I have a blog project where users can post, comment on and like posts. When displaying all posts (the ListCreateView, i.e. POST & GET) it displays whoever liked the post, but in the POST method (as shown in the attached picture) it exposes the list of all users as options to like (in the attached photo, "voters" means the list of users registered with the blog project; for test purposes they are named a, b, c).

How can I keep voters (I mean the list of people who liked a post) out of the CreateView?

My project works fine, but I want to avoid this major data exposure.

SERIALIZERS.PY

from rest_framework import serializers

from .models import Post


class PostSerializer(serializers.ModelSerializer):
    # "__all__" includes the voters ManyToManyField as a writable input,
    # so the browsable API form renders every user as a selectable option.
    class Meta:
        model = Post
        fields = "__all__"


class LikeSerializer(serializers.ModelSerializer):
    # Excludes voters entirely; not currently used by PostListCreateview.
    class Meta:
        model = Post
        exclude = ("voters",)

MODELS.PY

from django.conf import settings
from django.db import models


class Post(models.Model):
    ...

    # Users who liked the post; a M2M to the user model.
    voters = models.ManyToManyField(settings.AUTH_USER_MODEL,
                                    related_name="votes", blank=True)

VIEWS.PY

from rest_framework import generics, permissions

from .models import Post
from .serializers import PostSerializer


class PostListCreateview(generics.ListCreateAPIView):
    # Same serializer is used for GET (list) and POST (create).
    queryset = Post.objects.all().order_by('id')
    serializer_class = PostSerializer
    permission_classes = [permissions.IsAuthenticatedOrReadOnly]

    def perform_create(self, serializer):
        # Author is taken from the request, not from the submitted data.
        serializer.save(author=self.request.user)


Anoop K George
    It's good to turn off the ***Browsable DRF API*** in the production environment. You can do that by changing the DRF settings. Read the related post, [Turn off DRF browsable API](https://stackoverflow.com/questions/11898065/how-to-disable-admin-style-browsable-interface-of-django-rest-framework) – JPG May 09 '20 at 14:49
  • Thank you, if I turn it off, won't people be able to get my entire user objects from open APIs? – Anoop K George May 09 '20 at 14:54
  • I am not much aware of OpenAPIs. I hope you can see the results if you try it yourself. – JPG May 09 '20 at 14:58
