PATCH requests should not be able to create objects.

1 files changed, 8 insertions, 5 deletions

diff --git a/rest_framework/mixins.py b/rest_framework/mixins.py
index f11def6d..59d64469 100644
--- a/rest_framework/mixins.py
+++ b/rest_framework/mixins.py
@@ -142,11 +142,14 @@ class UpdateModelMixin(object):
         try:
             return self.get_object()
         except Http404:
-            # If this is a PUT-as-create operation, we need to ensure that
-            # we have relevant permissions, as if this was a POST request.
-            # This will either raise a PermissionDenied exception,
-            # or simply return None
-            self.check_permissions(clone_request(self.request, 'POST'))
+            if self.request.method == 'PUT':
+                # For PUT-as-create operation, we need to ensure that we have
+                # relevant permissions, as if this was a POST request.  This
+                # will either raise a PermissionDenied exception, or simply
+                # return None.
+                self.check_permissions(clone_request(self.request, 'POST'))
+            else:
+                raise
 
     def pre_save(self, obj):
         """