`IsAuthenticatedOrReadOnly` authorizes users that are not
authenticated for read-only access to resources.
Therefore, they are unauthenticated users, not unauthorized users.
Apart from a few exceptions, django-rest-framework uses the American
English spelling "authorization"/"authorized".
$ git grep -oi authorised | wc -l
2
$ git grep -oi authorized | wc -l
30
Replace the few occurences of the British English spelling with the
American English one.
I found it unclear how the model was determined for `DjangoModelPermissions`. The docs say you need a `queryset` or `get_queryset`, but not that the value returned from those is what determines the model that is used.
I might just be misunderstanding something (always a strong possibility!), but it seems to me that the table on the Permissions page is slightly inaccurate.
For `permission_classes`, wouldn't it have global-level permissions for list actions (rather than no permission control, as is currently listed)?
* Document the limitation that object level permissions do not apply to object creation. See for example #6409.
* Add overview of three different ways to restrict access
* Add drf-psq to third party packages
* Add drf-psq to permissions.md
this package is an extension that gives support for having action-based **permission_classes**, **serializer_class**, and **queryset** dependent on permission-based rules.
Co-authored-by: Salar Nasiri <salarnasiri@users.noreply.github.com>
* permissions: Allow permissions to be composed
Implement a system to compose permissions with and / or.
This is performed by returning an `OperationHolder` instance that keeps the
permission classes and type of composition (and / or).
When called it will return a AND/OR instance that will then delegate the
permission check to the operands.
* permissions: Add documentation about composed permissions
* Fix documentation typo in permissions
* Remove trailing whitespace from lines
* Remove trailing nad leading whitespace from files
Allows for cleaner diffs in future changes. For editors that
automatically clean up whitespace on save, will avoid unrelated line
changes in diffs.
* Update get_object() example in permissions.md
I'm a bit confused about the example that's provided in the 'Object level permissions' section. Other examples (e.g. Tutorial 3 - Class Based Views) provided a pk to get_object(). It doesn't seem like this example has any way of identifying a specific object.
Just in case I'm correct, I've prepared this pull request. But if I'm wrong, would it be possible for you to explain the example I modified?
Many Thanks...
* Adjust patch
