Revert "Permissions can be checked with arbitrary HTTP methods, only views on which the user has write access display forms"

This reverts commit ae1f0c9b5b.
2025-02-26 16:30:41 +03:00 · 2012-02-10 22:23:46 +01:00 · 2012-02-10 22:23:46 +01:00 · c42c72c8bf
commit c42c72c8bf
parent ae1f0c9b5b
4 changed files with 13 additions and 24 deletions
--- a/djangorestframework/mixins.py
+++ b/djangorestframework/mixins.py
@ -361,14 +361,14 @@ class AuthMixin(object):
        return AnonymousUser()

    # TODO: wrap this behavior around dispatch()
-    def _check_permissions(self, test_methods=None):
+    def _check_permissions(self):
        """
        Check user permissions and either raise an ``ErrorResponse`` or return.
        """
        user = self.user
        for permission_cls in self.permissions:
            permission = permission_cls(self)
-            permission.check_permission(user, test_methods=test_methods)
+            permission.check_permission(user)


 ########## Resource Mixin ##########
--- a/djangorestframework/permissions.py
+++ b/djangorestframework/permissions.py
@ -41,7 +41,7 @@ class BasePermission(object):
        """
        self.view = view

-    def check_permission(self, auth, test_methods=None, **kwargs):
+    def check_permission(self, auth):
        """
        Should simply return, or raise an :exc:`response.ErrorResponse`.
        """
@ -53,7 +53,7 @@ class FullAnonAccess(BasePermission):
    Allows full access.
    """

-    def check_permission(self, user, test_methods=None, **kwargs):
+    def check_permission(self, user):
        pass


@ -62,7 +62,7 @@ class IsAuthenticated(BasePermission):
    Allows access only to authenticated users.
    """

-    def check_permission(self, user, test_methods=None, **kwargs):
+    def check_permission(self, user):
        if not user.is_authenticated():
            raise _403_FORBIDDEN_RESPONSE

@ -72,7 +72,7 @@ class IsAdminUser(BasePermission):
    Allows access only to admin users.
    """

-    def check_permission(self, user, test_methods=None, **kwargs):
+    def check_permission(self, user):
        if not user.is_staff:
            raise _403_FORBIDDEN_RESPONSE

@ -82,9 +82,10 @@ class IsUserOrIsAnonReadOnly(BasePermission):
    The request is authenticated as a user, or is a read-only request.
    """

-    def check_permission(self, user, test_methods=None, **kwargs):
-        if not test_methods: test_methods = [self.view.method]
-        if not user.is_authenticated() and not set(['GET', 'HEAD']).issuperset(test_methods):
+    def check_permission(self, user):
+        if (not user.is_authenticated() and
+            self.view.method != 'GET' and
+            self.view.method != 'HEAD'):
            raise _403_FORBIDDEN_RESPONSE


@ -112,15 +113,11 @@ class BaseThrottle(BasePermission):
        """
        pass

-    def check_permission(self, auth, test_methods=None, **kwargs):
+    def check_permission(self, auth):
        """
        Check the throttling.
        Return `None` or raise an :exc:`.ErrorResponse`.
        """
-
-        # Return if just testing the permission.
-        if test_methods: return
-
        num, period = getattr(self.view, self.attr_name, self.default).split('/')
        self.num_requests = int(num)
        self.duration = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}[period[0]]
--- a/djangorestframework/renderers.py
+++ b/djangorestframework/renderers.py
@ -17,7 +17,6 @@ from djangorestframework.utils import dict2xml, url_resolves
 from djangorestframework.utils.breadcrumbs import get_breadcrumbs
 from djangorestframework.utils.mediatypes import get_media_type_params, add_media_type_param, media_type_matches
 from djangorestframework import VERSION
-from djangorestframework.response import ErrorResponse

 import string
 from urllib import quote_plus
@ -233,13 +232,6 @@ class DocumentingTemplateRenderer(BaseRenderer):
        provide a form that can be used to submit arbitrary content.
        """

-        # Return no form if user doesn't have write access to this view
-        if hasattr(view, '_check_permissions'):
-            try:
-                view._check_permissions(test_methods=('POST', 'PUT', 'DELETE', 'PATCH',))
-            except ErrorResponse:
-                return None
-
        # Get the form instance if we have one bound to the input
        form_instance = None
        if method == getattr(view, 'method', view.request.method).lower():
--- a/djangorestframework/templates/renderer.html
+++ b/djangorestframework/templates/renderer.html
@ -65,7 +65,7 @@
 	{# Only display the POST/PUT/DELETE forms if method tunneling via POST forms is enabled and the user has permissions on this view. #}
 	{% if METHOD_PARAM and response.status != 403 %}

-		{% if 'POST' in view.allowed_methods and post_form %}
+		{% if 'POST' in view.allowed_methods %}
 				<form action="{{ request.get_full_path }}" method="post" {% if post_form.is_multipart %}enctype="multipart/form-data"{% endif %}>
 				<fieldset class='module aligned'>
 					<h2>POST {{ name }}</h2>
@ -86,7 +86,7 @@
 				</form>
 		{% endif %}

-		{% if 'PUT' in view.allowed_methods and put_form %}
+		{% if 'PUT' in view.allowed_methods %}
 				<form action="{{ request.get_full_path }}" method="post" {% if put_form.is_multipart %}enctype="multipart/form-data"{% endif %}>
 				<fieldset class='module aligned'>
 					<h2>PUT {{ name }}</h2>