From a2ff6b7285932ef192877136f3f35589c6470faf Mon Sep 17 00:00:00 2001
From: Darrin Massena
Date: Tue, 22 Jan 2013 20:18:27 -0800
Subject: [PATCH] bypass permission checks for OPTIONS requests
OPTIONS requests, ala CORS, do not supply authentication arguments.
---
 rest_framework/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rest_framework/views.py b/rest_framework/views.py
index ac9b33855..062a11ce5 100644
--- rest_framework/views.py
+++ b/rest_framework/views.py
@@ -294,8 +294,8 @@ class APIView(View):
 """
 self.format_kwarg = self.get_format_suffix(**kwargs)
- # Ensure that the incoming request is permitted
- if not self.has_permission(request):
+ # Ensure that the incoming request is permitted. OPTIONS requests are always permitted.
+ if request.method != 'OPTIONS' and not self.has_permission(request):
 self.permission_denied(request)
 self.check_throttles(request)
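Review bot: The new condition `if request.method != 'OPTIONS' and not self.has_permission(request):` exempts every OPTIONS request on every view from the permission check, not only CORS preflights, so whatever the view's OPTIONS handler returns (that handler is outside this hunk) is now served to callers who would otherwise be denied. A preflight is recognisable by its `Access-Control-Request-Method` header, so the exemption could be limited to that case with `is_preflight = request.method == 'OPTIONS' and 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' in request.META` followed by `if not is_preflight and not self.has_permission(request):`, assuming the request object exposes `META` at this point. The comment should state the reason rather than the rule, e.g. `# CORS preflights carry no credentials, so only they skip the permission check.`, and a test asserting that a plain unauthenticated OPTIONS request is still denied would pin the behaviour. The enclosing method starts and ends outside the hunk, so whether the preflight response itself omits view metadata needs checking there.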