Commitc0d95cb

authored

Fix#8771 - Checking for authentication even if_ignore_model_permissions = True (#8772)

1 parentb87699c commitc0d95cbCopy full SHA for c0d95cb

File tree

2 files changed

+30

-4

lines changed

rest_framework
- permissions.py
tests
- test_permissions.py

2 files changed

+30

-4

lines changed

`‎rest_framework/permissions.py‎`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -228,15 +228,15 @@ def _queryset(self, view):`
`228`	`228`	`returnview.queryset`
`229`	`229`
`230`	`230`	`defhas_permission(self,request,view):`
	`231`	`+ifnotrequest.useror (`
	`232`	`+notrequest.user.is_authenticatedandself.authenticated_users_only):`
	`233`	`+returnFalse`
	`234`	`+`
`231`	`235`	`# Workaround to ensure DjangoModelPermissions are not applied`
`232`	`236`	`# to the root view when using DefaultRouter.`
`233`	`237`	`ifgetattr(view,'_ignore_model_permissions',False):`
`234`	`238`	`returnTrue`
`235`	`239`
`236`		`-ifnotrequest.useror (`
`237`		`-notrequest.user.is_authenticatedandself.authenticated_users_only):`
`238`		`-returnFalse`
`239`		`-`
`240`	`240`	`queryset=self._queryset(view)`
`241`	`241`	`perms=self.get_required_permissions(request.method,queryset.model)`
`242`	`242`

`‎tests/test_permissions.py‎`

Lines changed: 26 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -55,11 +55,16 @@ class EmptyListView(generics.ListCreateAPIView):`
`55`	`55`	`permission_classes= [permissions.DjangoModelPermissions]`
`56`	`56`
`57`	`57`
	`58`	`+classIgnoredGetQuerySetListView(GetQuerySetListView):`
	`59`	`+_ignore_model_permissions=True`
	`60`	`+`
	`61`	`+`
`58`	`62`	`root_view=RootView.as_view()`
`59`	`63`	`api_root_view=DefaultRouter().get_api_root_view()`
`60`	`64`	`instance_view=InstanceView.as_view()`
`61`	`65`	`get_queryset_list_view=GetQuerySetListView.as_view()`
`62`	`66`	`empty_list_view=EmptyListView.as_view()`
	`67`	`+ignored_get_queryset_list_view=IgnoredGetQuerySetListView.as_view()`
`63`	`68`
`64`	`69`
`65`	`70`	`defbasic_auth_header(username,password):`
`@@ -107,6 +112,27 @@ def test_api_root_view_discard_default_django_model_permission(self):`
`107`	`112`	`response=api_root_view(request)`
`108`	`113`	`self.assertEqual(response.status_code,status.HTTP_200_OK)`
`109`	`114`
	`115`	`+deftest_ignore_model_permissions_with_unauthenticated_user(self):`
	`116`	`+"""`
	`117`	+ We check that the ``_ignore_model_permissions`` attribute
	`118`	`+ doesn't ignore the authentication.`
	`119`	`+ """`
	`120`	`+request=factory.get('/',format='json')`
	`121`	`+request.resolver_match=ResolverMatch('get', (), {})`
	`122`	`+response=ignored_get_queryset_list_view(request)`
	`123`	`+self.assertEqual(response.status_code,status.HTTP_401_UNAUTHORIZED)`
	`124`	`+`
	`125`	`+deftest_ignore_model_permissions_with_authenticated_user(self):`
	`126`	`+"""`
	`127`	+ We check that the ``_ignore_model_permissions`` attribute
	`128`	`+ with an authenticated user.`
	`129`	`+ """`
	`130`	`+request=factory.get('/',format='json',`
	`131`	`+HTTP_AUTHORIZATION=self.permitted_credentials)`
	`132`	`+request.resolver_match=ResolverMatch('get', (), {})`
	`133`	`+response=ignored_get_queryset_list_view(request)`
	`134`	`+self.assertEqual(response.status_code,status.HTTP_200_OK)`
	`135`	`+`
`110`	`136`	`deftest_get_queryset_has_create_permissions(self):`
`111`	`137`	`request=factory.post('/', {'text':'foobar'},format='json',`
`112`	`138`	`HTTP_AUTHORIZATION=self.permitted_credentials)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commitc0d95cb

File tree

2 files changed

2 files changed

`‎rest_framework/permissions.py‎`

`‎tests/test_permissions.py‎`

0 commit comments