Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix #8771 - Checking for authentication even if _ignore_model_permissions = True #8772

Merged
merged 1 commit into from Nov 22, 2022
Merged

Fix #8771 - Checking for authentication even if _ignore_model_permissions = True #8772

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
8 changes: 4 additions & 4 deletions rest_framework/permissions.py
View file
Open in desktop
Expand Up @@ -228,15 +228,15 @@ def _queryset(self, view):
return view.queryset

def has_permission(self, request, view):
if not request.user or (
not request.user.is_authenticated and self.authenticated_users_only):
return False

# Workaround to ensure DjangoModelPermissions are not applied
# to the root view when using DefaultRouter.
if getattr(view, '_ignore_model_permissions', False):
return True

if not request.user or (
not request.user.is_authenticated and self.authenticated_users_only):
return False

queryset = self._queryset(view)
perms = self.get_required_permissions(request.method, queryset.model)

Expand Down
26 changes: 26 additions & 0 deletions tests/test_permissions.py
View file
Open in desktop
Expand Up @@ -55,11 +55,16 @@ class EmptyListView(generics.ListCreateAPIView):
permission_classes = [permissions.DjangoModelPermissions]


class IgnoredGetQuerySetListView(GetQuerySetListView):
_ignore_model_permissions = True


root_view = RootView.as_view()
api_root_view = DefaultRouter().get_api_root_view()
instance_view = InstanceView.as_view()
get_queryset_list_view = GetQuerySetListView.as_view()
empty_list_view = EmptyListView.as_view()
ignored_get_queryset_list_view = IgnoredGetQuerySetListView.as_view()


def basic_auth_header(username, password):
Expand Down Expand Up @@ -107,6 +112,27 @@ def test_api_root_view_discard_default_django_model_permission(self):
response = api_root_view(request)
self.assertEqual(response.status_code, status.HTTP_200_OK)

def test_ignore_model_permissions_with_unauthenticated_user(self):
"""
We check that the ``_ignore_model_permissions`` attribute
doesn't ignore the authentication.
"""
request = factory.get('/', format='json')
request.resolver_match = ResolverMatch('get', (), {})
response = ignored_get_queryset_list_view(request)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)

def test_ignore_model_permissions_with_authenticated_user(self):
"""
We check that the ``_ignore_model_permissions`` attribute
with an authenticated user.
"""
request = factory.get('/', format='json',
HTTP_AUTHORIZATION=self.permitted_credentials)
request.resolver_match = ResolverMatch('get', (), {})
response = ignored_get_queryset_list_view(request)
self.assertEqual(response.status_code, status.HTTP_200_OK)

def test_get_queryset_has_create_permissions(self):
request = factory.post('/', {'text': 'foobar'}, format='json',
HTTP_AUTHORIZATION=self.permitted_credentials)
Expand Down