Skip to content

D
django-rest-framework
Commit 29136ef2 by Tom Christie
Options

Enforce PUT-as-create permissions

parent 84a1896b
Showing with 25 additions and 0 deletions
rest_framework/mixins.py
...@@ -9,6 +9,7 @@ from __future__ import unicode_literals ...@@ -9,6 +9,7 @@ from __future__ import unicode_literals
from django.http import Http404 from django.http import Http404
from rest_framework import status from rest_framework import status
from rest_framework.response import Response from rest_framework.response import Response
from rest_framework.request import clone_request
class CreateModelMixin(object): class CreateModelMixin(object):
...@@ -90,6 +91,10 @@ class UpdateModelMixin(object): ...@@ -90,6 +91,10 @@ class UpdateModelMixin(object):
try: try:
self.object = self.get_object() self.object = self.get_object()
except Http404: except Http404:
# If this is a PUT-as-create operation, we need to ensure that
# we have relevant permissions, as if this was a POST request.
if not self.has_permission(clone_request(request, 'POST')):
self.permission_denied(self.request)
created = True created = True
success_status_code = status.HTTP_201_CREATED success_status_code = status.HTTP_201_CREATED
else: else:
......
rest_framework/tests/permissions.py
...@@ -44,9 +44,14 @@ class ModelPermissionsIntegrationTests(TestCase): ...@@ -44,9 +44,14 @@ class ModelPermissionsIntegrationTests(TestCase):
Permission.objects.get(codename='change_basicmodel'), Permission.objects.get(codename='change_basicmodel'),
Permission.objects.get(codename='delete_basicmodel') Permission.objects.get(codename='delete_basicmodel')
] ]
user = User.objects.create_user('updateonly', 'updateonly@example.com', 'password')
user.user_permissions = [
Permission.objects.get(codename='change_basicmodel'),
]
self.permitted_credentials = basic_auth_header('permitted', 'password') self.permitted_credentials = basic_auth_header('permitted', 'password')
self.disallowed_credentials = basic_auth_header('disallowed', 'password') self.disallowed_credentials = basic_auth_header('disallowed', 'password')
self.updateonly_credentials = basic_auth_header('updateonly', 'password')
BasicModel(text='foo').save() BasicModel(text='foo').save()
...@@ -87,3 +92,18 @@ class ModelPermissionsIntegrationTests(TestCase): ...@@ -87,3 +92,18 @@ class ModelPermissionsIntegrationTests(TestCase):
request = factory.delete('/1', HTTP_AUTHORIZATION=self.disallowed_credentials) request = factory.delete('/1', HTTP_AUTHORIZATION=self.disallowed_credentials)
response = instance_view(request, pk=1) response = instance_view(request, pk=1)
self.assertEquals(response.status_code, status.HTTP_403_FORBIDDEN) self.assertEquals(response.status_code, status.HTTP_403_FORBIDDEN)
def test_has_put_as_create_permissions(self):
# User only has update permissions - should be able to update an entity.
request = factory.put('/1', json.dumps({'text': 'foobar'}),
content_type='application/json',
HTTP_AUTHORIZATION=self.updateonly_credentials)
response = instance_view(request, pk='1')
self.assertEquals(response.status_code, status.HTTP_200_OK)
# But if PUTing to a new entity, permission should be denied.
request = factory.put('/2', json.dumps({'text': 'foobar'}),
content_type='application/json',
HTTP_AUTHORIZATION=self.updateonly_credentials)
response = instance_view(request, pk='2')
self.assertEquals(response.status_code, status.HTTP_403_FORBIDDEN)
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment