check authentication after checking ModelResource

2025-11-04 09:57:55 +03:00 · 2012-02-11 01:54:28 +01:00 · 2012-02-11 01:54:28 +01:00 · b236241982
commit b236241982
parent bc80eb266f
1 changed files with 4 additions and 4 deletions
--- a/djangorestframework/permissions.py
+++ b/djangorestframework/permissions.py
@ -99,16 +99,16 @@ class DjangoModelPermisson(BasePermission):
        if self.view.request.method in ('GET', 'OPTIONS', 'HEAD',):
            return

-        # User must be logged in to check permissions.
-        if not hasattr(self.view.request, 'user') or not self.view.request.user.is_authenticated():
-            raise _403_FORBIDDEN_RESPONSE
-
        klass = self.view.resource.model

        # If it doesn't look like a model, we can't check permissions.
        if not klass or not getattr(klass, '_meta', None):
            return

+        # User must be logged in to check permissions.
+        if not hasattr(self.view.request, 'user') or not self.view.request.user.is_authenticated():
+            raise _403_FORBIDDEN_RESPONSE
+
        permission_map = {
            'POST': ['%s.add_%s'],
            'PUT': ['%s.change_%s'],