[Usage/Issue] Object level permissions


Luis Félix

Aug 28, 2020, 2:17:15 PM
to Django REST framework
Hello,

I think I found some undesired behaviour, but would like to make sure it isn't a usage problem before opening an issue and PR on Github.

Consider, if you please, the following code (trimmed down to the relevant stuff):

https://gist.github.com/lcsfelix/afc5a62ba1379f85173b58145453ff16

Now, the question:

The BasePermission class implements two methods: has_permission and has_object_permission. They both simply return True.

The IsAuthenticated, IsAdminUser, and IsAuthenticatedOrReadOnly classes extend BasePermission but only override has_permission.

When the above code receives a PATCH request, it allows any user to complete the operation despite not being an admin, because IsAdminUser.has_object_permission always returns True and therefore no other rules are checked.

Shouldn't these Permissions classes consider object level permissions?

Best regards,
Luis Félix
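To make the behaviour described above concrete, here is an added example that is not code from the original post, the linked gist, or Django REST framework itself. It is a stand-alone Python model of DRF's two-phase permission check (view-level has_permission, then object-level has_object_permission) and of an OR composition like the one produced by `|`. BasePermission and IsAdminUser are re-implemented with the same defaults DRF gives them so the script runs without Django; the IsOwner class, the users, the request and the Note object are constructed for the example. The naive OR reproduces the problem: a non-admin, non-owner passes the object check because IsAdminUser's inherited has_object_permission returns True. The stricter OR only lets an operand grant object access if that same operand also passed the view-level check.

```python
# Added example, not DRF's own code: a minimal model of DRF-style permission
# composition showing why `IsAdminUser | <object-level permission>` can let
# anyone through the object-level check.
from dataclasses import dataclass


@dataclass
class User:
    username: str
    is_authenticated: bool = True
    is_staff: bool = False


@dataclass
class Request:
    user: User
    method: str


@dataclass
class Note:
    """Constructed sample model; only its owner should be able to PATCH it."""
    owner: User


class BasePermission:
    """Same defaults as DRF's BasePermission: both hooks allow by default."""

    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True


class IsAdminUser(BasePermission):
    """Mirrors DRF: overrides only the view-level hook. The object-level hook
    is inherited unchanged and always returns True."""

    def has_permission(self, request, view):
        return bool(request.user and request.user.is_staff)


class IsOwner(BasePermission):
    """Hypothetical object-level class (assumption): anyone may reach the
    view, but only the object's owner may act on a given object."""

    def has_object_permission(self, request, view, obj):
        return obj.owner is request.user


class NaiveOR(BasePermission):
    """OR composition that evaluates each phase independently per operand."""

    def __init__(self, op1, op2):
        self.op1, self.op2 = op1, op2

    def has_permission(self, request, view):
        return (self.op1.has_permission(request, view)
                or self.op2.has_permission(request, view))

    def has_object_permission(self, request, view, obj):
        # Bug: IsAdminUser's inherited hook returns True for everyone,
        # so the OR short-circuits to True before IsOwner is consulted.
        return (self.op1.has_object_permission(request, view, obj)
                or self.op2.has_object_permission(request, view, obj))


class StrictOR(NaiveOR):
    """OR composition where an operand grants object access only if that
    same operand also passes the view-level check."""

    def has_object_permission(self, request, view, obj):
        return (
            (self.op1.has_permission(request, view)
             and self.op1.has_object_permission(request, view, obj))
            or
            (self.op2.has_permission(request, view)
             and self.op2.has_object_permission(request, view, obj))
        )


def check(permission, request, obj):
    """Apply the checks in the order a DRF view does: view-level first
    (before the object is fetched), then object-level."""
    if not permission.has_permission(request, view=None):
        return False
    return permission.has_object_permission(request, view=None, obj=obj)


# Constructed users and object for the example.
ALICE = User("alice")                 # owner of NOTE, not staff
BOB = User("bob")                     # authenticated, neither owner nor staff
ADMIN = User("root", is_staff=True)   # staff
NOTE = Note(owner=ALICE)


def decisions(composer):
    """Return {username: allowed} for a PATCH on NOTE under the composition."""
    perm = composer(IsAdminUser(), IsOwner())
    return {u.username: check(perm, Request(u, "PATCH"), NOTE)
            for u in (ALICE, BOB, ADMIN)}


def naive_decisions():
    return decisions(NaiveOR)


def strict_decisions():
    return decisions(StrictOR)


if __name__ == "__main__":
    print("naive :", naive_decisions())   # bob is wrongly allowed
    print("strict:", strict_decisions())  # bob is denied
```

The practical takeaway for anyone writing a custom permission class: if the class is meant to participate in `|` compositions, implement has_object_permission explicitly (for an admin-style class, return the same result as has_permission) rather than relying on the permissive default inherited from BasePermission, and test the composed permission against a non-admin user and an object they do not own.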

Yezileli Ilomo

Aug 28, 2020, 2:43:02 PM
to django-res...@googlegroups.com
What's with the bitwise operator on permission classes? Are you using a 3rd party package or something?


Luis Félix

Aug 28, 2020, 7:13:20 PM
to Django REST framework
No, it's right here in the documentation, same link I left in the gist.


Roman Iefimov

Sep 6, 2020, 8:20:17 PM
to Django REST framework
I agree. There should be default methods implemented just so issues like this don't happen to others.