From c2e536bfda6ca65fb3ecd94522ba50ca80279456 Mon Sep 17 00:00:00 2001 From: Nicolas Delaby Date: Wed, 22 Apr 2015 10:18:30 +0200 Subject: [PATCH] Tell DjangoModelPermissions to rely on get_queryset first. --- rest_framework/permissions.py | 8 +++++++- tests/test_permissions.py | 17 +++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py index 8215957e6..22ca2f812 100644 --- a/rest_framework/permissions.py +++ b/rest_framework/permissions.py @@ -107,7 +107,13 @@ class DjangoModelPermissions(BasePermission): return [perm % kwargs for perm in self.perms_map[method]] def has_permission(self, request, view): - queryset = getattr(view, 'queryset', None) + try: + queryset = view.get_queryset() + except AttributeError: + queryset = getattr(view, 'queryset', None) + except AssertionError: + # view.get_queryset() didn't find .queryset + queryset = None # Workaround to ensure DjangoModelPermissions are not applied # to the root view when using DefaultRouter. diff --git a/tests/test_permissions.py b/tests/test_permissions.py index 97bac33db..223100a78 100644 --- a/tests/test_permissions.py +++ b/tests/test_permissions.py @@ -31,8 +31,19 @@ class InstanceView(generics.RetrieveUpdateDestroyAPIView): authentication_classes = [authentication.BasicAuthentication] permission_classes = [permissions.DjangoModelPermissions] + +class GetQuerySetListView(generics.ListCreateAPIView): + serializer_class = BasicSerializer + authentication_classes = [authentication.BasicAuthentication] + permission_classes = [permissions.DjangoModelPermissions] + + def get_queryset(self): + return BasicModel.objects.all() + + root_view = RootView.as_view() instance_view = InstanceView.as_view() +get_queryset_list_view = GetQuerySetListView.as_view() def basic_auth_header(username, password): @@ -67,6 +78,12 @@ class ModelPermissionsIntegrationTests(TestCase): response = root_view(request, pk=1) self.assertEqual(response.status_code, status.HTTP_201_CREATED) + def test_get_queryset_has_create_permissions(self): + request = factory.post('/', {'text': 'foobar'}, format='json', + HTTP_AUTHORIZATION=self.permitted_credentials) + response = get_queryset_list_view(request, pk=1) + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + def test_has_put_permissions(self): request = factory.put('/1', {'text': 'foobar'}, format='json', HTTP_AUTHORIZATION=self.permitted_credentials)