daybed
We shouldn't need the same permissions for a PUT which creates or modifies a record. Same for models.
I believe this is no longer valid. Can we close?
No, it is still valid. This is an ACL inconsistency AMA.
If you make a PUT on a create you should just have the create_record; if you make a PUT on an erase, you should need the create_record and delete_record (same for models).
Should we check something like this in records.put view? https://github.com/spiral-project/daybed/blob/1.0.1/daybed/views/records.py#L34
Yes I think so

On 16 Sept. 2014 15:26, "Mathieu Leplatre" [email protected] wrote:
> Should we check something like this in records.put view? https://github.com/spiral-project/daybed/blob/1.0.1/daybed/views/records.py#L34
I had this bug with https://github.com/spiral-project/daybed-cloud-share, I am going to fix it.
r? @leplatrem
I'm not sure about what is done in this PR actually :(
Could you make your specifications explicit in the tests, please?
I would have expected something like:
- test that a user without creation permission cannot create a record with PUT
- test that a user without update permission can create a record with PUT
And since the title says "same for models", I would have expected the same for models :)
Please note that views permissions tests are not supposed to be functional test suites; something in RecordsViewsTest would be more efficient, since it is not executed several times with different backends, etc.
OK, I will rework these tests.
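
The permission rule discussed in this thread (a PUT that creates needs only create_record, a PUT that replaces an existing record needs create_record and delete_record), as an added example that is not part of the original thread and not daybed's own code. The in-memory `store`, the `Forbidden` exception and all function names are hypothetical.

```python
# Added example: hypothetical names, not daybed's implementation.
class Forbidden(Exception):
    """Raised when the caller lacks a permission the PUT requires."""


def required_permissions_for_put(record_exists):
    """Permissions a PUT needs, following the rule stated in the issue."""
    if record_exists:
        # PUT on an existing id erases the old record and creates a new one.
        return frozenset({"create_record", "delete_record"})
    # PUT on an unknown id is a plain creation.
    return frozenset({"create_record"})


def put_record(store, granted, record_id, data):
    """Create or replace store[record_id] if `granted` covers the need.

    Returns "created" or "replaced"; raises Forbidden otherwise.
    """
    exists = record_id in store
    missing = required_permissions_for_put(exists) - set(granted)
    if missing:
        # Decide before touching the store so a denied PUT has no effect.
        raise Forbidden("missing: " + ", ".join(sorted(missing)))
    store[record_id] = dict(data)
    return "replaced" if exists else "created"


def is_allowed(store, granted, record_id, data):
    """Convenience wrapper: True if the PUT went through, False if denied."""
    try:
        put_record(store, granted, record_id, data)
        return True
    except Forbidden:
        return False
```

In a real backend the existence check and the write have to happen atomically, otherwise a record created between the two steps could be overwritten by a caller who only holds create_record.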