From 47cc7753bdfba3779a80264eadef994ca11e31d7 Mon Sep 17 00:00:00 2001
From: Christian Zosel
Date: Tue, 16 Apr 2024 15:57:44 +0200
Subject: [PATCH] fix: don't check permissions for GET requests

Permissions should only deal with POST/PATCH/DELETE - GET requests should be entirely governed by the visibility layer.
---
 generic_permissions/permissions.py | 3 +++
 tests/test_permissions.py | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/generic_permissions/permissions.py b/generic_permissions/permissions.py
index 5e9c58f..c09e406 100644
--- a/generic_permissions/permissions.py
+++ b/generic_permissions/permissions.py
@@ -39,6 +39,9 @@ def check_object_permissions(self, request, instance):
 Called by get_object().
 """
+ if request.method == "GET":
+ return
+
 for handler in ObjectPermissionsConfig.get_handlers(
 self.get_serializer().Meta.model
 ):
diff --git a/tests/test_permissions.py b/tests/test_permissions.py
index 829cbb3..16956ad 100644
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@@ -25,6 +25,7 @@
 ("post", HTTP_201_CREATED),
 ("patch", HTTP_200_OK),
 ("delete", HTTP_204_NO_CONTENT),
+ ("get", HTTP_200_OK),
 ],
 )
 @pytest.mark.parametrize("use_admin_client", [True, False])
@@ -63,7 +64,7 @@ def has_object_permission_for_document(self, request, instance):
 url = reverse("model1-list")
- if method in ["patch", "delete"]:
+ if method in ["patch", "delete", "get"]:
 url = reverse("model1-detail", args=[tm.pk])
 data = {"text": "bar"}
@@ -72,7 +73,7 @@ def has_object_permission_for_document(self, request, instance):
 response = getattr(client, method)(url, data=data)
- if not use_admin_client:
+ if not use_admin_client and method != "get":
 assert response.status_code == HTTP_403_FORBIDDEN
 return
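Review bot: The early return on the added `if request.method == "GET":` line exempts only GET, so a HEAD request to the same detail endpoint still runs the object permission handlers, and a handler that denies the read would presumably answer HEAD with 403 where GET now returns 200. If this project sits on Django REST framework, `if request.method in SAFE_METHODS:` (from `rest_framework.permissions`) expresses the stated intent — handlers gate only mutating methods — and keeps HEAD consistent with GET. Because this makes the visibility layer the sole guard on reads reached through get_object(), the decision deserves a comment on the added lines, e.g. `# Read access is decided by the visibility layer alone; handlers only gate mutating methods.`, and the method docstring should say the same. check_object_permissions starts before the hunk, so its docstring is outside this view.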
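Review bot: The added `and method != "get"` in the 403 branch routes the non-admin GET case to the assertions below the hunk, which is what the commit intends, but nothing on the line says why a non-admin read is expected to succeed, and a reader may take it for an assertion that was simply skipped. A one-line comment above the condition would make the expectation explicit, e.g. `# GET is governed by the visibility layer, not by object permission handlers, so non-admin reads must succeed`. The enclosing test function starts before the hunk and its remaining assertions are not visible here.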