Commit Graph

50 Commits

Author SHA1 Message Date
Ghosts6
f6ed811e97 Fix formatting and resolve pre-commit errors 2024-10-19 20:10:57 +01:00
Ghosts6
f471f5871f Add custom validators, permission classes, and PermissionTestModel for testing permissions 2024-10-19 19:41:07 +01:00
Ivan Studinsky
1e9b5c15ec
Provide tests for hashing of OperandHolder (#9437) 2024-06-15 14:00:28 +06:00
Tom Christie
4f10c4e43e
Revert "Fix Respect can_read_model permission in DjangoModelPermissions (#8…" (#9332)
This reverts commit 0618fa88e1.
2024-03-21 22:45:12 +00:00
Manish Kumar Shah
0618fa88e1
Fix Respect can_read_model permission in DjangoModelPermissions (#8009)
* Fix Respect `can_read_model` permission in DjangoModelPermissions

FIXES: #6324

* Updated documentation and simplified code
2023-01-13 14:52:54 +06:00
Denny Biasiolli
c0d95cb967
Fix #8771 - Checking for authentication even if _ignore_model_permissions = True (#8772) 2022-11-22 20:21:16 +06:00
David Smith
4aea8dd65a
Change semantic of OR of two permission classes (#7522)
* Change semantic of OR of two permission classes

The original semantic of OR is defined as: the request pass either of the two has_permission() check, and pass either of the two has_object_permission() check, which could lead to situations that a request passes has_permission() but fails on has_object_permission() of Permission Class A, fails has_permission() but passes has_object_permission() of Permission Class B, passes the OR permission check. This should not be the desired permission check semantic in applications, because such a request should fail on either Permission Class (on Django object permission) alone, but passes the OR or the two.

My code fix this by changing the semantic so that the request has to pass either class's has_permission() and has_object_permission() to get the Django object permission of the OR check.

* Update rest_framework/permissions.py

* Update setup.cfg

Co-authored-by: Mark Yu <markyu98@outlook.com>
Co-authored-by: Tom Christie <tom@tomchristie.com>
2022-09-21 12:19:33 +01:00
David Smith
9990b59281
Dropped test compatibility shims for Django <2.2. (#7523) 2020-09-07 20:00:17 +02:00
Jair Henrique
65add6679d
Remove unnecessary test skips (#7336) 2020-05-14 14:49:04 +01:00
Mathieu Pillard
d7777ea10f
Pass custom code to PermissionDenied if permission class had one set (#7306) 2020-05-01 10:22:36 +01:00
Ryan P Kilby
a8c86be660
Update linter requirements (#7010) 2019-10-22 11:18:51 -07:00
Ryan P Kilby
db37512a6e
Remove 3.10 deprecations (#6687)
* Remove DjangoObjectPermissionsFilter
* Remove detail_route/list_route
* Bump deprecation warning versions
2019-05-21 10:36:55 -07:00
Carlton Gibson
0407a0df8a
Dropped Python 2 compatibility. (#6615)
Thanks to Jon Dufresne (@jdufresne) for review.

Co-authored-by: Asif Saif Uddin <auvipy@gmail.com>
Co-authored-by: Rizwan Mansuri <Rizwan@webbyfox.com>
2019-04-30 17:53:44 +02:00
Carlton Gibson
94593b3a50
Introduce RemovedInDRF…Warning classes to simplify deprecations. (#6480)
Closes #6290.
2019-03-03 09:20:45 +01:00
Adrien Brunet
2daf6f1341 Add negation ~ operator to permissions composition (#6361) 2019-02-25 15:33:40 +01:00
Frédéric Massart
94fbfcb6fd Added lazy evaluation to composed permissions. (#6463)
Refs #6402.
2019-02-25 13:47:02 +01:00
Xavier Ordoquy
74574217a4 Fix composable permissions
In some cases we end with an operation between two `OperandHolder`.
This didn't work as it didn't knew how to deal with | or &
This fixes by adding those operations.
2018-11-27 15:29:44 +01:00
Mark Davidoff
1f13b6f6b2 use actual user instead of fake user in permission composition test 2018-10-29 10:45:40 -07:00
Mark Davidoff
fc08e0189f
update tests to reflect that django now returns a callable for is_authenticated 2018-10-29 08:26:20 -07:00
Xavier Ordoquy
b41a6cfa38 permissions: Allow permissions to be composed (#5753)
* permissions: Allow permissions to be composed

Implement a system to compose permissions with and / or.
This is performed by returning an `OperationHolder` instance that keeps the
permission classes and type of composition (and / or).
When called it will return a AND/OR instance that will then delegate the
permission check to the operands.

* permissions: Add documentation about composed permissions

* Fix documentation typo in permissions
2018-10-03 15:36:24 +01:00
Ryan P Kilby
66183389f6 Deprecate DjangoObjectPermissionsFilter (#6075) 2018-10-02 16:34:25 +02:00
Ryan P Kilby
9b8af04e7f Move guardian imports out of compat (#6054) 2018-07-06 11:32:02 +02:00
Ryan P Kilby
c5ab65923f
tests/test_permissions.py: do not add view perm for dj21 (#6055) 2018-06-23 07:31:06 -04:00
Jon Dufresne
ffe3dbb1b1 Perfer iter(dict) over iter(dict.keys()) (#5736)
Calling dict.keys() is unnecessary. The two are functionally equivalent
on modern Pythons.

Inspired by Lennart Regebro's talk "Prehistoric Patterns in Python" from
PyCon 2017.

https://www.youtube.com/watch?v=V5-JH23Vk0I
2018-01-08 09:49:46 +00:00
Ryan P Kilby
8d7ce3726d Compat cleanup (#5581)
* Reenable flake8 on compat, cleanup style/imports

* Cleanup compat urls imports

* Refactor compat url pattern/resolver imports

* Add comment re dropping pytz compat

... when dropping Django 1.10

* Strip whitespace

Grrr. GitHub web editor 😡
2017-11-10 09:41:03 +01:00
Carlton Gibson
c674687782 Remove Django 1.8 & 1.9 compatibility code (#5481)
* Identify code that needs to be pulled out of/removed from compat.py

* Extract modern code from get_names_and_managers in compat.py and remove compat code

* Extract modern code from is_authenticated() in compat.py and remove.

* Extract modern code from is_anonymous() in compat.py and remove

* Extract modern code from get_related_model() from compat.py and remove

* Extract modern code from value_from_object() in compat.py and remove

* Update postgres compat

JSONField now always available.

* Remove DecimalValidator compat

* Remove get_remote_field compat

* Remove template_render compat

Plus isort.

* Remove set_many compat

* Remove include compat
2017-10-05 20:41:38 +02:00
Ryan P Kilby
23b2d8099b Unify QS handling for model/object permissions 2017-09-01 13:56:39 -04:00
Ryan P Kilby
2ea368e80f Add failing test for #5367 2017-08-30 16:53:08 -04:00
Ryan P Kilby
79c1f2154a Fix authorization few perms tests 2017-08-30 16:52:38 -04:00
Bekhzod Tillakhanov
84e22cc2f3 Scheme fix when unauth and Flask8 lint fix 2017-05-30 00:15:07 +05:00
tdruez
d616c1591f Added a test to cover the DjangoModelPermissions #4927 issue
`DjangoObjectPermissions` and `DjangoModelPermissions` are now properly cover for the `METHOD_NOT_ALLOWED` issue
2017-03-01 09:50:21 +01:00
tdruez
c30ccac38e Added a failing test for #4927 2017-02-27 20:39:47 +01:00
Tom Christie
0dec36eb41 Version 3.5 (#4525)
* Start test case

* Added 'requests' test client

* Address typos

* Graceful fallback if requests is not installed.

* Add cookie support

* Tests for auth and CSRF

* Py3 compat

* py3 compat

* py3 compat

* Add get_requests_client

* Added SchemaGenerator.should_include_link

* add settings for html cutoff on related fields

* Router doesn't work if prefix is blank, though project urls.py handles prefix

* Fix Django 1.10 to-many deprecation

* Add django.core.urlresolvers compatibility

* Update django-filter & django-guardian

* Check for empty router prefix; adjust URL accordingly

It's easiest to fix this issue after we have made the regex.  To try
to fix it before would require doing something different for List vs
Detail, which means we'd have to know which type of url we're
constructing before acting accordingly.

* Fix misc django deprecations

* Use TOC extension instead of header

* Fix deprecations for py3k

* Add py3k compatibility to is_simple_callable

* Add is_simple_callable tests

* Drop python 3.2 support (EOL, Dropped by Django)

* schema_renderers= should *set* the renderers, not append to them.

* API client (#4424)

* Fix release notes

* Add note about 'User account is disabled.' vs 'Unable to log in'

* Clean up schema generation (#4527)

* Handle multiple methods on custom action (#4529)

* RequestsClient, CoreAPIClient

* exclude_from_schema

* Added 'get_schema_view()' shortcut

* Added schema descriptions

* Better descriptions for schemas

* Add type annotation to schema generation

* Coerce schema 'pk' in path to actual field name

* Deprecations move into assertion errors

* Use get_schema_view in tests

* Updte CoreJSON media type

* Handle schema structure correctly when path prefixs exist. Closes #4401

* Add PendingDeprecation to Router schema generation.

* Added SCHEMA_COERCE_PATH_PK and SCHEMA_COERCE_METHOD_NAMES

* Renamed and documented 'get_schema_fields' interface.
2016-10-10 13:03:46 +01:00
Tom Christie
9c996d7d2a Clean up existing deprecation warnings. (#4166)
* Add Meta.fields = '__all__' to serializer classes where required.
* Add explicit on_delete=models.CASCADE to ForeignKey fields.
* Use '.remote_field' and '.model' in preference to '.rel' and '.to' when inspecting model fields.
* Use new value_from_object in preference to internal _get_val_from_obj
2016-06-02 14:39:10 +01:00
Carlton Gibson
0b34408172 Remove unittest.skipUnless 2015-09-22 16:24:22 +02:00
Carlton Gibson
25de8c960f Remove Django 1.5 get_model_name fallback 2015-09-21 20:10:31 +02:00
Tom Christie
48540f180a unittest compat fallback 2015-08-27 17:11:53 +01:00
José Padilla
7351a3f6ca Sort imports with isort 2015-06-25 16:55:51 -04:00
Tom Christie
8329411cc3 Merge pull request #2539 from donewell/permission-detail
add message to custom permission
2015-06-24 11:32:02 +01:00
Nicolas Delaby
031ac2a292 Allow DjangoObjectPermissions to use views that define get_queryset 2015-05-13 14:26:44 +02:00
Nicolas Delaby
6f66798ad3 Prevent empty querysets to raises AssertionError. 2015-04-22 11:13:09 +02:00
Nicolas Delaby
c2e536bfda Tell DjangoModelPermissions to rely on get_queryset first. 2015-04-22 10:18:30 +02:00
donewell
3d25dadbf3 change custom message for clarity 2015-02-11 11:20:03 +00:00
donewell
9ea615af14 add message to custom permission
change detail to message and update text
2015-02-10 20:11:53 +00:00
Tom Christie
9e75c4d8ea Reinstate OPTIONS tests 2014-11-13 16:24:03 +00:00
Tom Christie
21980b800d More test sorting 2014-09-08 14:24:05 +01:00
Tom Christie
f2852811f9 Getting tests passing 2014-09-02 17:41:23 +01:00
Tom Christie
b3253b4283 Remove .model usage in tests.
Remove the shortcut `.model` view attribute usage from test cases.
2014-08-29 12:35:53 +01:00
Tom Christie
bf09c32de8 Code linting and added runtests.py 2014-08-19 13:28:07 +01:00
Andreas Pelme
971578ca34 Support for running the test suite with py.test
* Get rid of runtests.py
 * Moved test code  from rest_framework/tests and rest_framework/runtests to tests
 * Invoke py.test from setup.py
 * Invoke py.test from Travis
 * Invoke py.test from tox
 * Changed setUpClass to be just plain setUp in test_permissions.py
 * Updated contribution guideline to show how to invoke py.test
2014-03-02 12:40:30 +01:00