Tell DjangoModelPermissions to rely on get_queryset first.

2025-01-23 15:54:16 +03:00 · 2015-04-22 10:18:30 +02:00 · 2015-04-22 10:18:30 +02:00 · c2e536bfda
commit c2e536bfda
parent 0ca1145456
2 changed files with 24 additions and 1 deletions
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@ -107,7 +107,13 @@ class DjangoModelPermissions(BasePermission):
        return [perm % kwargs for perm in self.perms_map[method]]

    def has_permission(self, request, view):
-        queryset = getattr(view, 'queryset', None)
+        try:
+            queryset = view.get_queryset()
+        except AttributeError:
+            queryset = getattr(view, 'queryset', None)
+        except AssertionError:
+            # view.get_queryset() didn't find .queryset
+            queryset = None

        # Workaround to ensure DjangoModelPermissions are not applied
        # to the root view when using DefaultRouter.
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@ -31,8 +31,19 @@ class InstanceView(generics.RetrieveUpdateDestroyAPIView):
    authentication_classes = [authentication.BasicAuthentication]
    permission_classes = [permissions.DjangoModelPermissions]

+
+class GetQuerySetListView(generics.ListCreateAPIView):
+    serializer_class = BasicSerializer
+    authentication_classes = [authentication.BasicAuthentication]
+    permission_classes = [permissions.DjangoModelPermissions]
+
+    def get_queryset(self):
+        return BasicModel.objects.all()
+
+
 root_view = RootView.as_view()
 instance_view = InstanceView.as_view()
+get_queryset_list_view = GetQuerySetListView.as_view()


 def basic_auth_header(username, password):
@ -67,6 +78,12 @@ class ModelPermissionsIntegrationTests(TestCase):
        response = root_view(request, pk=1)
        self.assertEqual(response.status_code, status.HTTP_201_CREATED)

+    def test_get_queryset_has_create_permissions(self):
+        request = factory.post('/', {'text': 'foobar'}, format='json',
+                               HTTP_AUTHORIZATION=self.permitted_credentials)
+        response = get_queryset_list_view(request, pk=1)
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
+
    def test_has_put_permissions(self):
        request = factory.put('/1', {'text': 'foobar'}, format='json',
                              HTTP_AUTHORIZATION=self.permitted_credentials)