DjangoModelPermissions shows API root for unauthenticated users #8425
Comments
I agree, I had the same problem. I solved this by changing the order of the checks in `has_permission`:

```python
def has_permission(self, request, view):
    # Authentication check first: reject anonymous users before the
    # root-view special case below can short-circuit to True.
    if not request.user or (
            not request.user.is_authenticated and self.authenticated_users_only):
        return False

    # Workaround to ensure DjangoModelPermissions are not applied
    # to the root view when using DefaultRouter.
    if getattr(view, '_ignore_model_permissions', False):
        return True
    # (the remaining model-permission checks of the method follow here)
```

I think this is the correct order because

Can anyone argue why it should not be in this order?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Does this fix the issue?
Yes! :-) This issue can be closed as fixed!
For others stumbling upon this ticket, this fix only solves the root view being visible to unauthenticated users. The endpoints a user has no permissions for are still visible to all authenticated users.
That's what this ticket is about :)
Do you mean that the root view shows endpoints to the authenticated user even though the user has no permission to "use" them? If that is something you are looking for, I suggest opening a new issue for this.
I noticed that when using `permissions.IsAuthenticated`, the `APIRootView` returns a 403. However, when using `DjangoModelPermissions` this is not the case: it does show the root with all available endpoints. `DjangoModelPermissions.has_permission(...)` does have a check to ensure the user is authenticated in the code (introduced in #5376), but it happens after the special-case handling is done for `APIRootView` (introduced in #2905).
django-rest-framework/rest_framework/permissions.py, lines 219 to 227 in 7e4e6d2
The authentication check should come first, followed by the special case for `APIRootView`, to be consistent with other permission classes. I would be happy to provide a PR to address this.
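The ordering problem described in the issue body, and the reordered check proposed in the first comment, as an added example that is not code from django-rest-framework or from any participant in this thread. The `User`, `Request` and `View` classes are constructed stand-ins for the Django/DRF objects and model only the attributes the permission check reads; the real method derives the required permission codenames from the view's queryset, which is simplified here to a hypothetical `required_perms` attribute. `ModelPermissionsBefore` reproduces the check order the issue reports, `ModelPermissionsAfter` the order proposed as the fix.

```python
# Added example (not DRF's code): a self-contained model of the
# has_permission ordering discussed in this issue.
from dataclasses import dataclass, field


@dataclass
class User:
    """Stand-in for a Django user; only what the check reads is modelled."""
    is_authenticated: bool
    perms: set = field(default_factory=set)

    def has_perms(self, codenames):
        return set(codenames) <= self.perms


@dataclass
class Request:
    user: User
    method: str = "GET"


@dataclass
class View:
    # DefaultRouter sets this attribute on the APIRootView it generates.
    _ignore_model_permissions: bool = False
    # Hypothetical stand-in for the codenames DRF computes per view/method.
    required_perms: tuple = ()


class ModelPermissionsBefore:
    """Order reported in the issue: root-view special case, then auth."""
    authenticated_users_only = True

    def has_permission(self, request, view):
        if getattr(view, "_ignore_model_permissions", False):
            return True  # anonymous users reach this line and are let in
        if not request.user or (
                not request.user.is_authenticated and self.authenticated_users_only):
            return False
        return request.user.has_perms(view.required_perms)


class ModelPermissionsAfter:
    """Order proposed in the issue and in the first comment: auth first."""
    authenticated_users_only = True

    def has_permission(self, request, view):
        if not request.user or (
                not request.user.is_authenticated and self.authenticated_users_only):
            return False
        if getattr(view, "_ignore_model_permissions", False):
            return True
        return request.user.has_perms(view.required_perms)


# Constructed sample principals and views.
ANONYMOUS = User(is_authenticated=False)
VIEWER = User(is_authenticated=True, perms={"app.view_thing"})
NO_PERMS = User(is_authenticated=True)
ROOT_VIEW = View(_ignore_model_permissions=True)
THING_VIEW = View(required_perms=("app.view_thing",))


def decision(permission_cls, user, view):
    """Boolean has_permission result for one (user, view) pair."""
    return permission_cls().has_permission(Request(user=user), view)


def decision_table(permission_cls):
    """Map (user label, view label) to the access decision a class makes."""
    cases = {
        ("anonymous", "root"): (ANONYMOUS, ROOT_VIEW),
        ("anonymous", "thing"): (ANONYMOUS, THING_VIEW),
        ("no_perms", "root"): (NO_PERMS, ROOT_VIEW),
        ("no_perms", "thing"): (NO_PERMS, THING_VIEW),
        ("viewer", "thing"): (VIEWER, THING_VIEW),
    }
    return {k: decision(permission_cls, u, v) for k, (u, v) in cases.items()}


if __name__ == "__main__":
    for cls in (ModelPermissionsBefore, ModelPermissionsAfter):
        print(cls.__name__, decision_table(cls))
```

Only the `("anonymous", "root")` row changes between the two orderings: the reordered check returns `False` for an anonymous request to the root view, matching what `IsAuthenticated` does. The `("no_perms", "root")` row is `True` in both, which is the caveat raised later in the thread: an authenticated user without any model permissions still passes the root-view special case and sees the full endpoint listing.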