From d0f758ee2f9e2deac3821d7bcea327f9929463a0 Mon Sep 17 00:00:00 2001
From: Camille Harang <mammique@yooook.net>
Date: Fri, 10 Feb 2012 12:05:54 +0100
Subject: [PATCH 1/9] Resource's get_bound_form() populates instance's form on
 GET

---
 djangorestframework/resources.py | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/djangorestframework/resources.py b/djangorestframework/resources.py
index cc338cc05..561289fc0 100644
--- a/djangorestframework/resources.py
+++ b/djangorestframework/resources.py
@@ -309,14 +309,11 @@ class ModelResource(FormResource):
             return None
 
         # Instantiate the ModelForm as appropriate
-        if data is not None or files is not None:
-            if issubclass(form, forms.ModelForm) and hasattr(self.view, 'model_instance'):
-                # Bound to an existing model instance
-                return form(data, files, instance=self.view.model_instance)
-            else:
-                return form(data, files)
+        form_kwargs = {'data': data, 'files': files}
+         # Bound to an existing model instance
+        if hasattr(self.view, 'model_instance'): form_kwargs['instance'] = self.view.model_instance
 
-        return form()
+        return form(**form_kwargs)
 
     def url(self, instance):
         """

From 392117b7ed3d2ad407c537866746da8f82acd32b Mon Sep 17 00:00:00 2001
From: Camille Harang <mammique@yooook.net>
Date: Fri, 10 Feb 2012 12:15:06 +0100
Subject: [PATCH 2/9] Restore ModelForm instance check on Resource's
 get_bound_form()

---
 djangorestframework/resources.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/djangorestframework/resources.py b/djangorestframework/resources.py
index 561289fc0..5cbfbdab6 100644
--- a/djangorestframework/resources.py
+++ b/djangorestframework/resources.py
@@ -311,7 +311,7 @@ class ModelResource(FormResource):
         # Instantiate the ModelForm as appropriate
         form_kwargs = {'data': data, 'files': files}
          # Bound to an existing model instance
-        if hasattr(self.view, 'model_instance'): form_kwargs['instance'] = self.view.model_instance
+        if issubclass(form, forms.ModelForm) and hasattr(self.view, 'model_instance'): form_kwargs['instance'] = self.view.model_instance
 
         return form(**form_kwargs)
 

From a6b16bb4b2e47e683cf578f06bd3ace8fc5eb953 Mon Sep 17 00:00:00 2001
From: Camille Harang <mammique@yooook.net>
Date: Fri, 10 Feb 2012 21:47:59 +0100
Subject: [PATCH 3/9] Permissions can be checked with arbitrary HTTP methods,
 only views with write access display forms

---
 djangorestframework/mixins.py               |  4 ++--
 djangorestframework/permissions.py          | 21 ++++++++++++---------
 djangorestframework/renderers.py            |  8 ++++++++
 djangorestframework/templates/renderer.html |  4 ++--
 4 files changed, 24 insertions(+), 13 deletions(-)

diff --git a/djangorestframework/mixins.py b/djangorestframework/mixins.py
index f4a9c998a..1cb7d5f13 100644
--- a/djangorestframework/mixins.py
+++ b/djangorestframework/mixins.py
@@ -361,14 +361,14 @@ class AuthMixin(object):
         return AnonymousUser()
 
     # TODO: wrap this behavior around dispatch()
-    def _check_permissions(self):
+    def _check_permissions(self, test_methods=None):
         """
         Check user permissions and either raise an ``ErrorResponse`` or return.
         """
         user = self.user
         for permission_cls in self.permissions:
             permission = permission_cls(self)
-            permission.check_permission(user)
+            permission.check_permission(user, test_methods=test_methods)
 
 
 ########## Resource Mixin ##########
diff --git a/djangorestframework/permissions.py b/djangorestframework/permissions.py
index dfe55ce94..a6edb1919 100644
--- a/djangorestframework/permissions.py
+++ b/djangorestframework/permissions.py
@@ -41,7 +41,7 @@ class BasePermission(object):
         """
         self.view = view
 
-    def check_permission(self, auth):
+    def check_permission(self, auth, test_methods=None, **kwargs):
         """
         Should simply return, or raise an :exc:`response.ErrorResponse`.
         """
@@ -53,7 +53,7 @@ class FullAnonAccess(BasePermission):
     Allows full access.
     """
 
-    def check_permission(self, user):
+    def check_permission(self, user, test_methods=None, **kwargs):
         pass
 
 
@@ -62,7 +62,7 @@ class IsAuthenticated(BasePermission):
     Allows access only to authenticated users.
     """
 
-    def check_permission(self, user):
+    def check_permission(self, user, test_methods=None, **kwargs):
         if not user.is_authenticated():
             raise _403_FORBIDDEN_RESPONSE
 
@@ -72,7 +72,7 @@ class IsAdminUser(BasePermission):
     Allows access only to admin users.
     """
 
-    def check_permission(self, user):
+    def check_permission(self, user, test_methods=None, **kwargs):
         if not user.is_staff:
             raise _403_FORBIDDEN_RESPONSE
 
@@ -82,10 +82,9 @@ class IsUserOrIsAnonReadOnly(BasePermission):
     The request is authenticated as a user, or is a read-only request.
     """
 
-    def check_permission(self, user):
-        if (not user.is_authenticated() and
-            self.view.method != 'GET' and
-            self.view.method != 'HEAD'):
+    def check_permission(self, user, test_methods=None, **kwargs):
+        if not test_methods: test_methods = [self.view.method]
+        if not user.is_authenticated() and not set(['GET', 'HEAD']).issuperset(test_methods):
             raise _403_FORBIDDEN_RESPONSE
 
 
@@ -113,11 +112,15 @@ class BaseThrottle(BasePermission):
         """
         pass
 
-    def check_permission(self, auth):
+    def check_permission(self, auth, test_methods=None, **kwargs):
         """
         Check the throttling.
         Return `None` or raise an :exc:`.ErrorResponse`.
         """
+
+        # Return if just testing the permission.
+        if test_methods: return
+
         num, period = getattr(self.view, self.attr_name, self.default).split('/')
         self.num_requests = int(num)
         self.duration = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}[period[0]]
diff --git a/djangorestframework/renderers.py b/djangorestframework/renderers.py
index bb0f789aa..aab6a20ba 100644
--- a/djangorestframework/renderers.py
+++ b/djangorestframework/renderers.py
@@ -17,6 +17,7 @@ from djangorestframework.utils import dict2xml, url_resolves
 from djangorestframework.utils.breadcrumbs import get_breadcrumbs
 from djangorestframework.utils.mediatypes import get_media_type_params, add_media_type_param, media_type_matches
 from djangorestframework import VERSION
+from djangorestframework.response import ErrorResponse
 
 import string
 from urllib import quote_plus
@@ -232,6 +233,13 @@ class DocumentingTemplateRenderer(BaseRenderer):
         provide a form that can be used to submit arbitrary content.
         """
 
+        # Return no form if user doesn't have write access to this view
+        if hasattr(view, '_check_permissions'):
+            try:
+                view._check_permissions(test_methods=('POST', 'PUT', 'DELETE', 'PATCH',))
+            except ErrorResponse:
+                return None
+
         # Get the form instance if we have one bound to the input
         form_instance = None
         if method == getattr(view, 'method', view.request.method).lower():
diff --git a/djangorestframework/templates/renderer.html b/djangorestframework/templates/renderer.html
index e396a58f5..5b80f11da 100644
--- a/djangorestframework/templates/renderer.html
+++ b/djangorestframework/templates/renderer.html
@@ -65,7 +65,7 @@
 	{# Only display the POST/PUT/DELETE forms if method tunneling via POST forms is enabled and the user has permissions on this view. #}
 	{% if METHOD_PARAM and response.status != 403 %}
 
-		{% if 'POST' in view.allowed_methods %}
+		{% if 'POST' in view.allowed_methods and post_form %}
 				<form action="{{ request.get_full_path }}" method="post" {% if post_form.is_multipart %}enctype="multipart/form-data"{% endif %}>
 				<fieldset class='module aligned'>
 					<h2>POST {{ name }}</h2>
@@ -86,7 +86,7 @@
 				</form>
 		{% endif %}
 
-		{% if 'PUT' in view.allowed_methods %}
+		{% if 'PUT' in view.allowed_methods and put_form %}
 				<form action="{{ request.get_full_path }}" method="post" {% if put_form.is_multipart %}enctype="multipart/form-data"{% endif %}>
 				<fieldset class='module aligned'>
 					<h2>PUT {{ name }}</h2>

From 15ee6f0f15b244b4e03e32b38d0a839b02019480 Mon Sep 17 00:00:00 2001
From: Camille Harang <mammique@yooook.net>
Date: Fri, 10 Feb 2012 21:55:17 +0100
Subject: [PATCH 4/9] Revert "Restore ModelForm instance check on Resource's
 get_bound_form()"

This reverts commit 392117b7ed3d2ad407c537866746da8f82acd32b.
---
 djangorestframework/resources.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/djangorestframework/resources.py b/djangorestframework/resources.py
index 5cbfbdab6..561289fc0 100644
--- a/djangorestframework/resources.py
+++ b/djangorestframework/resources.py
@@ -311,7 +311,7 @@ class ModelResource(FormResource):
         # Instantiate the ModelForm as appropriate
         form_kwargs = {'data': data, 'files': files}
          # Bound to an existing model instance
-        if issubclass(form, forms.ModelForm) and hasattr(self.view, 'model_instance'): form_kwargs['instance'] = self.view.model_instance
+        if hasattr(self.view, 'model_instance'): form_kwargs['instance'] = self.view.model_instance
 
         return form(**form_kwargs)
 

From 04799515238b0cd0e6792378b37c256c5d8c4e21 Mon Sep 17 00:00:00 2001
From: Camille Harang <mammique@yooook.net>
Date: Fri, 10 Feb 2012 22:00:51 +0100
Subject: [PATCH 5/9] Revert Revert "Restore ModelForm instance check on
 Resource\'s get_bound_form\(\)"

---
 djangorestframework/resources.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/djangorestframework/resources.py b/djangorestframework/resources.py
index 561289fc0..feb35cdc9 100644
--- a/djangorestframework/resources.py
+++ b/djangorestframework/resources.py
@@ -311,7 +311,7 @@ class ModelResource(FormResource):
         # Instantiate the ModelForm as appropriate
         form_kwargs = {'data': data, 'files': files}
          # Bound to an existing model instance
-        if hasattr(self.view, 'model_instance'): form_kwargs['instance'] = self.view.model_instance
+        if issubclass(form, forms.ModelForm) and if hasattr(self.view, 'model_instance'): form_kwargs['instance'] = self.view.model_instance
 
         return form(**form_kwargs)
 

From 2a75e2171d369528f0944e72c1ce19c1d117bf9a Mon Sep 17 00:00:00 2001
From: Camille Harang <mammique@yooook.net>
Date: Fri, 10 Feb 2012 22:01:35 +0100
Subject: [PATCH 6/9] Revert "Permissions can be checked with arbitrary HTTP
 methods, only views with write access display forms"

This reverts commit a6b16bb4b2e47e683cf578f06bd3ace8fc5eb953.
---
 djangorestframework/mixins.py               |  4 ++--
 djangorestframework/permissions.py          | 21 +++++++++------------
 djangorestframework/renderers.py            |  8 --------
 djangorestframework/templates/renderer.html |  4 ++--
 4 files changed, 13 insertions(+), 24 deletions(-)

diff --git a/djangorestframework/mixins.py b/djangorestframework/mixins.py
index 1cb7d5f13..f4a9c998a 100644
--- a/djangorestframework/mixins.py
+++ b/djangorestframework/mixins.py
@@ -361,14 +361,14 @@ class AuthMixin(object):
         return AnonymousUser()
 
     # TODO: wrap this behavior around dispatch()
-    def _check_permissions(self, test_methods=None):
+    def _check_permissions(self):
         """
         Check user permissions and either raise an ``ErrorResponse`` or return.
         """
         user = self.user
         for permission_cls in self.permissions:
             permission = permission_cls(self)
-            permission.check_permission(user, test_methods=test_methods)
+            permission.check_permission(user)
 
 
 ########## Resource Mixin ##########
diff --git a/djangorestframework/permissions.py b/djangorestframework/permissions.py
index a6edb1919..dfe55ce94 100644
--- a/djangorestframework/permissions.py
+++ b/djangorestframework/permissions.py
@@ -41,7 +41,7 @@ class BasePermission(object):
         """
         self.view = view
 
-    def check_permission(self, auth, test_methods=None, **kwargs):
+    def check_permission(self, auth):
         """
         Should simply return, or raise an :exc:`response.ErrorResponse`.
         """
@@ -53,7 +53,7 @@ class FullAnonAccess(BasePermission):
     Allows full access.
     """
 
-    def check_permission(self, user, test_methods=None, **kwargs):
+    def check_permission(self, user):
         pass
 
 
@@ -62,7 +62,7 @@ class IsAuthenticated(BasePermission):
     Allows access only to authenticated users.
     """
 
-    def check_permission(self, user, test_methods=None, **kwargs):
+    def check_permission(self, user):
         if not user.is_authenticated():
             raise _403_FORBIDDEN_RESPONSE
 
@@ -72,7 +72,7 @@ class IsAdminUser(BasePermission):
     Allows access only to admin users.
     """
 
-    def check_permission(self, user, test_methods=None, **kwargs):
+    def check_permission(self, user):
         if not user.is_staff:
             raise _403_FORBIDDEN_RESPONSE
 
@@ -82,9 +82,10 @@ class IsUserOrIsAnonReadOnly(BasePermission):
     The request is authenticated as a user, or is a read-only request.
     """
 
-    def check_permission(self, user, test_methods=None, **kwargs):
-        if not test_methods: test_methods = [self.view.method]
-        if not user.is_authenticated() and not set(['GET', 'HEAD']).issuperset(test_methods):
+    def check_permission(self, user):
+        if (not user.is_authenticated() and
+            self.view.method != 'GET' and
+            self.view.method != 'HEAD'):
             raise _403_FORBIDDEN_RESPONSE
 
 
@@ -112,15 +113,11 @@ class BaseThrottle(BasePermission):
         """
         pass
 
-    def check_permission(self, auth, test_methods=None, **kwargs):
+    def check_permission(self, auth):
         """
         Check the throttling.
         Return `None` or raise an :exc:`.ErrorResponse`.
         """
-
-        # Return if just testing the permission.
-        if test_methods: return
-
         num, period = getattr(self.view, self.attr_name, self.default).split('/')
         self.num_requests = int(num)
         self.duration = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}[period[0]]
diff --git a/djangorestframework/renderers.py b/djangorestframework/renderers.py
index aab6a20ba..bb0f789aa 100644
--- a/djangorestframework/renderers.py
+++ b/djangorestframework/renderers.py
@@ -17,7 +17,6 @@ from djangorestframework.utils import dict2xml, url_resolves
 from djangorestframework.utils.breadcrumbs import get_breadcrumbs
 from djangorestframework.utils.mediatypes import get_media_type_params, add_media_type_param, media_type_matches
 from djangorestframework import VERSION
-from djangorestframework.response import ErrorResponse
 
 import string
 from urllib import quote_plus
@@ -233,13 +232,6 @@ class DocumentingTemplateRenderer(BaseRenderer):
         provide a form that can be used to submit arbitrary content.
         """
 
-        # Return no form if user doesn't have write access to this view
-        if hasattr(view, '_check_permissions'):
-            try:
-                view._check_permissions(test_methods=('POST', 'PUT', 'DELETE', 'PATCH',))
-            except ErrorResponse:
-                return None
-
         # Get the form instance if we have one bound to the input
         form_instance = None
         if method == getattr(view, 'method', view.request.method).lower():
diff --git a/djangorestframework/templates/renderer.html b/djangorestframework/templates/renderer.html
index 5b80f11da..e396a58f5 100644
--- a/djangorestframework/templates/renderer.html
+++ b/djangorestframework/templates/renderer.html
@@ -65,7 +65,7 @@
 	{# Only display the POST/PUT/DELETE forms if method tunneling via POST forms is enabled and the user has permissions on this view. #}
 	{% if METHOD_PARAM and response.status != 403 %}
 
-		{% if 'POST' in view.allowed_methods and post_form %}
+		{% if 'POST' in view.allowed_methods %}
 				<form action="{{ request.get_full_path }}" method="post" {% if post_form.is_multipart %}enctype="multipart/form-data"{% endif %}>
 				<fieldset class='module aligned'>
 					<h2>POST {{ name }}</h2>
@@ -86,7 +86,7 @@
 				</form>
 		{% endif %}
 
-		{% if 'PUT' in view.allowed_methods and put_form %}
+		{% if 'PUT' in view.allowed_methods %}
 				<form action="{{ request.get_full_path }}" method="post" {% if put_form.is_multipart %}enctype="multipart/form-data"{% endif %}>
 				<fieldset class='module aligned'>
 					<h2>PUT {{ name }}</h2>

From ae1f0c9b5b9b30b2885c3fcd6fdb9cc646ea4c82 Mon Sep 17 00:00:00 2001
From: Camille Harang <mammique@yooook.net>
Date: Fri, 10 Feb 2012 22:22:01 +0100
Subject: [PATCH 7/9] Permissions can be checked with arbitrary HTTP methods,
 only views on which the user has write access display forms

---
 djangorestframework/mixins.py               |  4 ++--
 djangorestframework/permissions.py          | 21 ++++++++++++---------
 djangorestframework/renderers.py            |  8 ++++++++
 djangorestframework/templates/renderer.html |  4 ++--
 4 files changed, 24 insertions(+), 13 deletions(-)

diff --git a/djangorestframework/mixins.py b/djangorestframework/mixins.py
index f4a9c998a..1cb7d5f13 100644
--- a/djangorestframework/mixins.py
+++ b/djangorestframework/mixins.py
@@ -361,14 +361,14 @@ class AuthMixin(object):
         return AnonymousUser()
 
     # TODO: wrap this behavior around dispatch()
-    def _check_permissions(self):
+    def _check_permissions(self, test_methods=None):
         """
         Check user permissions and either raise an ``ErrorResponse`` or return.
         """
         user = self.user
         for permission_cls in self.permissions:
             permission = permission_cls(self)
-            permission.check_permission(user)
+            permission.check_permission(user, test_methods=test_methods)
 
 
 ########## Resource Mixin ##########
diff --git a/djangorestframework/permissions.py b/djangorestframework/permissions.py
index dfe55ce94..a6edb1919 100644
--- a/djangorestframework/permissions.py
+++ b/djangorestframework/permissions.py
@@ -41,7 +41,7 @@ class BasePermission(object):
         """
         self.view = view
 
-    def check_permission(self, auth):
+    def check_permission(self, auth, test_methods=None, **kwargs):
         """
         Should simply return, or raise an :exc:`response.ErrorResponse`.
         """
@@ -53,7 +53,7 @@ class FullAnonAccess(BasePermission):
     Allows full access.
     """
 
-    def check_permission(self, user):
+    def check_permission(self, user, test_methods=None, **kwargs):
         pass
 
 
@@ -62,7 +62,7 @@ class IsAuthenticated(BasePermission):
     Allows access only to authenticated users.
     """
 
-    def check_permission(self, user):
+    def check_permission(self, user, test_methods=None, **kwargs):
         if not user.is_authenticated():
             raise _403_FORBIDDEN_RESPONSE
 
@@ -72,7 +72,7 @@ class IsAdminUser(BasePermission):
     Allows access only to admin users.
     """
 
-    def check_permission(self, user):
+    def check_permission(self, user, test_methods=None, **kwargs):
         if not user.is_staff:
             raise _403_FORBIDDEN_RESPONSE
 
@@ -82,10 +82,9 @@ class IsUserOrIsAnonReadOnly(BasePermission):
     The request is authenticated as a user, or is a read-only request.
     """
 
-    def check_permission(self, user):
-        if (not user.is_authenticated() and
-            self.view.method != 'GET' and
-            self.view.method != 'HEAD'):
+    def check_permission(self, user, test_methods=None, **kwargs):
+        if not test_methods: test_methods = [self.view.method]
+        if not user.is_authenticated() and not set(['GET', 'HEAD']).issuperset(test_methods):
             raise _403_FORBIDDEN_RESPONSE
 
 
@@ -113,11 +112,15 @@ class BaseThrottle(BasePermission):
         """
         pass
 
-    def check_permission(self, auth):
+    def check_permission(self, auth, test_methods=None, **kwargs):
         """
         Check the throttling.
         Return `None` or raise an :exc:`.ErrorResponse`.
         """
+
+        # Return if just testing the permission.
+        if test_methods: return
+
         num, period = getattr(self.view, self.attr_name, self.default).split('/')
         self.num_requests = int(num)
         self.duration = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}[period[0]]
diff --git a/djangorestframework/renderers.py b/djangorestframework/renderers.py
index bb0f789aa..aab6a20ba 100644
--- a/djangorestframework/renderers.py
+++ b/djangorestframework/renderers.py
@@ -17,6 +17,7 @@ from djangorestframework.utils import dict2xml, url_resolves
 from djangorestframework.utils.breadcrumbs import get_breadcrumbs
 from djangorestframework.utils.mediatypes import get_media_type_params, add_media_type_param, media_type_matches
 from djangorestframework import VERSION
+from djangorestframework.response import ErrorResponse
 
 import string
 from urllib import quote_plus
@@ -232,6 +233,13 @@ class DocumentingTemplateRenderer(BaseRenderer):
         provide a form that can be used to submit arbitrary content.
         """
 
+        # Return no form if user doesn't have write access to this view
+        if hasattr(view, '_check_permissions'):
+            try:
+                view._check_permissions(test_methods=('POST', 'PUT', 'DELETE', 'PATCH',))
+            except ErrorResponse:
+                return None
+
         # Get the form instance if we have one bound to the input
         form_instance = None
         if method == getattr(view, 'method', view.request.method).lower():
diff --git a/djangorestframework/templates/renderer.html b/djangorestframework/templates/renderer.html
index e396a58f5..5b80f11da 100644
--- a/djangorestframework/templates/renderer.html
+++ b/djangorestframework/templates/renderer.html
@@ -65,7 +65,7 @@
 	{# Only display the POST/PUT/DELETE forms if method tunneling via POST forms is enabled and the user has permissions on this view. #}
 	{% if METHOD_PARAM and response.status != 403 %}
 
-		{% if 'POST' in view.allowed_methods %}
+		{% if 'POST' in view.allowed_methods and post_form %}
 				<form action="{{ request.get_full_path }}" method="post" {% if post_form.is_multipart %}enctype="multipart/form-data"{% endif %}>
 				<fieldset class='module aligned'>
 					<h2>POST {{ name }}</h2>
@@ -86,7 +86,7 @@
 				</form>
 		{% endif %}
 
-		{% if 'PUT' in view.allowed_methods %}
+		{% if 'PUT' in view.allowed_methods and put_form %}
 				<form action="{{ request.get_full_path }}" method="post" {% if put_form.is_multipart %}enctype="multipart/form-data"{% endif %}>
 				<fieldset class='module aligned'>
 					<h2>PUT {{ name }}</h2>

From c42c72c8bf46a2eec08ea7bfd654e1a6f450d26b Mon Sep 17 00:00:00 2001
From: Camille Harang <mammique@yooook.net>
Date: Fri, 10 Feb 2012 22:23:46 +0100
Subject: [PATCH 8/9] Revert "Permissions can be checked with arbitrary HTTP
 methods, only views on which the user has write access display forms"

This reverts commit ae1f0c9b5b9b30b2885c3fcd6fdb9cc646ea4c82.
---
 djangorestframework/mixins.py               |  4 ++--
 djangorestframework/permissions.py          | 21 +++++++++------------
 djangorestframework/renderers.py            |  8 --------
 djangorestframework/templates/renderer.html |  4 ++--
 4 files changed, 13 insertions(+), 24 deletions(-)

diff --git a/djangorestframework/mixins.py b/djangorestframework/mixins.py
index 1cb7d5f13..f4a9c998a 100644
--- a/djangorestframework/mixins.py
+++ b/djangorestframework/mixins.py
@@ -361,14 +361,14 @@ class AuthMixin(object):
         return AnonymousUser()
 
     # TODO: wrap this behavior around dispatch()
-    def _check_permissions(self, test_methods=None):
+    def _check_permissions(self):
         """
         Check user permissions and either raise an ``ErrorResponse`` or return.
         """
         user = self.user
         for permission_cls in self.permissions:
             permission = permission_cls(self)
-            permission.check_permission(user, test_methods=test_methods)
+            permission.check_permission(user)
 
 
 ########## Resource Mixin ##########
diff --git a/djangorestframework/permissions.py b/djangorestframework/permissions.py
index a6edb1919..dfe55ce94 100644
--- a/djangorestframework/permissions.py
+++ b/djangorestframework/permissions.py
@@ -41,7 +41,7 @@ class BasePermission(object):
         """
         self.view = view
 
-    def check_permission(self, auth, test_methods=None, **kwargs):
+    def check_permission(self, auth):
         """
         Should simply return, or raise an :exc:`response.ErrorResponse`.
         """
@@ -53,7 +53,7 @@ class FullAnonAccess(BasePermission):
     Allows full access.
     """
 
-    def check_permission(self, user, test_methods=None, **kwargs):
+    def check_permission(self, user):
         pass
 
 
@@ -62,7 +62,7 @@ class IsAuthenticated(BasePermission):
     Allows access only to authenticated users.
     """
 
-    def check_permission(self, user, test_methods=None, **kwargs):
+    def check_permission(self, user):
         if not user.is_authenticated():
             raise _403_FORBIDDEN_RESPONSE
 
@@ -72,7 +72,7 @@ class IsAdminUser(BasePermission):
     Allows access only to admin users.
     """
 
-    def check_permission(self, user, test_methods=None, **kwargs):
+    def check_permission(self, user):
         if not user.is_staff:
             raise _403_FORBIDDEN_RESPONSE
 
@@ -82,9 +82,10 @@ class IsUserOrIsAnonReadOnly(BasePermission):
     The request is authenticated as a user, or is a read-only request.
     """
 
-    def check_permission(self, user, test_methods=None, **kwargs):
-        if not test_methods: test_methods = [self.view.method]
-        if not user.is_authenticated() and not set(['GET', 'HEAD']).issuperset(test_methods):
+    def check_permission(self, user):
+        if (not user.is_authenticated() and
+            self.view.method != 'GET' and
+            self.view.method != 'HEAD'):
             raise _403_FORBIDDEN_RESPONSE
 
 
@@ -112,15 +113,11 @@ class BaseThrottle(BasePermission):
         """
         pass
 
-    def check_permission(self, auth, test_methods=None, **kwargs):
+    def check_permission(self, auth):
         """
         Check the throttling.
         Return `None` or raise an :exc:`.ErrorResponse`.
         """
-
-        # Return if just testing the permission.
-        if test_methods: return
-
         num, period = getattr(self.view, self.attr_name, self.default).split('/')
         self.num_requests = int(num)
         self.duration = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}[period[0]]
diff --git a/djangorestframework/renderers.py b/djangorestframework/renderers.py
index aab6a20ba..bb0f789aa 100644
--- a/djangorestframework/renderers.py
+++ b/djangorestframework/renderers.py
@@ -17,7 +17,6 @@ from djangorestframework.utils import dict2xml, url_resolves
 from djangorestframework.utils.breadcrumbs import get_breadcrumbs
 from djangorestframework.utils.mediatypes import get_media_type_params, add_media_type_param, media_type_matches
 from djangorestframework import VERSION
-from djangorestframework.response import ErrorResponse
 
 import string
 from urllib import quote_plus
@@ -233,13 +232,6 @@ class DocumentingTemplateRenderer(BaseRenderer):
         provide a form that can be used to submit arbitrary content.
         """
 
-        # Return no form if user doesn't have write access to this view
-        if hasattr(view, '_check_permissions'):
-            try:
-                view._check_permissions(test_methods=('POST', 'PUT', 'DELETE', 'PATCH',))
-            except ErrorResponse:
-                return None
-
         # Get the form instance if we have one bound to the input
         form_instance = None
         if method == getattr(view, 'method', view.request.method).lower():
diff --git a/djangorestframework/templates/renderer.html b/djangorestframework/templates/renderer.html
index 5b80f11da..e396a58f5 100644
--- a/djangorestframework/templates/renderer.html
+++ b/djangorestframework/templates/renderer.html
@@ -65,7 +65,7 @@
 	{# Only display the POST/PUT/DELETE forms if method tunneling via POST forms is enabled and the user has permissions on this view. #}
 	{% if METHOD_PARAM and response.status != 403 %}
 
-		{% if 'POST' in view.allowed_methods and post_form %}
+		{% if 'POST' in view.allowed_methods %}
 				<form action="{{ request.get_full_path }}" method="post" {% if post_form.is_multipart %}enctype="multipart/form-data"{% endif %}>
 				<fieldset class='module aligned'>
 					<h2>POST {{ name }}</h2>
@@ -86,7 +86,7 @@
 				</form>
 		{% endif %}
 
-		{% if 'PUT' in view.allowed_methods and put_form %}
+		{% if 'PUT' in view.allowed_methods %}
 				<form action="{{ request.get_full_path }}" method="post" {% if put_form.is_multipart %}enctype="multipart/form-data"{% endif %}>
 				<fieldset class='module aligned'>
 					<h2>PUT {{ name }}</h2>

From eb11dd5803fb6f10993a87e3e927be0a0564f5ea Mon Sep 17 00:00:00 2001
From: Camille Harang <mammique@yooook.net>
Date: Fri, 10 Feb 2012 23:16:27 +0100
Subject: [PATCH 9/9] Remove  type error  in Resource's .get_bound_form()

---
 djangorestframework/resources.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/djangorestframework/resources.py b/djangorestframework/resources.py
index feb35cdc9..5cbfbdab6 100644
--- a/djangorestframework/resources.py
+++ b/djangorestframework/resources.py
@@ -311,7 +311,7 @@ class ModelResource(FormResource):
         # Instantiate the ModelForm as appropriate
         form_kwargs = {'data': data, 'files': files}
          # Bound to an existing model instance
-        if issubclass(form, forms.ModelForm) and if hasattr(self.view, 'model_instance'): form_kwargs['instance'] = self.view.model_instance
+        if issubclass(form, forms.ModelForm) and hasattr(self.view, 'model_instance'): form_kwargs['instance'] = self.view.model_instance
 
         return form(**form_kwargs)