-
-
Notifications
You must be signed in to change notification settings - Fork 6.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix Respect can_read_model
permission in DjangoModelPermissions
#8009
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -186,9 +186,9 @@ class DjangoModelPermissions(BasePermission): | |
# Override this if you need to also provide 'view' permissions, | ||
# or if you want to provide custom permission codes. | ||
perms_map = { | ||
'GET': [], | ||
'GET': ['%(app_label)s.view_%(model_name)s'], | ||
'OPTIONS': [], | ||
'HEAD': [], | ||
'HEAD': ['%(app_label)s.view_%(model_name)s'], | ||
'POST': ['%(app_label)s.add_%(model_name)s'], | ||
'PUT': ['%(app_label)s.change_%(model_name)s'], | ||
'PATCH': ['%(app_label)s.change_%(model_name)s'], | ||
|
@@ -239,8 +239,13 @@ def has_permission(self, request, view): | |
|
||
queryset = self._queryset(view) | ||
perms = self.get_required_permissions(request.method, queryset.model) | ||
change_perm = self.get_required_permissions('PUT', queryset.model) | ||
|
||
user = request.user | ||
if request.method == 'GET': | ||
return user.has_perms(perms) or user.has_perms(change_perm) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't see the motivation for this additional set of checks against Just seems inconsistent to me. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This maintains backward compatibility Tom. If the DB was not updated to grant the users of an application view permissions, the API endpoints will not allow read operations and will break because users have no view permissions assigned, only change permissions which was how django worked before, we can't be sure all databases have been updated to use view permissions properly. If we only check view permissions, that's how we would introduce a backward incompatible change. |
||
|
||
return request.user.has_perms(perms) | ||
return user.has_perms(perms) | ||
|
||
|
||
class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions): | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -80,7 +80,8 @@ def setUp(self): | |
user.user_permissions.set([ | ||
Permission.objects.get(codename='add_basicmodel'), | ||
Permission.objects.get(codename='change_basicmodel'), | ||
Permission.objects.get(codename='delete_basicmodel') | ||
Permission.objects.get(codename='delete_basicmodel'), | ||
Permission.objects.get(codename='view_basicmodel') | ||
]) | ||
|
||
user = User.objects.create_user('updateonly', '[email protected]', 'password') | ||
|
@@ -139,6 +140,15 @@ def test_get_queryset_has_create_permissions(self): | |
response = get_queryset_list_view(request, pk=1) | ||
self.assertEqual(response.status_code, status.HTTP_201_CREATED) | ||
|
||
def test_has_get_permissions(self): | ||
request = factory.get('/', HTTP_AUTHORIZATION=self.permitted_credentials) | ||
response = root_view(request) | ||
self.assertEqual(response.status_code, status.HTTP_200_OK) | ||
|
||
request = factory.get('/1', HTTP_AUTHORIZATION=self.updateonly_credentials) | ||
response = root_view(request, pk=1) | ||
self.assertEqual(response.status_code, status.HTTP_200_OK) | ||
|
||
def test_has_put_permissions(self): | ||
request = factory.put('/1', {'text': 'foobar'}, format='json', | ||
HTTP_AUTHORIZATION=self.permitted_credentials) | ||
|
@@ -156,6 +166,15 @@ def test_does_not_have_create_permissions(self): | |
response = root_view(request, pk=1) | ||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) | ||
|
||
def test_does_not_have_get_permissions(self): | ||
request = factory.get('/', HTTP_AUTHORIZATION=self.disallowed_credentials) | ||
response = root_view(request) | ||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) | ||
|
||
request = factory.get('/1', HTTP_AUTHORIZATION=self.disallowed_credentials) | ||
response = root_view(request, pk=1) | ||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) | ||
|
||
def test_does_not_have_put_permissions(self): | ||
request = factory.put('/1', {'text': 'foobar'}, format='json', | ||
HTTP_AUTHORIZATION=self.disallowed_credentials) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Presumably we'd also want to make the same change on
DjangoObjectPermissions
, right?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I honestly don't know, if you say this should be done we'll look into it, but we should clear any doubt regarding https://github.com/encode/django-rest-framework/pull/8009/files/dd4de8e420f3fe6e069cfb176a3e64218a10eda0#r709556976.