From 69688289ce22c874a430910a0b85c0d5a68d1f3c Mon Sep 17 00:00:00 2001
From: Aarni Koskela
Date: Tue, 24 Nov 2015 14:44:00 +0200
Subject: [PATCH] Ensure `Django{Model,Object}Permissions` don't hide exceptions.
Quietly catching `AttributeError` and `TypeError` when calling `get_queryset()` is rather insidious, as those exceptions get caught no matter where they might happen in the call stack.
---
 rest_framework/permissions.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py
index 292952cfab..4d5832a7a4 100644
--- rest_framework/permissions.py
+++ rest_framework/permissions.py
@@ -112,15 +112,15 @@ def has_permission(self, request, view):
 if getattr(view, '_ignore_model_permissions', False):
 return True
- try:
+ if hasattr(view, 'get_queryset'):
 queryset = view.get_queryset()
- except AttributeError:
+ else:
 queryset = getattr(view, 'queryset', None)
 assert queryset is not None, (
 'Cannot apply DjangoModelPermissions on a view that '
- 'does not have `.queryset` property or overrides the '
- '`.get_queryset()` method.')
+ 'does not set `.queryset` or have a `.get_queryset()` method.'
+ )
 perms = self.get_required_permissions(request.method, queryset.model)
@@ -169,15 +169,15 @@ def get_required_object_permissions(self, method, model_cls):
 return [perm % kwargs for perm in self.perms_map[method]]
 def has_object_permission(self, request, view, obj):
- try:
+ if hasattr(view, 'get_queryset'):
 queryset = view.get_queryset()
- except AttributeError:
+ else:
 queryset = getattr(view, 'queryset', None)
 assert queryset is not None, (
 'Cannot apply DjangoObjectPermissions on a view that '
- 'does not have `.queryset` property or overrides the '
- '`.get_queryset()` method.')
+ 'does not set `.queryset` or have a `.get_queryset()` method.'
+ )
 model_cls = queryset.model
 user = request.user
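Review bot: Nothing in `has_permission` records why the `hasattr` test replaced `try/except AttributeError`, and the diffstat lists only `rest_framework/permissions.py`, so no test pins the new behaviour either. With the old form, an `AttributeError` raised anywhere inside `view.get_queryset()` fell through to `view.queryset`, so the required permissions could be computed from a different queryset's `.model` than the one the view would serve; now the error propagates instead of the check running against the fallback. I would add a comment above the branch, `# No try/except here: an AttributeError raised inside get_queryset() must propagate, not fall back to .queryset.`, and a regression test using a view whose `get_queryset()` raises `AttributeError`. The same applies to the identical branch in `has_object_permission` in the second hunk; `has_permission` itself starts before and continues after this hunk.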
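Review bot: The lookup-and-assert block in `has_object_permission` is a second copy of the one in `has_permission` (first hunk), differing only in the class name inside the assertion message. For code that decides authorization, two copies invite drift: a later fix applied to one method and not the other would leave the model-level and object-level checks resolving the queryset differently. I would move the block into one module-level helper that takes the view and the class name, and have both methods call it, as sketched below. `has_object_permission` continues past the end of the hunk.

```python
def _view_queryset(view, permission_name):
    # … unchanged: hasattr(view, 'get_queryset') / getattr(view, 'queryset', None) lookup …
    assert queryset is not None, (
        'Cannot apply %s on a view that '
        'does not set `.queryset` or have a `.get_queryset()` method.'
        % permission_name
    )
    return queryset

# in has_permission:
queryset = _view_queryset(view, 'DjangoModelPermissions')
# in has_object_permission:
queryset = _view_queryset(view, 'DjangoObjectPermissions')
```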