Revert "Permissions can be checked with arbitrary HTTP methods, only views on which the user has write access display forms"

This reverts commit ae1f0c9b5b.
Camille Harang 2012-02-10 22:23:46 +01:00
parent ae1f0c9b5b
commit c42c72c8bf
4 changed files with 13 additions and 24 deletions


@ -361,14 +361,14 @@ class AuthMixin(object):
return AnonymousUser() return AnonymousUser()
# TODO: wrap this behavior around dispatch() # TODO: wrap this behavior around dispatch()
def _check_permissions(self, test_methods=None): def _check_permissions(self):
""" """
Check user permissions and either raise an ``ErrorResponse`` or return. Check user permissions and either raise an ``ErrorResponse`` or return.
""" """
user = self.user user = self.user
for permission_cls in self.permissions: for permission_cls in self.permissions:
permission = permission_cls(self) permission = permission_cls(self)
permission.check_permission(user, test_methods=test_methods) permission.check_permission(user)
########## Resource Mixin ########## ########## Resource Mixin ##########
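Review bot: The docstring on the new side of `_check_permissions` (L16–L18) says only that it raises or returns; it does not document that the method instantiates every class in `self.permissions` with the view and calls `check_permission` with `self.user`, so the first permission that raises ends the check and later ones never run. Suggest expanding it to `Instantiate each class in ``self.permissions`` with this view and call its ``check_permission`` for ``self.user``; the first one that raises an ``ErrorResponse`` aborts the check, otherwise return normally.` The TODO comment above the method says the call is not yet wrapped around dispatch(), so as far as the visible code shows the check runs only where a view invokes it explicitly; that caveat belongs in the docstring as well.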


@ -41,7 +41,7 @@ class BasePermission(object):
""" """
self.view = view self.view = view
def check_permission(self, auth, test_methods=None, **kwargs): def check_permission(self, auth):
""" """
Should simply return, or raise an :exc:`response.ErrorResponse`. Should simply return, or raise an :exc:`response.ErrorResponse`.
""" """
@ -53,7 +53,7 @@ class FullAnonAccess(BasePermission):
Allows full access. Allows full access.
""" """
def check_permission(self, user, test_methods=None, **kwargs): def check_permission(self, user):
pass pass
@ -62,7 +62,7 @@ class IsAuthenticated(BasePermission):
Allows access only to authenticated users. Allows access only to authenticated users.
""" """
def check_permission(self, user, test_methods=None, **kwargs): def check_permission(self, user):
if not user.is_authenticated(): if not user.is_authenticated():
raise _403_FORBIDDEN_RESPONSE raise _403_FORBIDDEN_RESPONSE
@ -72,7 +72,7 @@ class IsAdminUser(BasePermission):
Allows access only to admin users. Allows access only to admin users.
""" """
def check_permission(self, user, test_methods=None, **kwargs): def check_permission(self, user):
if not user.is_staff: if not user.is_staff:
raise _403_FORBIDDEN_RESPONSE raise _403_FORBIDDEN_RESPONSE
@ -82,9 +82,10 @@ class IsUserOrIsAnonReadOnly(BasePermission):
The request is authenticated as a user, or is a read-only request. The request is authenticated as a user, or is a read-only request.
""" """
def check_permission(self, user, test_methods=None, **kwargs): def check_permission(self, user):
if not test_methods: test_methods = [self.view.method] if (not user.is_authenticated() and
if not user.is_authenticated() and not set(['GET', 'HEAD']).issuperset(test_methods): self.view.method != 'GET' and
self.view.method != 'HEAD'):
raise _403_FORBIDDEN_RESPONSE raise _403_FORBIDDEN_RESPONSE
@ -112,15 +113,11 @@ class BaseThrottle(BasePermission):
""" """
pass pass
def check_permission(self, auth, test_methods=None, **kwargs): def check_permission(self, auth):
""" """
Check the throttling. Check the throttling.
Return `None` or raise an :exc:`.ErrorResponse`. Return `None` or raise an :exc:`.ErrorResponse`.
""" """
# Return if just testing the permission.
if test_methods: return
num, period = getattr(self.view, self.attr_name, self.default).split('/') num, period = getattr(self.view, self.attr_name, self.default).split('/')
self.num_requests = int(num) self.num_requests = int(num)
self.duration = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}[period[0]] self.duration = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}[period[0]]
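Review bot: The parameter of `check_permission` is named `auth` in `BasePermission` (L30) and `BaseThrottle` (L62) but `user` in the four overrides between them (L37, L42, L48, L54); since the base docstring is the contract readers consult, the overrides should use the base name, or the base should be renamed to `user`, which is what `_check_permissions` passes. In `BaseThrottle.check_permission` the rate attribute is parsed inline with `split('/')`, `int(num)` and `{...}[period[0]]`, so a malformed throttle setting (no `/`, a non-numeric count, or an unknown period letter) surfaces as a ValueError, KeyError or IndexError on the first request to that view rather than as a descriptive configuration error; binding the attribute to a local and raising a clear ValueError when it does not match the `num/period` form would make the failure explicit. The body of `BaseThrottle.check_permission` continues past the end of the hunk.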


@ -17,7 +17,6 @@ from djangorestframework.utils import dict2xml, url_resolves
from djangorestframework.utils.breadcrumbs import get_breadcrumbs from djangorestframework.utils.breadcrumbs import get_breadcrumbs
from djangorestframework.utils.mediatypes import get_media_type_params, add_media_type_param, media_type_matches from djangorestframework.utils.mediatypes import get_media_type_params, add_media_type_param, media_type_matches
from djangorestframework import VERSION from djangorestframework import VERSION
from djangorestframework.response import ErrorResponse
import string import string
from urllib import quote_plus from urllib import quote_plus
@ -233,13 +232,6 @@ class DocumentingTemplateRenderer(BaseRenderer):
provide a form that can be used to submit arbitrary content. provide a form that can be used to submit arbitrary content.
""" """
# Return no form if user doesn't have write access to this view
if hasattr(view, '_check_permissions'):
try:
view._check_permissions(test_methods=('POST', 'PUT', 'DELETE', 'PATCH',))
except ErrorResponse:
return None
# Get the form instance if we have one bound to the input # Get the form instance if we have one bound to the input
form_instance = None form_instance = None
if method == getattr(view, 'method', view.request.method).lower(): if method == getattr(view, 'method', view.request.method).lower():


@ -65,7 +65,7 @@
{# Only display the POST/PUT/DELETE forms if method tunneling via POST forms is enabled and the user has permissions on this view. #} {# Only display the POST/PUT/DELETE forms if method tunneling via POST forms is enabled and the user has permissions on this view. #}
{% if METHOD_PARAM and response.status != 403 %} {% if METHOD_PARAM and response.status != 403 %}
{% if 'POST' in view.allowed_methods and post_form %} {% if 'POST' in view.allowed_methods %}
<form action="{{ request.get_full_path }}" method="post" {% if post_form.is_multipart %}enctype="multipart/form-data"{% endif %}> <form action="{{ request.get_full_path }}" method="post" {% if post_form.is_multipart %}enctype="multipart/form-data"{% endif %}>
<fieldset class='module aligned'> <fieldset class='module aligned'>
<h2>POST {{ name }}</h2> <h2>POST {{ name }}</h2>
@ -86,7 +86,7 @@
</form> </form>
{% endif %} {% endif %}
{% if 'PUT' in view.allowed_methods and put_form %} {% if 'PUT' in view.allowed_methods %}
<form action="{{ request.get_full_path }}" method="post" {% if put_form.is_multipart %}enctype="multipart/form-data"{% endif %}> <form action="{{ request.get_full_path }}" method="post" {% if put_form.is_multipart %}enctype="multipart/form-data"{% endif %}>
<fieldset class='module aligned'> <fieldset class='module aligned'>
<h2>PUT {{ name }}</h2> <h2>PUT {{ name }}</h2>
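Review bot: The template comment on L98 states the forms are shown only when "the user has permissions on this view", but the new-side guard checks `response.status != 403` together with `'POST' in view.allowed_methods` (L100) and `'PUT' in view.allowed_methods` (L107), i.e. whether the current request was refused and which methods the view allows, not whether this user may POST or PUT; the comment overstates what is enforced. Suggest rewording it to match the condition: `{# Only display the POST/PUT/DELETE forms if method tunneling via POST forms is enabled and the current request was not rejected with 403. #}`. The enclosing `{% if METHOD_PARAM ... %}` block closes outside the hunks shown.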