encode/django-rest-framework
1
1
Fork 0
mirror of https://github.com/encode/django-rest-framework.git synced 2024-11-23 01:57:00 +03:00
Code Issues Packages Projects Releases Wiki Activity

+ Rejecting anonymous in DjangoModelPermissions *before* the .get_queryset call

Browse Source
This commit is contained in:
Denis Untevskiy 2017-08-25 22:14:33 +02:00 committed by Ryan P Kilby
parent 2ea368e80f
commit c8773671e7
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
rest_framework/permissions.py
View File

@ -120,6 +120,10 @@ class DjangoModelPermissions(BasePermission):
if getattr(view, '_ignore_model_permissions', False): if getattr(view, '_ignore_model_permissions', False):
return True return True
if not request.user or (
not is_authenticated(request.user) and self.authenticated_users_only):
return False
if hasattr(view, 'get_queryset'): if hasattr(view, 'get_queryset'):
queryset = view.get_queryset() queryset = view.get_queryset()
assert queryset is not None, ( assert queryset is not None, (
@ -135,11 +139,7 @@ class DjangoModelPermissions(BasePermission):
perms = self.get_required_permissions(request.method, queryset.model) perms = self.get_required_permissions(request.method, queryset.model)
return ( return request.user.has_perms(perms)
request.user and
(is_authenticated(request.user) or not self.authenticated_users_only) and
request.user.has_perms(perms)
)
class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions): class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):