Skip to content

Commit 0618fa8

Browse files
ManishShah120ManishShah120
authored
Fix Respect can_read_model permission in DjangoModelPermissions (#8009)
* Fix Respect `can_read_model` permission in DjangoModelPermissions FIXES: #6324 * Updated documentation and simplified code
1 parent 2d19f23 commit 0618fa8

File tree

3 files changed

+30
-5
lines changed

3 files changed

+30
-5
lines changed

docs/api-guide/permissions.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -173,11 +173,12 @@ This permission is suitable if you want to your API to allow read permissions to
173173

174174
This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth]. This permission must only be applied to views that have a `.queryset` property or `get_queryset()` method. Authorization will only be granted if the user *is authenticated* and has the *relevant model permissions* assigned. The appropriate model is determined by checking `get_queryset().model` or `queryset.model`.
175175

176+
* `GET` requests require the user to have the `view` or `change` permission on the model
176177
* `POST` requests require the user to have the `add` permission on the model.
177178
* `PUT` and `PATCH` requests require the user to have the `change` permission on the model.
178179
* `DELETE` requests require the user to have the `delete` permission on the model.
179180

180-
The default behavior can also be overridden to support custom model permissions. For example, you might want to include a `view` model permission for `GET` requests.
181+
The default behaviour can also be overridden to support custom model permissions.
181182

182183
To use custom model permissions, override `DjangoModelPermissions` and set the `.perms_map` property. Refer to the source code for details.
183184

rest_framework/permissions.py

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -186,9 +186,9 @@ class DjangoModelPermissions(BasePermission):
186186
# Override this if you need to also provide 'view' permissions,
187187
# or if you want to provide custom permission codes.
188188
perms_map = {
189-
'GET': [],
189+
'GET': ['%(app_label)s.view_%(model_name)s'],
190190
'OPTIONS': [],
191-
'HEAD': [],
191+
'HEAD': ['%(app_label)s.view_%(model_name)s'],
192192
'POST': ['%(app_label)s.add_%(model_name)s'],
193193
'PUT': ['%(app_label)s.change_%(model_name)s'],
194194
'PATCH': ['%(app_label)s.change_%(model_name)s'],
@@ -239,8 +239,13 @@ def has_permission(self, request, view):
239239

240240
queryset = self._queryset(view)
241241
perms = self.get_required_permissions(request.method, queryset.model)
242+
change_perm = self.get_required_permissions('PUT', queryset.model)
243+
244+
user = request.user
245+
if request.method == 'GET':
246+
return user.has_perms(perms) or user.has_perms(change_perm)
242247

243-
return request.user.has_perms(perms)
248+
return user.has_perms(perms)
244249

245250

246251
class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):

tests/test_permissions.py

Lines changed: 20 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -80,7 +80,8 @@ def setUp(self):
8080
user.user_permissions.set([
8181
Permission.objects.get(codename='add_basicmodel'),
8282
Permission.objects.get(codename='change_basicmodel'),
83-
Permission.objects.get(codename='delete_basicmodel')
83+
Permission.objects.get(codename='delete_basicmodel'),
84+
Permission.objects.get(codename='view_basicmodel')
8485
])
8586

8687
user = User.objects.create_user('updateonly', 'updateonly@example.com', 'password')
@@ -139,6 +140,15 @@ def test_get_queryset_has_create_permissions(self):
139140
response = get_queryset_list_view(request, pk=1)
140141
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
141142

143+
def test_has_get_permissions(self):
144+
request = factory.get('/', HTTP_AUTHORIZATION=self.permitted_credentials)
145+
response = root_view(request)
146+
self.assertEqual(response.status_code, status.HTTP_200_OK)
147+
148+
request = factory.get('/1', HTTP_AUTHORIZATION=self.updateonly_credentials)
149+
response = root_view(request, pk=1)
150+
self.assertEqual(response.status_code, status.HTTP_200_OK)
151+
142152
def test_has_put_permissions(self):
143153
request = factory.put('/1', {'text': 'foobar'}, format='json',
144154
HTTP_AUTHORIZATION=self.permitted_credentials)
@@ -156,6 +166,15 @@ def test_does_not_have_create_permissions(self):
156166
response = root_view(request, pk=1)
157167
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
158168

169+
def test_does_not_have_get_permissions(self):
170+
request = factory.get('/', HTTP_AUTHORIZATION=self.disallowed_credentials)
171+
response = root_view(request)
172+
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
173+
174+
request = factory.get('/1', HTTP_AUTHORIZATION=self.disallowed_credentials)
175+
response = root_view(request, pk=1)
176+
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
177+
159178
def test_does_not_have_put_permissions(self):
160179
request = factory.put('/1', {'text': 'foobar'}, format='json',
161180
HTTP_AUTHORIZATION=self.disallowed_credentials)

0 commit comments

Comments
 (0)