Fix #8771 - Checking for authentication even if _ignore_model_permissions = True (#8772)

Denny Biasiolli 2022-11-22 15:21:16 +01:00 committed by GitHub
parent b87699c034
commit c0d95cb967
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 4 deletions


@ -228,15 +228,15 @@ class DjangoModelPermissions(BasePermission):
return view.queryset return view.queryset
def has_permission(self, request, view): def has_permission(self, request, view):
if not request.user or (
not request.user.is_authenticated and self.authenticated_users_only):
return False
# Workaround to ensure DjangoModelPermissions are not applied # Workaround to ensure DjangoModelPermissions are not applied
# to the root view when using DefaultRouter. # to the root view when using DefaultRouter.
if getattr(view, '_ignore_model_permissions', False): if getattr(view, '_ignore_model_permissions', False):
return True return True
if not request.user or (
not request.user.is_authenticated and self.authenticated_users_only):
return False
queryset = self._queryset(view) queryset = self._queryset(view)
perms = self.get_required_permissions(request.method, queryset.model) perms = self.get_required_permissions(request.method, queryset.model)
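Review bot: The comment above the `_ignore_model_permissions` branch in has_permission still describes only the DefaultRouter workaround, so nothing tells a later maintainer that the authentication check has to stay ahead of it. Going by the commit title, the copy of the check at the top of the method is the new side; a line above it such as `# Authenticate first: _ignore_model_permissions skips only the model-permission lookup, never the login requirement.` would guard against a reorder that reopens the bypass. The move presumably also changes what anonymous clients see on the router's API root view when `authenticated_users_only` is true, which deserves a release-note entry. has_permission continues past the end of this hunk.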


@ -55,11 +55,16 @@ class EmptyListView(generics.ListCreateAPIView):
permission_classes = [permissions.DjangoModelPermissions] permission_classes = [permissions.DjangoModelPermissions]
class IgnoredGetQuerySetListView(GetQuerySetListView):
_ignore_model_permissions = True
root_view = RootView.as_view() root_view = RootView.as_view()
api_root_view = DefaultRouter().get_api_root_view() api_root_view = DefaultRouter().get_api_root_view()
instance_view = InstanceView.as_view() instance_view = InstanceView.as_view()
get_queryset_list_view = GetQuerySetListView.as_view() get_queryset_list_view = GetQuerySetListView.as_view()
empty_list_view = EmptyListView.as_view() empty_list_view = EmptyListView.as_view()
ignored_get_queryset_list_view = IgnoredGetQuerySetListView.as_view()
def basic_auth_header(username, password): def basic_auth_header(username, password):
@ -107,6 +112,27 @@ class ModelPermissionsIntegrationTests(TestCase):
response = api_root_view(request) response = api_root_view(request)
self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_ignore_model_permissions_with_unauthenticated_user(self):
"""
We check that the ``_ignore_model_permissions`` attribute
doesn't ignore the authentication.
"""
request = factory.get('/', format='json')
request.resolver_match = ResolverMatch('get', (), {})
response = ignored_get_queryset_list_view(request)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_ignore_model_permissions_with_authenticated_user(self):
"""
We check that the ``_ignore_model_permissions`` attribute
with an authenticated user.
"""
request = factory.get('/', format='json',
HTTP_AUTHORIZATION=self.permitted_credentials)
request.resolver_match = ResolverMatch('get', (), {})
response = ignored_get_queryset_list_view(request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_get_queryset_has_create_permissions(self): def test_get_queryset_has_create_permissions(self):
request = factory.post('/', {'text': 'foobar'}, format='json', request = factory.post('/', {'text': 'foobar'}, format='json',
HTTP_AUTHORIZATION=self.permitted_credentials) HTTP_AUTHORIZATION=self.permitted_credentials)
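Review bot: test_ignore_model_permissions_with_authenticated_user does not show that the flag is what admits the request, because a GET sent with `self.permitted_credentials` presumably returns 200 on the parent view as well (GET needs no model permission in the default `perms_map`). A request whose method does require a model permission, sent by an authenticated user who lacks it, would pin the intended contract: authentication is enforced, the model-permission lookup is skipped. The docstring of that test is also an unfinished sentence; something like `Check that ``_ignore_model_permissions`` still admits an authenticated user.` reads better. The last test in this section continues outside the hunk.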