Merge a1dfabb21c into fe4c7d4000

2025-08-02 11:30:12 +03:00 · 2013-12-03 05:10:43 -08:00 · 2013-12-03 05:10:43 -08:00 · 1221b93911
commit 1221b93911
parent fe4c7d4000 a1dfabb21c
3 changed files with 23 additions and 4 deletions
--- a/docs/api-guide/permissions.md
+++ b/docs/api-guide/permissions.md
@ -106,6 +106,12 @@ The `IsAuthenticatedOrReadOnly` will allow authenticated users to perform any re

 This permission is suitable if you want to your API to allow read permissions to anonymous users, and only allow write permissions to authenticated users.

+## IsAdminOrReadOnly 
+
+The `IsAdminOrReadOnly` will allow superusers to perform any request.  Requests for everyone else will only be permitted if the request method is one of the "safe" methods; `GET`, `HEAD` or `OPTIONS`.
+
+This permission is suitable if you want to your API to allow read permissions to everyone, and only allow write permissions to administrators.
+
 ## DjangoModelPermissions

 This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth].  When applied to a view that has a `.model` property, authorization will only be granted if the user *is authenticated* and has the *relevant model permissions* assigned.
--- a/docs/api-guide/viewsets.md
+++ b/docs/api-guide/viewsets.md
@ -178,7 +178,7 @@ Because `ModelViewSet` extends `GenericAPIView`, you'll normally need to provide
        """
        queryset = Account.objects.all()
        serializer_class = AccountSerializer
-        permission_classes = [IsAccountAdminOrReadOnly]
+        permission_classes = [IsAdminOrReadOnly]

 Note that you can use any of the standard attributes or method overrides provided by `GenericAPIView`.  For example, to use a `ViewSet` that dynamically determines the queryset it should operate on, you might do something like this:

@ -188,7 +188,7 @@ Note that you can use any of the standard attributes or method overrides provide
        associated with the user.
        """
        serializer_class = AccountSerializer
-        permission_classes = [IsAccountAdminOrReadOnly]
+        permission_classes = [IsAdminOrReadOnly]

        def get_queryset(self):
            return self.request.user.accounts.all()
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@ -77,8 +77,21 @@ class IsAuthenticatedOrReadOnly(BasePermission):

    def has_permission(self, request, view):
        if (request.method in SAFE_METHODS or
-            request.user and
-            request.user.is_authenticated()):
+           request.user and
+           request.user.is_authenticated()):
+            return True
+        return False
+
+
+class IsAdminOrReadOnly(BasePermission):
+    """
+    The request is authenticated as an admin, or is a read-only request.
+    """
+
+    def has_permission(self, request, view):
+        if (request.method in SAFE_METHODS or
+           request.user and
+           request.user.is_staff):
            return True
        return False