diff --git a/docs/api-guide/permissions.md b/docs/api-guide/permissions.md index 38ae3d0a9..e867a4569 100644 --- a/docs/api-guide/permissions.md +++ b/docs/api-guide/permissions.md @@ -114,7 +114,7 @@ This permission is suitable if you want to your API to allow read permissions to ## DjangoModelPermissions -This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth]. When applied to a view that has a `.model` property, authorization will only be granted if the user *is authenticated* and has the *relevant model permissions* assigned. +This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth]. This permission must only be applied to views that has a `.queryset` property set. Authorization will only be granted if the user *is authenticated* and has the *relevant model permissions* assigned. * `POST` requests require the user to have the `add` permission on the model. * `PUT` and `PATCH` requests require the user to have the `change` permission on the model. @@ -124,6 +124,12 @@ The default behaviour can also be overridden to support custom model permissions To use custom model permissions, override `DjangoModelPermissions` and set the `.perms_map` property. Refer to the source code for details. +#### Using with views that do not include a `queryset` attribute. + +If you're using this permission with a view that uses an overridden `get_queryset()` method there may not be a `queryset` attribute on the view. In this case we suggest also marking the view with a sential queryset, so that this class can determine the required permissions. For example: + + queryset = User.objects.none() # Required for DjangoModelPermissions + ## DjangoModelPermissionsOrAnonReadOnly Similar to `DjangoModelPermissions`, but also allows unauthenticated users to have read-only access to the API. @@ -132,7 +138,7 @@ Similar to `DjangoModelPermissions`, but also allows unauthenticated users to ha This permission class ties into Django's standard [object permissions framework][objectpermissions] that allows per-object permissions on models. In order to use this permission class, you'll also need to add a permission backend that supports object-level permissions, such as [django-guardian][guardian]. -When applied to a view that has a `.model` property, authorization will only be granted if the user *is authenticated* and has the *relevant per-object permissions* and *relevant model permissions* assigned. +As with `DjangoModelPermissions`, this permission must only be applied to views that have a `.queryset` property. Authorization will only be granted if the user *is authenticated* and has the *relevant per-object permissions* and *relevant model permissions* assigned. * `POST` requests require the user to have the `add` permission on the model instance. * `PUT` and `PATCH` requests require the user to have the `change` permission on the model instance. diff --git a/docs/api-guide/routers.md b/docs/api-guide/routers.md index 2d760ca44..61a476b8b 100644 --- a/docs/api-guide/routers.md +++ b/docs/api-guide/routers.md @@ -41,9 +41,9 @@ The example above would generate the following URL patterns: **Note**: The `base_name` argument is used to specify the initial part of the view name pattern. In the example above, that's the `user` or `account` part. -Typically you won't *need* to specify the `base-name` argument, but if you have a viewset where you've defined a custom `get_queryset` method, then the viewset may not have any `.model` or `.queryset` attribute set. If you try to register that viewset you'll see an error like this: +Typically you won't *need* to specify the `base-name` argument, but if you have a viewset where you've defined a custom `get_queryset` method, then the viewset may not have a `.queryset` attribute set. If you try to register that viewset you'll see an error like this: - 'base_name' argument not specified, and could not automatically determine the name from the viewset, as it does not have a '.model' or '.queryset' attribute. + 'base_name' argument not specified, and could not automatically determine the name from the viewset, as it does not have a '.queryset' attribute. This means you'll need to explicitly set the `base_name` argument when registering the viewset, as it could not be automatically determined from the model name. diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py index 6a1a00770..29f60d6de 100644 --- a/rest_framework/permissions.py +++ b/rest_framework/permissions.py @@ -108,6 +108,9 @@ class DjangoModelPermissions(BasePermission): return [perm % kwargs for perm in self.perms_map[method]] def has_permission(self, request, view): + # Note that `.model` attribute on views is deprecated, although we + # enforce the deprecation on the view `get_serializer_class()` and + # `get_queryset()` methods, rather than here. model_cls = getattr(view, 'model', None) queryset = getattr(view, 'queryset', None) diff --git a/rest_framework/routers.py b/rest_framework/routers.py index 406ebcf77..ae56673d2 100644 --- a/rest_framework/routers.py +++ b/rest_framework/routers.py @@ -128,6 +128,9 @@ class SimpleRouter(BaseRouter): If `base_name` is not specified, attempt to automatically determine it from the viewset. """ + # Note that `.model` attribute on views is deprecated, although we + # enforce the deprecation on the view `get_serializer_class()` and + # `get_queryset()` methods, rather than here. model_cls = getattr(viewset, 'model', None) queryset = getattr(viewset, 'queryset', None) if model_cls is None and queryset is not None: @@ -135,7 +138,7 @@ class SimpleRouter(BaseRouter): assert model_cls, '`base_name` argument not specified, and could ' \ 'not automatically determine the name from the viewset, as ' \ - 'it does not have a `.model` or `.queryset` attribute.' + 'it does not have a `.queryset` attribute.' return model_cls._meta.object_name.lower()