Object-level permissions respected by Browseable API

author: Tom Christie 2012-10-26 12:46:15 +0100
committer: Tom Christie 2012-10-26 12:46:15 +0100
commit: 2efb5f8a14ffc321a1a9e88548abfa8b0782aae4 (patch)
tree: 14c56fe4a15ea21a20af77a1cfa75062fa94e273 /rest_framework/renderers.py
parent: 32d602880fc88e2b3e8d8f2a82132bed224f8b49 (diff)
download: django-rest-framework-2efb5f8a14ffc321a1a9e88548abfa8b0782aae4.tar.bz2
1 files changed, 7 insertions, 10 deletions
diff --git a/rest_framework/renderers.py b/rest_framework/renderers.py
index c64fb517..1a8b1d97 100644
--- a/rest_framework/renderers.py
+++ b/rest_framework/renderers.py
@@ -224,7 +224,7 @@ class BrowsableAPIRenderer(BaseRenderer):
 
         return content
 
-    def show_form_for_method(self, view, method, request):
+    def show_form_for_method(self, view, method, request, obj):
         """
         Returns True if a form should be shown for this method.
         """
@@ -236,7 +236,7 @@ class BrowsableAPIRenderer(BaseRenderer):
 
         request = clone_request(request, method)
         try:
-            if not view.has_permission(request):
+            if not view.has_permission(request, obj):
                 return  # Don't have permission
         except:
             return  # Don't have permission and exception explicitly raise
@@ -295,7 +295,8 @@ class BrowsableAPIRenderer(BaseRenderer):
         In the absence on of the Resource having an associated form then
         provide a form that can be used to submit arbitrary content.
         """
-        if not self.show_form_for_method(view, method, request):
+        obj = getattr(view, 'object', None)
+        if not self.show_form_for_method(view, method, request, obj):
             return
 
         if method == 'DELETE' or method == 'OPTIONS':
@@ -305,17 +306,13 @@ class BrowsableAPIRenderer(BaseRenderer):
             media_types = [parser.media_type for parser in view.parser_classes]
             return self.get_generic_content_form(media_types)
 
-        # Creating an on the fly form see: http://stackoverflow.com/questions/3915024/dynamically-creating-classes-python
-        obj, data = None, None
-        if getattr(view, 'object', None):
-            obj = view.object
-
         serializer = view.get_serializer(instance=obj)
         fields = self.serializer_to_form_fields(serializer)
 
+        # Creating an on the fly form see:
+        # http://stackoverflow.com/questions/3915024/dynamically-creating-classes-python
         OnTheFlyForm = type("OnTheFlyForm", (forms.Form,), fields)
-        if obj:
-            data = serializer.data
+        data = (obj is not None) and serializer.data or None
         form_instance = OnTheFlyForm(data)
         return form_instance
author	Tom Christie	2012-10-26 12:46:15 +0100
committer	Tom Christie	2012-10-26 12:46:15 +0100
commit	2efb5f8a14ffc321a1a9e88548abfa8b0782aae4 (patch)
tree	14c56fe4a15ea21a20af77a1cfa75062fa94e273 /rest_framework/renderers.py
parent	32d602880fc88e2b3e8d8f2a82132bed224f8b49 (diff)
download	django-rest-framework-2efb5f8a14ffc321a1a9e88548abfa8b0782aae4.tar.bz2