From c8773671e7adfe8e9de162f3215470f0ed879f23 Mon Sep 17 00:00:00 2001
From: Denis Untevskiy
Date: Fri, 25 Aug 2017 22:14:33 +0200
Subject: [PATCH] + Rejecting anonymous in DjangoModelPermissions *before* the .get_queryset call
---
 rest_framework/permissions.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py
index 57de3a35c..26728b2d6 100644
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@@ -120,6 +120,10 @@ class DjangoModelPermissions(BasePermission):
 if getattr(view, '_ignore_model_permissions', False):
 return True
+ if not request.user or (
+ not is_authenticated(request.user) and self.authenticated_users_only):
+ return False
+
 if hasattr(view, 'get_queryset'):
 queryset = view.get_queryset()
 assert queryset is not None, (
@@ -135,11 +139,7 @@ class DjangoModelPermissions(BasePermission):
 perms = self.get_required_permissions(request.method, queryset.model)
- return (
- request.user and
- (is_authenticated(request.user) or not self.authenticated_users_only) and
- request.user.has_perms(perms)
- )
+ return request.user.has_perms(perms)
 class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):
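Review bot: Nothing in this patch pins the ordering of the new early `return False` ahead of `view.get_queryset()` in the first hunk: the diffstat lists only `rest_framework/permissions.py`, so no test accompanies the change, and the guard carries no comment (the enclosing method starts and ends outside the hunk). A regression test whose view raises inside `get_queryset()` and asserts that an unauthenticated request is still denied would protect it, together with a comment above the guard such as `# Deny unauthenticated requests before get_queryset(), which may rely on request.user`. The second hunk's bare `return request.user.has_perms(perms)` is only safe while that guard stays above it, because the `request.user` truthiness check was removed from the return expression. Separately, the `_ignore_model_permissions` short-circuit still precedes the authentication check, so a view carrying that attribute is allowed by this class without authentication; that looks intentional, but is worth confirming and documenting.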