Fixed unauthorized exception on read_detail, updated unit tests, adde…

…d unit test
django-tastypie · Jun 7, 2023 · 3a29cca · 3a29cca
1 parent c26e911
commit 3a29cca
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 3 deletions.
diff --git a/tastypie/authorization.py b/tastypie/authorization.py
@@ -188,7 +188,10 @@ def read_detail(self, object_list, bundle):
         Checks for both view and change permissions as both allow reading as per Django conventions:
         https://docs.djangoproject.com/en/4.2/topics/auth/default/#permissions-and-authorization
         """
-        return self.perm_obj_checks(bundle.request, 'view', bundle.obj) or self.perm_obj_checks(bundle.request, 'change', bundle.obj)
+        try:
+            return self.perm_obj_checks(bundle.request, 'view', bundle.obj)
+        except Unauthorized:
+            return self.perm_obj_checks(bundle.request, 'change', bundle.obj)
 
     def create_list(self, object_list, bundle):
         return self.perm_list_checks(bundle.request, 'add', object_list)

diff --git a/tests/core/tests/authorization.py b/tests/core/tests/authorization.py
@@ -95,6 +95,7 @@ class DjangoAuthorizationTestCase(TestCase):
 
     def setUp(self):
         super(DjangoAuthorizationTestCase, self).setUp()
+        self.view = Permission.objects.get_by_natural_key('view_note', 'core', 'note')
         self.add = Permission.objects.get_by_natural_key('add_note', 'core', 'note')
         self.change = Permission.objects.get_by_natural_key('change_note', 'core', 'note')
         self.delete = Permission.objects.get_by_natural_key('delete_note', 'core', 'note')
@@ -128,15 +129,40 @@ def test_no_perms(self):
         self.assertEqual(len(auth.delete_list(resource.get_object_list(bundle.request), bundle)), 0)
         self.assertRaises(Unauthorized, auth.delete_detail, resource.get_object_list(bundle.request)[0], bundle)
 
+    def test_view_perm(self):
+        request = HttpRequest()
+        request.user = self.user
+
+        # give view permission
+        request.user.user_permissions.add(self.view)
+
+        resource = DjangoNoteResource()
+        auth = resource._meta.authorization
+        bundle = resource.build_bundle(request=request)
+
+        bundle.request.method = 'GET'
+        self.assertEqual(len(auth.read_list(resource.get_object_list(bundle.request), bundle)), 4)
+        self.assertTrue(auth.read_detail(resource.get_object_list(bundle.request)[0], bundle))
+
+        bundle.request.method = 'POST'
+        self.assertEqual(len(auth.create_list(resource.get_object_list(bundle.request), bundle)), 0)
+        self.assertRaises(Unauthorized, auth.create_detail, resource.get_object_list(bundle.request)[0], bundle)
+
+        bundle.request.method = 'PUT'
+        self.assertEqual(len(auth.update_list(resource.get_object_list(bundle.request), bundle)), 0)
+        self.assertRaises(Unauthorized, auth.update_detail, resource.get_object_list(bundle.request)[0], bundle)
+
+        bundle.request.method = 'DELETE'
+        self.assertEqual(len(auth.delete_list(resource.get_object_list(bundle.request), bundle)), 0)
+        self.assertRaises(Unauthorized, auth.delete_detail, resource.get_object_list(bundle.request)[0], bundle)
+
     def test_add_perm(self):
         request = HttpRequest()
         request.user = self.user
 
         # give add permission
         request.user.user_permissions.add(self.add)
 
-        request = HttpRequest()
-        request.user = self.user
         resource = DjangoNoteResource()
         auth = resource._meta.authorization
         bundle = resource.build_bundle(request=request)
@@ -215,6 +241,7 @@ def test_all(self):
         request = HttpRequest()
         request.user = self.user
 
+        request.user.user_permissions.add(self.view)
         request.user.user_permissions.add(self.add)
         request.user.user_permissions.add(self.change)
         request.user.user_permissions.add(self.delete)