
这就是 DRF 可浏览 API 对每个实际请求的多个请求类型运行权限检查的原因。