From 5a79ffb0f5dfb8759790902c297751a486594a2e Mon Sep 17 00:00:00 2001
From: chapeau
Date: Sun, 29 Nov 2020 18:19:46 +0100
Subject: [PATCH] lets be sure that api permissions wont trigger on functional views
---
 api/permissions.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/api/permissions.py b/api/permissions.py
index 1983bdc8..3ee61f33 100644
--- a/api/permissions.py
+++ b/api/permissions.py
@@ -239,6 +239,9 @@ class AutodetectACLPermission(permissions.BasePermission):
 if getattr(view, "_ignore_model_permissions", False):
 return True
+ if not getattr(view, "queryset", getattr(view, "get_queryset", None)):
+ return True
+
 if not request.user or not request.user.is_authenticated:
 return False
@@ -273,7 +276,8 @@ class AutodetectACLPermission(permissions.BasePermission):
 # they have read permissions to see 403, or not, and simply see
 # a 404 response.
- SAFE_METHODS = ("GET", "OPTIONS", "HEAD", "POST", "PUT", "PATCH", "DELETE")
+ SAFE_METHODS = ("GET", "OPTIONS", "HEAD",
+ "POST", "PUT", "PATCH", "DELETE")
 if request.method in SAFE_METHODS:
 # Read permissions already checked and failed, no need
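Review bot: In the first hunk (`@@ -239,6 +239,9 @@`) the new early `return True` sits above the `request.user.is_authenticated` check, so a view with no `queryset` is now allowed for anonymous requests by this permission class, where the old code returned False. The test is also wider than the commit subject suggests: `getattr(view, "queryset", <fallback>)` only consults the fallback when the attribute is missing, and if these are Django REST framework views, `GenericAPIView` declares `queryset = None`, so a generic view that only overrides `get_queryset()` would take this branch and skip the ACL check entirely. Unless anonymous access to function-based views is intended, I would move the branch below the authentication check and test both attributes explicitly: `if getattr(view, "queryset", None) is None and not hasattr(view, "get_queryset"): return True`. The enclosing method starts and ends outside the hunk, so whether another permission class still enforces authentication for these views cannot be seen from here.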