removed unnecessary guardian req and view.action parsing

2025-02-03 05:04:31 +03:00 · 2013-09-09 08:39:09 -07:00 · 2013-09-09 08:39:09 -07:00 · 0183c69538
commit 0183c69538
parent 9ff0f6d3bf
2 changed files with 26 additions and 37 deletions
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@ -8,8 +8,7 @@ import warnings
 SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']

 from django.http import Http404
-from rest_framework.compat import oauth2_provider_scope, oauth2_constants, guardian
-from rest_framework.filters import ObjectPermissionReaderFilter
+from rest_framework.compat import oauth2_provider_scope, oauth2_constants


 class BasePermission(object):
@ -158,47 +157,42 @@ class DjangoObjectLevelModelPermissions(DjangoModelPermissions):
    Basic object level permissions utilizing django-guardian.
    """

-    def __init__(self):
-        assert guardian, 'Using DjangoObjectLevelModelPermissions, but django-guardian is not installed'
-
-    action_perm_map = {
-        'list': 'read',
-        'retrieve': 'read',
-        'create': 'add',
-        'partial_update': 'change',
-        'update': 'change',
-        'destroy': 'delete',
+    actions_map = {
+        'GET': ['read_%(model_name)s'],
+        'OPTIONS': ['read_%(model_name)s'],
+        'HEAD': ['read_%(model_name)s'],
+        'POST': ['add_%(model_name)s'],
+        'PUT': ['change_%(model_name)s'],
+        'PATCH': ['change_%(model_name)s'],
+        'DELETE': ['delete_%(model_name)s'],
    }

-    def _get_model_name(self, view):
-        model_cls = getattr(view, 'model', None)
-        queryset = getattr(view, 'queryset', None)
-
-        if model_cls is None and queryset is not None:
-            model_cls = queryset.model
-        if not model_cls:  # no model, no model based permissions
-            return None
-        model_name = model_cls._meta.module_name
-        return model_name
+    def get_required_object_permissions(self, method, model_cls):
+        kwargs = {
+            'model_name': model_cls._meta.module_name
+        }
+        return [perm % kwargs for perm in self.actions_map[method]]

    def has_permission(self, request, view):
-        if view.action == 'list':
+        if getattr(view, 'action', None) == 'list':
            queryset = view.get_queryset()
            view.queryset = ObjectPermissionReaderFilter().filter_queryset(request, queryset, view)
        return super(DjangoObjectLevelModelPermissions, self).has_permission(request, view)

    def has_object_permission(self, request, view, obj):
-        action = self.action_perm_map.get(view.action)
-        assert action, "Tried to determine object permissions but no action specified in view"
+        model_cls = getattr(view, 'model', None)
+        queryset = getattr(view, 'queryset', None)

+        if model_cls is None and queryset is not None:
+            model_cls = queryset.model
+
+        perms = self.get_required_object_permissions(request.method, model_cls)
        user = request.user
-        model_name = self._get_model_name(view)

-        perm = "{action}_{model_name}".format(action=action, model_name=model_name)
-        check = user.has_perm(perm, obj)
+        check = user.has_perms(perms, obj)
        if not check:
            raise Http404
-        return user.has_perm(perm, obj)
+        return user.has_perms(perms, obj)


 class TokenHasReadWriteScope(BasePermission):
--- a/rest_framework/tests/test_permissions.py
+++ b/rest_framework/tests/test_permissions.py
@ -4,6 +4,7 @@ from django.db import models
 from django.test import TestCase
 from rest_framework import generics, status, permissions, authentication, HTTP_HEADER_ENCODING
 from rest_framework.compat import guardian
+from rest_framework.filters import ObjectPermissionReaderFilter
 from rest_framework.test import APIRequestFactory
 from rest_framework.tests.models import BasicModel
 import base64
@ -227,13 +228,11 @@ if guardian:
        # Delete
        def test_can_delete_permissions(self):
            request = factory.delete('/1', HTTP_AUTHORIZATION=self.credentials['deleteonly'])
-            object_permissions_view.cls.action = 'destroy'
            response = object_permissions_view(request, pk='1')
            self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)

        def test_cannot_delete_permissions(self):
            request = factory.delete('/1', HTTP_AUTHORIZATION=self.credentials['readonly'])
-            object_permissions_view.cls.action = 'destroy'
            response = object_permissions_view(request, pk='1')
            self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)

@ -241,7 +240,6 @@ if guardian:
        def test_can_update_permissions(self):
            request = factory.patch('/1', {'text': 'foobar'}, format='json',
                HTTP_AUTHORIZATION=self.credentials['writeonly'])
-            object_permissions_view.cls.action = 'partial_update'
            response = object_permissions_view(request, pk='1')
            self.assertEqual(response.status_code, status.HTTP_200_OK)
            self.assertEqual(response.data.get('text'), 'foobar')
@ -249,34 +247,31 @@ if guardian:
        def test_cannot_update_permissions(self):
            request = factory.patch('/1', {'text': 'foobar'}, format='json',
                HTTP_AUTHORIZATION=self.credentials['deleteonly'])
-            object_permissions_view.cls.action = 'partial_update'
            response = object_permissions_view(request, pk='1')
            self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)

        # Read
        def test_can_read_permissions(self):
            request = factory.get('/1', HTTP_AUTHORIZATION=self.credentials['readonly'])
-            object_permissions_view.cls.action = 'retrieve'
            response = object_permissions_view(request, pk='1')
            self.assertEqual(response.status_code, status.HTTP_200_OK)

        def test_cannot_read_permissions(self):
            request = factory.get('/1', HTTP_AUTHORIZATION=self.credentials['writeonly'])
-            object_permissions_view.cls.action = 'retrieve'
            response = object_permissions_view(request, pk='1')
            self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)

        # Read list
        def test_can_read_list_permissions(self):
            request = factory.get('/', HTTP_AUTHORIZATION=self.credentials['readonly'])
-            object_permissions_list_view.cls.action = 'list'
+            object_permissions_list_view.cls.filter_backends = (ObjectPermissionReaderFilter,)
            response = object_permissions_list_view(request)
            self.assertEqual(response.status_code, status.HTTP_200_OK)
            self.assertEqual(response.data[0].get('id'), 1)

        def test_cannot_read_list_permissions(self):
            request = factory.get('/', HTTP_AUTHORIZATION=self.credentials['writeonly'])
-            object_permissions_list_view.cls.action = 'list'
+            object_permissions_list_view.cls.filter_backends = (ObjectPermissionReaderFilter,)
            response = object_permissions_list_view(request)
            self.assertEqual(response.status_code, status.HTTP_200_OK)
            self.assertListEqual(response.data, [])