Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit78e4ea0

Browse files
johnrazlovelydinosaur
authored andcommitted
No auth view failing permission should raise 403
A view with no `authentication_classes` set and that fails apermission check should raise a 403 with the message from thefailing permission.
1 parent6a29196 commit78e4ea0

File tree

2 files changed

+26
-1
lines changed

2 files changed

+26
-1
lines changed

‎rest_framework/views.py‎

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -162,7 +162,7 @@ def permission_denied(self, request, message=None):
162162
"""
163163
If request is not permitted, determine what kind of exception to raise.
164164
"""
165-
ifnotrequest.successful_authenticator:
165+
ifrequest.authenticatorsandnotrequest.successful_authenticator:
166166
raiseexceptions.NotAuthenticated()
167167
raiseexceptions.PermissionDenied(detail=message)
168168

‎tests/test_authentication.py‎

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -321,3 +321,28 @@ def test_failing_auth_accessed_in_renderer(self):
321321
response=self.view(request)
322322
content=response.render().content
323323
self.assertEqual(content,b'not authenticated')
324+
325+
326+
classNoAuthenticationClassesTests(TestCase):
327+
deftest_permission_message_with_no_authentication_classes(self):
328+
"""
329+
An unauthenticated request made against a view that containes no
330+
`authentication_classes` but do contain `permissions_classes` the error
331+
code returned should be 403 with the exception's message.
332+
"""
333+
334+
classDummyPermission(permissions.BasePermission):
335+
message='Dummy permission message'
336+
337+
defhas_permission(self,request,view):
338+
returnFalse
339+
340+
request=factory.get('/')
341+
view=MockView.as_view(
342+
authentication_classes=(),
343+
permission_classes=(DummyPermission,),
344+
)
345+
response=view(request)
346+
self.assertEqual(response.status_code,
347+
status.HTTP_403_FORBIDDEN)
348+
self.assertEqual(response.data, {'detail':'Dummy permission message'})

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp