django-rest-framework/rest_framework
David Smith 4aea8dd65a
Change semantic of OR of two permission classes (#7522)
* Change semantic of OR of two permission classes

The original semantic of OR is defined as: the request passes either of the two has_permission() checks, and passes either of the two has_object_permission() checks, which could lead to situations where a request that passes has_permission() but fails on has_object_permission() of Permission Class A, and fails has_permission() but passes has_object_permission() of Permission Class B, passes the OR permission check. This should not be the desired permission check semantic in applications, because such a request should fail on either Permission Class (on Django object permission) alone, but passes the OR of the two.

My code fixes this by changing the semantic so that the request has to pass either class's has_permission() and has_object_permission() to get the Django object permission of the OR check.

* Update rest_framework/permissions.py

* Update setup.cfg

Co-authored-by: Mark Yu <markyu98@outlook.com>
Co-authored-by: Tom Christie <tom@tomchristie.com>
2022-09-21 12:19:33 +01:00
authtoken Don't hit db to access user_id in TokenProxy (#7852) 2021-03-19 11:46:09 +00:00
locale Translations updated from transifex and compiled 2020-10-13 22:05:24 +02:00
management Add file option to generateschema (#7130) 2020-02-12 20:35:54 +01:00
schemas Prevent head method mapping to coerce action name (#7729) 2022-08-12 12:00:55 +01:00
static/rest_framework Upgraded Bootstrap to 3.4.1 and added CSS source maps (#8591) 2022-08-10 11:53:21 +01:00
templates/rest_framework Revert "made Browsable API base template cachable: omit CSRF token when unnecessary (#7717)" (#7847) 2021-03-17 13:24:55 +00:00
templatetags Made relative URLs clickable as well. (#8464) 2022-06-08 15:03:00 +01:00
utils Replaced parse_header with parse_header_parameters. (#8556) 2022-07-14 14:20:36 +02:00
__init__.py Version 3.13.1 2021-12-15 15:18:24 +00:00
apps.py Make DEFAULT_PAGINATION_CLASS None by default. (#5170) 2017-09-25 15:36:30 +02:00
authentication.py #7157: Fix RemoteUserAuthentication calling django authenticate with request argument (#7158) 2021-09-03 14:37:03 +01:00
checks.py Fix punctuation in system check (#7281) 2020-04-20 16:40:05 -07:00
compat.py Replaced parse_header with parse_header_parameters. (#8556) 2022-07-14 14:20:36 +02:00
decorators.py if else optimization (#8340) 2022-01-27 15:02:20 +00:00
documentation.py Updated url()'s with path() and re_path() (#7492) 2020-08-25 13:50:02 +02:00
exceptions.py Refactor short names in exceptions (#8585) 2022-08-01 16:28:05 +01:00
fields.py Stop calling set_context, planned for 3.13 drop (#8589) 2022-08-08 11:18:49 +01:00
filters.py Ordering filter bug with model property serializer field (#7609) 2021-03-16 12:53:39 +00:00
generics.py Allow context to be provided to get_serializer (#7298) 2020-04-29 11:19:44 +01:00
metadata.py replace force_text with force_str 2019-08-07 21:05:24 +02:00
mixins.py Dropped Python 2 compatibility. (#6615) 2019-04-30 17:53:44 +02:00
negotiation.py Replaced parse_header with parse_header_parameters. (#8556) 2022-07-14 14:20:36 +02:00
pagination.py Fix CursorPagination parameter schema type (#7708) 2021-12-13 14:03:09 +00:00
parsers.py Replaced parse_header with parse_header_parameters. (#8556) 2022-07-14 14:20:36 +02:00
permissions.py Change semantic of OR of two permission classes (#7522) 2022-09-21 12:19:33 +01:00
relations.py Handle unset fields with 'many=True' (#7574) 2022-06-08 14:46:19 +01:00
renderers.py Replaced parse_header with parse_header_parameters. (#8556) 2022-07-14 14:20:36 +02:00
request.py Replaced parse_header with parse_header_parameters. (#8556) 2022-07-14 14:20:36 +02:00
response.py Remove unnecessary bytes() calls (#6626) 2019-05-30 15:05:27 -07:00
reverse.py Dropped Python 2 compatibility. (#6615) 2019-04-30 17:53:44 +02:00
routers.py Linting fixes (#7874) 2021-03-26 12:27:10 +00:00
serializers.py Enforce is_valid(raise_exception=False) as a keyword-only argument. (#7952) 2022-08-10 14:00:30 +01:00
settings.py Add note that APISettings is an internal class (#7144) 2020-01-15 10:52:29 +00:00
status.py Added http 102, 103, 421, and 425 status codes (#8350) 2022-02-03 11:57:47 +00:00
test.py Make APIClient.force_authenticate() work with user=None (#8212) 2022-09-15 09:35:48 +01:00
throttling.py Fix error in throttling when request.user is None (#8370) 2022-06-24 13:02:11 +01:00
urlpatterns.py Updated url()'s with path() and re_path() (#7492) 2020-08-25 13:50:02 +02:00
urls.py Replace all url() calls with path() or re_path() (#7512) 2020-09-08 15:32:27 +01:00
validators.py Make CharField prohibit surrogate characters (#7026) (#7067) 2020-01-06 14:12:21 +00:00
versioning.py Replace all url() calls with path() or re_path() (#7512) 2020-09-08 15:32:27 +01:00
views.py support multi db atomic_requests (#7739) 2021-03-03 11:15:39 +00:00
viewsets.py Fixes that namespaced views now also appear in the extra actions (#8598) 2022-08-31 11:17:19 +01:00