From b42dab33a5a21572f7014b40b31bb4eb48b7d3d2 Mon Sep 17 00:00:00 2001
From: Bogdan Petrea
Date: Mon, 18 Mar 2024 12:51:56 +0200
Subject: [PATCH] Add initial support for simple DRF Views (non-Viewset)
---
 CHANGELOG.MD | 1 +
 django_woah/drf/permission.py | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.MD b/CHANGELOG.MD
index 1dc3f62..86528fb 100644
--- a/CHANGELOG.MD
+++ b/CHANGELOG.MD
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add a check for the first field in HasRelatedResourcePerms.relation
 - Add uniqueness checks for PermEnum values
 - Provide a DRF AuthorizationModelViewSet class for convenience
+- Add initial support for simple DRF Views (non-Viewset)
 ### Changed
 - Lax some in-code assumptions to allow using non-Model classes
diff --git a/django_woah/drf/permission.py b/django_woah/drf/permission.py
index 86537c1..367d746 100644
--- a/django_woah/drf/permission.py
+++ b/django_woah/drf/permission.py
@@ -28,7 +28,14 @@ def has_permission(self, request, view):
 return view.http_method_not_allowed(request)
 if not hasattr(view, "action"):
- return view.permission_denied(request)
+ if request.method == "POST":
+ return view.is_authorized_for_unsaved_resource()
+
+ return self.has_object_permission(
+ request,
+ view,
+ obj=view.get_authorization_model_object(skip_authorization=True),
+ )
 if getattr(view, "action", None):
 if view.action == "list" or (
@@ -55,7 +62,11 @@ def has_object_permission(self, request, view, obj):
 # TODO: see what to do with "obj" parameter
 # return obj == view.get_authorization_model_object() breaks some cases
- if view.action == "create":
+ if not hasattr(view, "action"):
+ if request.method == "POST":
+ return view.is_authorized_for_unsaved_resource()
+
+ elif view.action == "create":
 return view.is_authorized_for_unsaved_resource()
 obj = view.get_authorization_model_object()
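Review bot: The new `if not hasattr(view, "action")` branch in has_permission picks the authorization path from the HTTP verb alone: every POST is authorized as an unsaved resource and every other method is treated as a single-object request, where the removed line denied all action-less views. A plain APIView can accept POST against an existing object, and in that case only `is_authorized_for_unsaved_resource()` runs and the target object's permissions are not consulted on this path; the same verb rule is repeated in the has_object_permission hunk. Consider keeping deny as the default unless the view states which check applies, or at least record the assumption above the branch: `# No .action (plain APIView): POST is authorized as a create, any other method as a single-object request`. The object loaded with `skip_authorization=True` is passed as `obj`, which has_object_permission appears to ignore and re-fetch, so the pre-authorization lookup looks redundant. has_permission starts and ends outside this hunk.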
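Review bot: In has_object_permission the `elif view.action == "create":` now hangs off the `hasattr` test across a blank line, and a non-POST request on an action-less view leaves the first branch without returning and falls through to the object lookup, which is easy to misread as a missing return. Computing the decision once keeps the same behaviour and makes the fall-through explicit: `is_create = view.action == "create" if hasattr(view, "action") else request.method == "POST"` followed by `if is_create: return view.is_authorized_for_unsaved_resource()`. The function body continues past the end of the hunk.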