diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py index 71de226f9..07c0231c5 100644 --- a/rest_framework/permissions.py +++ b/rest_framework/permissions.py @@ -186,9 +186,9 @@ class DjangoModelPermissions(BasePermission): # Override this if you need to also provide 'view' permissions, # or if you want to provide custom permission codes. perms_map = { - 'GET': [], + 'GET': ['%(app_label)s.view_%(model_name)s'], 'OPTIONS': [], - 'HEAD': [], + 'HEAD': ['%(app_label)s.view_%(model_name)s'], 'POST': ['%(app_label)s.add_%(model_name)s'], 'PUT': ['%(app_label)s.change_%(model_name)s'], 'PATCH': ['%(app_label)s.change_%(model_name)s'], @@ -239,8 +239,16 @@ class DjangoModelPermissions(BasePermission): queryset = self._queryset(view) perms = self.get_required_permissions(request.method, queryset.model) + change_perm = self.get_required_permissions('PUT', queryset.model) - return request.user.has_perms(perms) + user = request.user + if request.method == 'GET': + if user.has_perms(perms) or user.has_perms(change_perm): + return True + else: + return False + + return user.has_perms(perms) class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions): diff --git a/tests/test_permissions.py b/tests/test_permissions.py index aefff981e..428480dc7 100644 --- a/tests/test_permissions.py +++ b/tests/test_permissions.py @@ -80,7 +80,8 @@ class ModelPermissionsIntegrationTests(TestCase): user.user_permissions.set([ Permission.objects.get(codename='add_basicmodel'), Permission.objects.get(codename='change_basicmodel'), - Permission.objects.get(codename='delete_basicmodel') + Permission.objects.get(codename='delete_basicmodel'), + Permission.objects.get(codename='view_basicmodel') ]) user = User.objects.create_user('updateonly', 'updateonly@example.com', 'password') @@ -139,6 +140,15 @@ class ModelPermissionsIntegrationTests(TestCase): response = get_queryset_list_view(request, pk=1) self.assertEqual(response.status_code, status.HTTP_201_CREATED) + def test_has_get_permissions(self): + request = factory.get('/', HTTP_AUTHORIZATION=self.permitted_credentials) + response = root_view(request) + self.assertEqual(response.status_code, status.HTTP_200_OK) + + request = factory.get('/1', HTTP_AUTHORIZATION=self.updateonly_credentials) + response = root_view(request, pk=1) + self.assertEqual(response.status_code, status.HTTP_200_OK) + def test_has_put_permissions(self): request = factory.put('/1', {'text': 'foobar'}, format='json', HTTP_AUTHORIZATION=self.permitted_credentials) @@ -156,6 +166,15 @@ class ModelPermissionsIntegrationTests(TestCase): response = root_view(request, pk=1) self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + def test_does_not_have_get_permissions(self): + request = factory.get('/', HTTP_AUTHORIZATION=self.disallowed_credentials) + response = root_view(request) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + + request = factory.get('/1', HTTP_AUTHORIZATION=self.disallowed_credentials) + response = root_view(request, pk=1) + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + def test_does_not_have_put_permissions(self): request = factory.put('/1', {'text': 'foobar'}, format='json', HTTP_AUTHORIZATION=self.disallowed_credentials)