mirror of
https://github.com/encode/django-rest-framework.git
parent
b87699c034
commit
c0d95cb967
|
@ -228,15 +228,15 @@ class DjangoModelPermissions(BasePermission):
|
||||||
return view.queryset
|
return view.queryset
|
||||||
|
|
||||||
def has_permission(self, request, view):
|
def has_permission(self, request, view):
|
||||||
|
if not request.user or (
|
||||||
|
not request.user.is_authenticated and self.authenticated_users_only):
|
||||||
|
return False
|
||||||
|
|
||||||
# Workaround to ensure DjangoModelPermissions are not applied
|
# Workaround to ensure DjangoModelPermissions are not applied
|
||||||
# to the root view when using DefaultRouter.
|
# to the root view when using DefaultRouter.
|
||||||
if getattr(view, '_ignore_model_permissions', False):
|
if getattr(view, '_ignore_model_permissions', False):
|
||||||
return True
|
return True
|
||||||
|
|
||||||
if not request.user or (
|
|
||||||
not request.user.is_authenticated and self.authenticated_users_only):
|
|
||||||
return False
|
|
||||||
|
|
||||||
queryset = self._queryset(view)
|
queryset = self._queryset(view)
|
||||||
perms = self.get_required_permissions(request.method, queryset.model)
|
perms = self.get_required_permissions(request.method, queryset.model)
|
||||||
|
|
||||||
|
|
|
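Review bot: Nothing in `has_permission` documents that the authentication check must stay ahead of the `_ignore_model_permissions` shortcut. The surviving comment still describes that shortcut only as a DefaultRouter workaround. If the two blocks were later swapped back, a view that sets the attribute would again return True before `request.user` is examined. I would put a comment over the moved check, for example `# Keep this first: _ignore_model_permissions skips the model-permission lookup only, never the authentication requirement.` The body of `has_permission` continues past the end of this hunk.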
@ -55,11 +55,16 @@ class EmptyListView(generics.ListCreateAPIView):
|
||||||
permission_classes = [permissions.DjangoModelPermissions]
|
permission_classes = [permissions.DjangoModelPermissions]
|
||||||
|
|
||||||
|
|
||||||
|
class IgnoredGetQuerySetListView(GetQuerySetListView):
|
||||||
|
_ignore_model_permissions = True
|
||||||
|
|
||||||
|
|
||||||
root_view = RootView.as_view()
|
root_view = RootView.as_view()
|
||||||
api_root_view = DefaultRouter().get_api_root_view()
|
api_root_view = DefaultRouter().get_api_root_view()
|
||||||
instance_view = InstanceView.as_view()
|
instance_view = InstanceView.as_view()
|
||||||
get_queryset_list_view = GetQuerySetListView.as_view()
|
get_queryset_list_view = GetQuerySetListView.as_view()
|
||||||
empty_list_view = EmptyListView.as_view()
|
empty_list_view = EmptyListView.as_view()
|
||||||
|
ignored_get_queryset_list_view = IgnoredGetQuerySetListView.as_view()
|
||||||
|
|
||||||
|
|
||||||
def basic_auth_header(username, password):
|
def basic_auth_header(username, password):
|
||||||
|
@ -107,6 +112,27 @@ class ModelPermissionsIntegrationTests(TestCase):
|
||||||
response = api_root_view(request)
|
response = api_root_view(request)
|
||||||
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||||
|
|
||||||
|
def test_ignore_model_permissions_with_unauthenticated_user(self):
|
||||||
|
"""
|
||||||
|
We check that the ``_ignore_model_permissions`` attribute
|
||||||
|
doesn't ignore the authentication.
|
||||||
|
"""
|
||||||
|
request = factory.get('/', format='json')
|
||||||
|
request.resolver_match = ResolverMatch('get', (), {})
|
||||||
|
response = ignored_get_queryset_list_view(request)
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
|
||||||
|
|
||||||
|
def test_ignore_model_permissions_with_authenticated_user(self):
|
||||||
|
"""
|
||||||
|
We check that the ``_ignore_model_permissions`` attribute
|
||||||
|
with an authenticated user.
|
||||||
|
"""
|
||||||
|
request = factory.get('/', format='json',
|
||||||
|
HTTP_AUTHORIZATION=self.permitted_credentials)
|
||||||
|
request.resolver_match = ResolverMatch('get', (), {})
|
||||||
|
response = ignored_get_queryset_list_view(request)
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||||
|
|
||||||
def test_get_queryset_has_create_permissions(self):
|
def test_get_queryset_has_create_permissions(self):
|
||||||
request = factory.post('/', {'text': 'foobar'}, format='json',
|
request = factory.post('/', {'text': 'foobar'}, format='json',
|
||||||
HTTP_AUTHORIZATION=self.permitted_credentials)
|
HTTP_AUTHORIZATION=self.permitted_credentials)
|
||||||
|
|
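Review bot: `test_ignore_model_permissions_with_authenticated_user` does not show that model permissions are actually skipped. It sends a GET with `self.permitted_credentials`, and the default `perms_map` of DjangoModelPermissions requires no permission for GET, so the request would return 200 even if `_ignore_model_permissions` were unset. A request that normally needs a model permission (a POST under the default map), sent by an authenticated user who lacks it, would pin the intended behaviour; whether the fixture provides such a user is not visible in this hunk. The docstring of that test is also an incomplete sentence; `Check that _ignore_model_permissions still lets an authenticated user through.` would read better. The 401 asserted in the unauthenticated test presumably depends on the view's authentication class supplying a WWW-Authenticate header, since DRF otherwise answers 403.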