Python rest_framework.permissions.DjangoObjectPermissions() Examples

The following are 2 code examples of rest_framework.permissions.DjangoObjectPermissions(). You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module rest_framework.permissions , or try the search function .
Example #1
Source File: test_viewsets.py    From drf-haystack with MIT License 6 votes vote down vote up
def test_viewset_get_queryset_with_DjangoObjectPermissions_permission(self):
        from rest_framework.permissions import DjangoObjectPermissions
        setattr(self.view, "permission_classes", (DjangoObjectPermissions,))

        # The `DjangoObjectPermissions` is a subclass of `DjangoModelPermissions` and
        # therefore unsupported.
        request = factory.get(path="/", data="", content_type="application/json")
        try:
            self.view.as_view(actions={"get": "list"})(request)
            self.fail("Did not fail with AssertionError when calling HaystackView with DjangoModelPermissions")
        except (AttributeError, AssertionError) as e:
            if isinstance(e, AttributeError):
                self.assertEqual(str(e), "'SearchQuerySet' object has no attribute 'model'")
            else:
                self.assertEqual(str(e), "Cannot apply DjangoModelPermissions on a view that does "
                                         "not have `.model` or `.queryset` property.") 
Example #2
Source File: permissions.py    From resolwe with Apache License 2.0 4 votes vote down vote up
def has_object_permission(self, request, view, obj):
        """Check object permissions."""
        # admins can do anything
        if request.user.is_superuser:
            return True

        # `share` permission is required for editing permissions
        if "permissions" in view.action:
            self.perms_map["POST"] = ["%(app_label)s.share_%(model_name)s"]

        if view.action in ["add_data", "remove_data"]:
            self.perms_map["POST"] = ["%(app_label)s.add_%(model_name)s"]

        if hasattr(view, "get_queryset"):
            queryset = view.get_queryset()
        else:
            queryset = getattr(view, "queryset", None)

        assert queryset is not None, (
            "Cannot apply DjangoObjectPermissions on a view that "
            "does not set `.queryset` or have a `.get_queryset()` method."
        )

        model_cls = queryset.model
        user = request.user

        perms = self.get_required_object_permissions(request.method, model_cls)

        if not user.has_perms(perms, obj) and not AnonymousUser().has_perms(perms, obj):
            # If the user does not have permissions we need to determine if
            # they have read permissions to see 403, or not, and simply see
            # a 404 response.

            if request.method in permissions.SAFE_METHODS:
                # Read permissions already checked and failed, no need
                # to make another lookup.
                raise Http404

            read_perms = self.get_required_object_permissions("GET", model_cls)
            if not user.has_perms(read_perms, obj):
                raise Http404

            # Has read permissions.
            return False

        return True