
I am using Djoser for authentication in my WebApp and it is pretty fine. However, I'm concerned about some endpoints, like

auth/users

which returns all users if a token is passed. I won't be using this endpoint and will disable it in the frontend, as I don't want my users to use it either. But still, I'm concerned. How can I disable these unused endpoints provided by Djoser?

Yazgan

1 Answer


It's not easily possible to completely disable the endpoints. Maybe restricting this endpoint to admins only will be sufficient?

You could try setting the rest_framework.permissions.IsAdminUser permission for the user_list view.

Something like this should work:

DJOSER = {
    'PERMISSIONS': {
        'user_list': ['rest_framework.permissions.IsAdminUser'],
    }
}

DRF IsAdminUser permission

DJoser permissions docs

Kamil Niski
  • Well, user list is already allowed only for admin users, or it returns info of the current user. Here is a list of all Djoser default settings (as of 23/06/21, line 94 is the user_list permission setting): https://github.com/sunscrapers/djoser/blob/master/djoser/conf.py#L94 – Fed Jun 23 '21 at 14:50
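As an added example (not from the answer, DRF or Djoser), the same DJOSER["PERMISSIONS"] hook can also point at a custom permission class that denies every request, which makes the listing unusable for staff as well; the DenyAll class, the allowed() helper, the constructed _Request stand-in and the module path myproject.permissions are my assumptions, and the import fallback only exists so the snippet runs without DRF installed.

```python
# Added example: lock down Djoser's /auth/users/ listing through the same
# DJOSER["PERMISSIONS"] hook the answer uses. 'user_list' is the key shown
# above; DenyAll and allowed() are written here and are not part of DRF/Djoser.
try:
    from rest_framework.permissions import BasePermission, IsAdminUser
except ImportError:  # minimal stand-ins so the file runs without DRF installed
    class BasePermission:
        def has_permission(self, request, view):
            return True

    class IsAdminUser(BasePermission):
        def has_permission(self, request, view):
            return bool(request.user and request.user.is_staff)

class DenyAll(BasePermission):
    """Reject every request, so the listing is unusable even for staff."""
    def has_permission(self, request, view):
        return False

# settings.py fragment: choose one policy for the user list view.
DJOSER = {
    "PERMISSIONS": {
        # admin-only listing, as in the answer
        "user_list": ["rest_framework.permissions.IsAdminUser"],
        # or switch the listing off entirely (assumed module path for DenyAll):
        # "user_list": ["myproject.permissions.DenyAll"],
    }
}

def allowed(permission_classes, request, view=None):
    """DRF's rule: every permission class listed must grant the request."""
    return all(p().has_permission(request, view) for p in permission_classes)

class _Request:
    """Constructed stand-in for a DRF request carrying an authenticated user."""
    def __init__(self, is_staff):
        self.user = type("User", (), {"is_staff": is_staff, "is_authenticated": True})()

def demo():
    """Compare the two policies for a staff user and a regular user."""
    staff, regular = _Request(True), _Request(False)
    return {
        "admin_only": (allowed([IsAdminUser], staff), allowed([IsAdminUser], regular)),
        "deny_all": (allowed([DenyAll], staff), allowed([DenyAll], regular)),
    }
```

With DenyAll in place the view still exists and still authenticates the token, so a hit on it is logged as a 403 rather than silently vanishing, which is useful for spotting clients that probe it.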