fixes bug in APIView with object level permissions

2025-08-04 20:40:14 +03:00 · 2016-07-25 03:32:04 -07:00 · 2016-07-25 03:32:04 -07:00 · ed6a14058a
commit ed6a14058a
parent 0f61c9ec29
2 changed files with 9 additions and 1 deletions
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@ -151,6 +151,9 @@ class DjangoObjectPermissions(DjangoModelPermissions):
    This permission can only be applied against view classes that
    provide a `.queryset` attribute.
    """
    requires_object_permission = True
    perms_map = {
        'GET': [],
        'OPTIONS': [],
--- a/rest_framework/views.py
+++ b/rest_framework/views.py
@ -7,6 +7,7 @@ from django.core.exceptions import PermissionDenied
 from django.db import models
 from django.http import Http404
 from django.http.response import HttpResponseBase
 from django.shortcuts import get_object_or_404 as _get_object_or_404
 from django.utils import six
 from django.utils.encoding import smart_text
 from django.utils.translation import ugettext_lazy as _
@ -382,6 +383,10 @@ class APIView(View):
        # Ensure that the incoming request is permitted
        self.perform_authentication(request)
        if getattr(self, 'requires_object_permission', None) and 'pk' in kwargs:
            obj = _get_object_or_404(self.get_queryset(), pk=kwargs['pk'])
            self.check_object_permissions(request, obj)
        else:
            self.check_permissions(request)
        self.check_throttles(request)