authorTom Christie2013-02-10 16:50:46 +0000
committerTom Christie2013-02-10 16:50:46 +0000
commit29136ef2c6338b8dbc9f7cf9c4dd75867a6bfa9f (patch)
tree97af2eecca3681d344a8a1ec82a85f43611df1b3 /rest_framework/tests/permissions.py
parent84a1896b7de5c2e3fc5f564027e5fccd7b2447f9 (diff)
Enforce PUT-as-create permissions
Diffstat (limited to 'rest_framework/tests/permissions.py')
-rw-r--r--rest_framework/tests/permissions.py20
1 files changed, 20 insertions, 0 deletions
diff --git a/rest_framework/tests/permissions.py b/rest_framework/tests/permissions.py
index c04d2110..a7777b57 100644
--- a/rest_framework/tests/permissions.py
+++ b/rest_framework/tests/permissions.py
@@ -44,9 +44,14 @@ class ModelPermissionsIntegrationTests(TestCase):
Permission.objects.get(codename='change_basicmodel'),
Permission.objects.get(codename='delete_basicmodel')
]
+ user = User.objects.create_user('updateonly', 'updateonly@example.com', 'password')
+ user.user_permissions = [
+ Permission.objects.get(codename='change_basicmodel'),
+ ]
self.permitted_credentials = basic_auth_header('permitted', 'password')
self.disallowed_credentials = basic_auth_header('disallowed', 'password')
+ self.updateonly_credentials = basic_auth_header('updateonly', 'password')
BasicModel(text='foo').save()
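Review bot: The fixture gains an update-only user but no counterpart that holds only the add permission, so only half of the PUT permission matrix is covered by the credentials set up here. A user who may create but not change should be refused on a PUT to an existing object and allowed on a PUT to a new one; neither case can be written without a second fixture such as `user.user_permissions = [Permission.objects.get(codename='add_basicmodel')]` with a matching `self.createonly_credentials = basic_auth_header('createonly', 'password')`. The enclosing setup method starts outside the hunk, so an equivalent user may already exist above; worth confirming. A short comment above the new user saying which operations it is expected to pass and fail would also help the next reader.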
@@ -87,3 +92,18 @@ class ModelPermissionsIntegrationTests(TestCase):
request = factory.delete('/1', HTTP_AUTHORIZATION=self.disallowed_credentials)
response = instance_view(request, pk=1)
self.assertEquals(response.status_code, status.HTTP_403_FORBIDDEN)
+
+ def test_has_put_as_create_permissions(self):
+ # User only has update permissions - should be able to update an entity.
+ request = factory.put('/1', json.dumps({'text': 'foobar'}),
+ content_type='application/json',
+ HTTP_AUTHORIZATION=self.updateonly_credentials)
+ response = instance_view(request, pk='1')
+ self.assertEquals(response.status_code, status.HTTP_200_OK)
+
+ # But if PUTing to a new entity, permission should be denied.
+ request = factory.put('/2', json.dumps({'text': 'foobar'}),
+ content_type='application/json',
+ HTTP_AUTHORIZATION=self.updateonly_credentials)
+ response = instance_view(request, pk='2')
+ self.assertEquals(response.status_code, status.HTTP_403_FORBIDDEN)
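Review bot: The denied branch of `test_has_put_as_create_permissions` checks only the status code, so a view that saved the object and then returned 403 would still pass. Since the commit is about enforcement, the test should also prove nothing was written, for example `self.assertFalse(BasicModel.objects.filter(pk=2).exists())` after the final assertion. The allowed branch has the same gap in the other direction: it could assert that the stored row's `text` is now `'foobar'`. The first request also relies on the row saved during setup having primary key 1, which deserves a one-line comment. As a style point, `pk` is passed as a string here while the existing delete test just above passes `pk=1`.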