encode/django-rest-framework
1
1
Fork 0
mirror of https://github.com/encode/django-rest-framework.git synced 2025-11-04 09:57:55 +03:00
Code Issues Packages Projects Releases Wiki Activity

Ensure Django{Model,Object}Permissions don't hide exceptions.

Browse Source 
Quietly catching `AttributeError` and `TypeError` when calling
`get_queryset()` is rather insidious, as those exceptions get caught no
matter where they might happen in the call stack.
This commit is contained in:
Aarni Koskela 2015-11-24 14:44:00 +02:00
parent 200dda91ac
commit 69688289ce
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
rest_framework/permissions.py
View File

@ -112,15 +112,15 @@ class DjangoModelPermissions(BasePermission):
if getattr(view, '_ignore_model_permissions', False): if getattr(view, '_ignore_model_permissions', False):
return True return True
try: if hasattr(view, 'get_queryset'):
queryset = view.get_queryset() queryset = view.get_queryset()
except AttributeError: else:
queryset = getattr(view, 'queryset', None) queryset = getattr(view, 'queryset', None)
assert queryset is not None, ( assert queryset is not None, (
'Cannot apply DjangoModelPermissions on a view that ' 'Cannot apply DjangoModelPermissions on a view that '
'does not have `.queryset` property or overrides the ' 'does not set `.queryset` or have a `.get_queryset()` method.'
'`.get_queryset()` method.') )
perms = self.get_required_permissions(request.method, queryset.model) perms = self.get_required_permissions(request.method, queryset.model)
@ -169,15 +169,15 @@ class DjangoObjectPermissions(DjangoModelPermissions):
return [perm % kwargs for perm in self.perms_map[method]] return [perm % kwargs for perm in self.perms_map[method]]
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
try: if hasattr(view, 'get_queryset'):
queryset = view.get_queryset() queryset = view.get_queryset()
except AttributeError: else:
queryset = getattr(view, 'queryset', None) queryset = getattr(view, 'queryset', None)
assert queryset is not None, ( assert queryset is not None, (
'Cannot apply DjangoObjectPermissions on a view that ' 'Cannot apply DjangoObjectPermissions on a view that '
'does not have `.queryset` property or overrides the ' 'does not set `.queryset` or have a `.get_queryset()` method.'
'`.get_queryset()` method.') )
model_cls = queryset.model model_cls = queryset.model
user = request.user user = request.user