Enforce PUT-as-create permissions

author: Tom Christie 2013-02-10 16:50:46 +0000
committer: Tom Christie 2013-02-10 16:50:46 +0000
commit: 29136ef2c6338b8dbc9f7cf9c4dd75867a6bfa9f (patch)
tree: 97af2eecca3681d344a8a1ec82a85f43611df1b3 /rest_framework/mixins.py
parent: 84a1896b7de5c2e3fc5f564027e5fccd7b2447f9 (diff)
download: django-rest-framework-29136ef2c6338b8dbc9f7cf9c4dd75867a6bfa9f.tar.bz2
1 files changed, 5 insertions, 0 deletions
diff --git a/rest_framework/mixins.py b/rest_framework/mixins.py
index 61ac225b..ce633112 100644
--- a/rest_framework/mixins.py
+++ b/rest_framework/mixins.py
@@ -9,6 +9,7 @@ from __future__ import unicode_literals
 from django.http import Http404
 from rest_framework import status
 from rest_framework.response import Response
+from rest_framework.request import clone_request
 
 
 class CreateModelMixin(object):
@@ -90,6 +91,10 @@ class UpdateModelMixin(object):
         try:
             self.object = self.get_object()
         except Http404:
+            # If this is a PUT-as-create operation, we need to ensure that
+            # we have relevant permissions, as if this was a POST request.
+            if not self.has_permission(clone_request(request, 'POST')):
+                self.permission_denied(self.request)
             created = True
             success_status_code = status.HTTP_201_CREATED
         else:
author	Tom Christie	2013-02-10 16:50:46 +0000
committer	Tom Christie	2013-02-10 16:50:46 +0000
commit	29136ef2c6338b8dbc9f7cf9c4dd75867a6bfa9f (patch)
tree	97af2eecca3681d344a8a1ec82a85f43611df1b3 /rest_framework/mixins.py
parent	84a1896b7de5c2e3fc5f564027e5fccd7b2447f9 (diff)
download	django-rest-framework-29136ef2c6338b8dbc9f7cf9c4dd75867a6bfa9f.tar.bz2