
Commit 4f10c4e

Revert "Fix Respect can_read_model permission in DjangoModelPermissions (#8…" (#9332)
This reverts commit 0618fa8.
1 parent a4d5807 commit 4f10c4e

3 files changed: +5 -30 lines changed

‎docs/api-guide/permissions.md

Lines changed: 1 addition & 2 deletions
@@ -173,12 +173,11 @@ This permission is suitable if you want to your API to allow read permissions to
173173

174174
This permission class ties into Django's standard`django.contrib.auth`[model permissions][contribauth]. This permission must only be applied to views that have a`.queryset` property or`get_queryset()` method. Authorization will only be granted if the user*is authenticated* and has the*relevant model permissions* assigned. The appropriate model is determined by checking`get_queryset().model` or`queryset.model`.
175175

176-
*`GET` requests require the user to have the`view` or`change` permission on the model
177176
*`POST` requests require the user to have the`add` permission on the model.
178177
*`PUT` and`PATCH` requests require the user to have the`change` permission on the model.
179178
*`DELETE` requests require the user to have the`delete` permission on the model.
180179

181-
The defaultbehaviour can also be overridden to support custom model permissions.
180+
The defaultbehavior can also be overridden to support custom model permissions. For example, you might want to include a`view` model permission for`GET` requests.
182181

183182
To use custom model permissions, override`DjangoModelPermissions` and set the`.perms_map` property. Refer to the source code for details.
184183
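
Review bot: After this hunk the method list in docs/api-guide/permissions.md has no bullet for `GET` at all, so the page never states what read requests require. Since `perms_map` maps `GET`, `HEAD` and `OPTIONS` to empty lists, add a bullet saying that these methods require only authentication and no model permission, so readers do not assume `view` is enforced. The replacement sentence also switches the spelling from "behaviour" to "behavior"; keep whichever the rest of the file uses.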

‎rest_framework/permissions.py

Lines changed: 3 additions & 8 deletions
@@ -186,9 +186,9 @@ class DjangoModelPermissions(BasePermission):
186186
# Override this if you need to also provide 'view' permissions,
187187
# or if you want to provide custom permission codes.
188188
perms_map= {
189-
'GET': ['%(app_label)s.view_%(model_name)s'],
189+
'GET': [],
190190
'OPTIONS': [],
191-
'HEAD': ['%(app_label)s.view_%(model_name)s'],
191+
'HEAD': [],
192192
'POST': ['%(app_label)s.add_%(model_name)s'],
193193
'PUT': ['%(app_label)s.change_%(model_name)s'],
194194
'PATCH': ['%(app_label)s.change_%(model_name)s'],
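
Review bot: With `'GET': []` and `'HEAD': []`, `has_perms()` is called with an empty list and returns true, so every authenticated user can read the model regardless of the permissions assigned to them. The comment above `perms_map` mentions overriding for 'view' permissions but does not say that the default performs no model-permission check on reads; say so in the comment, and flag in the release notes that deployments which relied on the `view_%(model_name)s` requirement from the reverted commit need to set it in their own `perms_map` subclass.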
@@ -239,13 +239,8 @@ def has_permission(self, request, view):
239239

240240
queryset=self._queryset(view)
241241
perms=self.get_required_permissions(request.method,queryset.model)
242-
change_perm=self.get_required_permissions('PUT',queryset.model)
243-
244-
user=request.user
245-
ifrequest.method=='GET':
246-
returnuser.has_perms(perms)oruser.has_perms(change_perm)
247242

248-
returnuser.has_perms(perms)
243+
returnrequest.user.has_perms(perms)
249244

250245

251246
classDjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):
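
Review bot: The commit message is only "This reverts commit 0618fa8", while this hunk removes an access-control decision for `GET` in `has_permission` (the `view` check and its fallback to `change_perm`). State the reason for the revert in the message or link the discussion, so that someone auditing the history of `has_permission` can tell whether the looser read behaviour is intended.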

‎tests/test_permissions.py

Lines changed: 1 addition & 20 deletions
@@ -80,8 +80,7 @@ def setUp(self):
8080
user.user_permissions.set([
8181
Permission.objects.get(codename='add_basicmodel'),
8282
Permission.objects.get(codename='change_basicmodel'),
83-
Permission.objects.get(codename='delete_basicmodel'),
84-
Permission.objects.get(codename='view_basicmodel')
83+
Permission.objects.get(codename='delete_basicmodel')
8584
])
8685

8786
user=User.objects.create_user('updateonly','updateonly@example.com','password')
@@ -140,15 +139,6 @@ def test_get_queryset_has_create_permissions(self):
140139
response=get_queryset_list_view(request,pk=1)
141140
self.assertEqual(response.status_code,status.HTTP_201_CREATED)
142141

143-
deftest_has_get_permissions(self):
144-
request=factory.get('/',HTTP_AUTHORIZATION=self.permitted_credentials)
145-
response=root_view(request)
146-
self.assertEqual(response.status_code,status.HTTP_200_OK)
147-
148-
request=factory.get('/1',HTTP_AUTHORIZATION=self.updateonly_credentials)
149-
response=root_view(request,pk=1)
150-
self.assertEqual(response.status_code,status.HTTP_200_OK)
151-
152142
deftest_has_put_permissions(self):
153143
request=factory.put('/1', {'text':'foobar'},format='json',
154144
HTTP_AUTHORIZATION=self.permitted_credentials)
@@ -166,15 +156,6 @@ def test_does_not_have_create_permissions(self):
166156
response=root_view(request,pk=1)
167157
self.assertEqual(response.status_code,status.HTTP_403_FORBIDDEN)
168158

169-
deftest_does_not_have_get_permissions(self):
170-
request=factory.get('/',HTTP_AUTHORIZATION=self.disallowed_credentials)
171-
response=root_view(request)
172-
self.assertEqual(response.status_code,status.HTTP_403_FORBIDDEN)
173-
174-
request=factory.get('/1',HTTP_AUTHORIZATION=self.disallowed_credentials)
175-
response=root_view(request,pk=1)
176-
self.assertEqual(response.status_code,status.HTTP_403_FORBIDDEN)
177-
178159
deftest_does_not_have_put_permissions(self):
179160
request=factory.put('/1', {'text':'foobar'},format='json',
180161
HTTP_AUTHORIZATION=self.disallowed_credentials)
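
Review bot: `test_does_not_have_get_permissions` is removed here and `test_has_get_permissions` in the previous hunk, and nothing in the visible test changes replaces them, so the restored `GET` behaviour is left untested. Add a test that pins the intended result for `disallowed_credentials` on `GET` (expected to be allowed under the reverted `perms_map`), plus one for a subclass whose `perms_map` requires `view`, so a future change to read permissions fails loudly instead of passing unnoticed.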
