Add DjangoModelPermissionsOrAnonReadOnly

b65b0653 · Tom Christie · 8dff8d2f · b65b0653 · b65b0653
Commit b65b0653 authored Apr 30, 2013 by Tom Christie
Show whitespace changes
Inline Side-by-side

Showing with 14 additions and 7 deletions

docs/api-guide/permissions.md
+4 -5

rest_framework/permissions.py
+10 -2

No files found.
--- a/docs/api-guide/permissions.md
+++ b/docs/api-guide/permissions.md
@@ -97,15 +97,14 @@ This permission class ties into Django's standard `django.contrib.auth` [model p
 * `PUT` and `PATCH` requests require the user to have the `change` permission on the model.
 * `DELETE` requests require the user to have the `delete` permission on the model.

-If you want to use `DjangoModelPermissions` but also allow unauthenticated users to have read permission, override the class and set the `authenticated_users_only` property to `False`.  For example:
-
-    class HasModelPermissionsOrReadOnly(DjangoModelPermissions):
-        authenticated_users_only = False
-
 The default behaviour can also be overridden to support custom model permissions.  For example, you might want to include a `view` model permission for `GET` requests.

 To use custom model permissions, override `DjangoModelPermissions` and set the `.perms_map` property.  Refer to the source code for details.

+## DjangoModelPermissionsOrAnonReadOnly
+
+Similar to `DjangoModelPermissions`, but also allows unauthenticated users to have  read-only access to the API.
+
 ## TokenHasReadWriteScope

 This permission class is intended for use with either of the `OAuthAuthentication` and `OAuth2Authentication` classes, and ties into the scoping that their backends provide.

--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@@ -89,8 +89,8 @@ class DjangoModelPermissions(BasePermission):
    It ensures that the user is authenticated, and has the appropriate
    `add`/`change`/`delete` permissions on the model.

-    This permission will only be applied against view classes that
-    provide a `.model` attribute, such as the generic class-based views.
+    This permission can only be applied against view classes that
+    provide a `.model` or `.queryset` attribute.
    """

    # Map methods into required permission codes.
@@ -138,6 +138,14 @@ class DjangoModelPermissions(BasePermission):
        return False


+class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):
+    """
+    Similar to DjangoModelPermissions, except that anonymous users are
+    allowed read-only access.
+    """
+    authenticated_users_only = False
+
+
 class TokenHasReadWriteScope(BasePermission):
    """
    The request is authenticated as a user and the token used has the right scope