mirror of
https://github.com/encode/django-rest-framework.git
synced 2025-08-04 04:20:12 +03:00
+ Rejecting anonymous in DjangoModelPermissions *before* the .get_queryset call
This commit is contained in:
parent
1c4d277f53
commit
88d49848de
|
@ -120,6 +120,14 @@ class DjangoModelPermissions(BasePermission):
|
|||
if getattr(view, '_ignore_model_permissions', False):
|
||||
return True
|
||||
|
||||
# For `.get_queryset` to assume that anonymous check was passed
|
||||
# when `authenticated_users_only` is `True`.
|
||||
if (
|
||||
not request.user or
|
||||
(not is_authenticated(request.user) and self.authenticated_users_only)
|
||||
):
|
||||
return False
|
||||
|
||||
if hasattr(view, 'get_queryset'):
|
||||
queryset = view.get_queryset()
|
||||
assert queryset is not None, (
|
||||
|
@ -135,11 +143,7 @@ class DjangoModelPermissions(BasePermission):
|
|||
|
||||
perms = self.get_required_permissions(request.method, queryset.model)
|
||||
|
||||
return (
|
||||
request.user and
|
||||
(is_authenticated(request.user) or not self.authenticated_users_only) and
|
||||
request.user.has_perms(perms)
|
||||
)
|
||||
return request.user.has_perms(perms)
|
||||
|
||||
|
||||
class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):
|
||||
|
|
|
@ -201,11 +201,15 @@ class ModelPermissionsIntegrationTests(TestCase):
|
|||
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||
|
||||
def test_calling_method_not_allowed(self):
|
||||
request = factory.generic('METHOD_NOT_ALLOWED', '/')
|
||||
request = factory.generic(
|
||||
'METHOD_NOT_ALLOWED', '/', HTTP_AUTHORIZATION=self.permitted_credentials
|
||||
)
|
||||
response = root_view(request)
|
||||
self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
|
||||
|
||||
request = factory.generic('METHOD_NOT_ALLOWED', '/1')
|
||||
request = factory.generic(
|
||||
'METHOD_NOT_ALLOWED', '/1', HTTP_AUTHORIZATION=self.permitted_credentials
|
||||
)
|
||||
response = instance_view(request, pk='1')
|
||||
self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
|
||||
|
||||
|
@ -396,7 +400,9 @@ class ObjectPermissionsIntegrationTests(TestCase):
|
|||
self.assertListEqual(response.data, [])
|
||||
|
||||
def test_cannot_method_not_allowed(self):
|
||||
request = factory.generic('METHOD_NOT_ALLOWED', '/')
|
||||
request = factory.generic(
|
||||
'METHOD_NOT_ALLOWED', '/', HTTP_AUTHORIZATION=self.credentials['readonly']
|
||||
)
|
||||
response = object_permissions_list_view(request)
|
||||
self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user