diff options
| author | Tom Christie | 2013-04-30 14:34:28 +0100 |
|---|---|---|
| committer | Tom Christie | 2013-04-30 14:34:28 +0100 |
| commit | b65b065375796919a57f4bd6f1dd8187ef0eb165 (patch) | |
| tree | 7da258c8dd5dbee05ab88b126b53b67dd5ce5720 | |
| parent | 8dff8d2fdcfcee356c134f4be8235d2a4f122d1a (diff) | |
| download | django-rest-framework-b65b065375796919a57f4bd6f1dd8187ef0eb165.tar.bz2 | |
Add DjangoModelPermissionsOrAnonReadOnly
| -rw-r--r-- | docs/api-guide/permissions.md | 9 | ||||
| -rw-r--r-- | rest_framework/permissions.py | 12 |
2 files changed, 14 insertions, 7 deletions
diff --git a/docs/api-guide/permissions.md b/docs/api-guide/permissions.md index 4b3eda6d..5dbaf338 100644 --- a/docs/api-guide/permissions.md +++ b/docs/api-guide/permissions.md @@ -96,16 +96,15 @@ This permission class ties into Django's standard `django.contrib.auth` [model p * `POST` requests require the user to have the `add` permission on the model. * `PUT` and `PATCH` requests require the user to have the `change` permission on the model. * `DELETE` requests require the user to have the `delete` permission on the model. - -If you want to use `DjangoModelPermissions` but also allow unauthenticated users to have read permission, override the class and set the `authenticated_users_only` property to `False`. For example: - - class HasModelPermissionsOrReadOnly(DjangoModelPermissions): - authenticated_users_only = False The default behaviour can also be overridden to support custom model permissions. For example, you might want to include a `view` model permission for `GET` requests. To use custom model permissions, override `DjangoModelPermissions` and set the `.perms_map` property. Refer to the source code for details. +## DjangoModelPermissionsOrAnonReadOnly + +Similar to `DjangoModelPermissions`, but also allows unauthenticated users to have read-only access to the API. + ## TokenHasReadWriteScope This permission class is intended for use with either of the `OAuthAuthentication` and `OAuth2Authentication` classes, and ties into the scoping that their backends provide. diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py index 91bf5ad6..751f31a7 100644 --- a/rest_framework/permissions.py +++ b/rest_framework/permissions.py @@ -89,8 +89,8 @@ class DjangoModelPermissions(BasePermission): It ensures that the user is authenticated, and has the appropriate `add`/`change`/`delete` permissions on the model. - This permission will only be applied against view classes that - provide a `.model` attribute, such as the generic class-based views. + This permission can only be applied against view classes that + provide a `.model` or `.queryset` attribute. """ # Map methods into required permission codes. @@ -138,6 +138,14 @@ class DjangoModelPermissions(BasePermission): return False +class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions): + """ + Similar to DjangoModelPermissions, except that anonymous users are + allowed read-only access. + """ + authenticated_users_only = False + + class TokenHasReadWriteScope(BasePermission): """ The request is authenticated as a user and the token used has the right scope |