dry-rest-permissions icon indicating copy to clipboard operation
dry-rest-permissions copied to clipboard

Published 20 hours ago verified publisher icon dbkaplan

Library does not check for allowed methods

Open dbrgn opened this issue 7 years ago • 1 comments

If I add DRYPermissions to a ReadOnlyModelViewSet and then do a DELETE request to the endpoint, I get a HTTP500 with the following exception:

AssertionError: '<class 'data.models.Animal'>' does not have 'has_write_permission' or 'has_None_permission' defined.

Instead, a HTTP 405 (method not allowed) should be returned.

Might be related: https://github.com/tomchristie/django-rest-framework/issues/4927

dbrgn avatar Mar 17 '17 14:03 dbrgn

that can be related indeed as the DRYPermissions is just another implementation of Global and Object level permissions. And DRF will cycle through the permission_classes definition (eg permission_classes = (IsAuthenticated, DRYPermissions)). It looks for implementations of has_permission() and has_object_permission() methods on those classed.

jberends avatar Jan 31 '18 19:01 jberends