+ Rejecting anonymous in DjangoModelPermissions *before* the .get_queryset call

+ Rejecting anonymous in DjangoModelPermissions before the .get_queryset call
c8773671 · Denis Untevskiy · Ryan P Kilby · 2ea368e8 · c8773671
Commit c8773671 authored Aug 25, 2017 by Denis Untevskiy Committed by Ryan P Kilby Aug 30, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 5 deletions

rest_framework/permissions.py
+5 -5

No files found.
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@@ -120,6 +120,10 @@ class DjangoModelPermissions(BasePermission):
        if getattr(view, '_ignore_model_permissions', False):
            return True

+        if not request.user or (
+           not is_authenticated(request.user) and self.authenticated_users_only):
+            return False
+
        if hasattr(view, 'get_queryset'):
            queryset = view.get_queryset()
            assert queryset is not None, (
@@ -135,11 +139,7 @@ class DjangoModelPermissions(BasePermission):

        perms = self.get_required_permissions(request.method, queryset.model)

-        return (
-            request.user and
-            (is_authenticated(request.user) or not self.authenticated_users_only) and
-            request.user.has_perms(perms)
-        )
+        return request.user.has_perms(perms)


 class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):