| author | Tom Christie | 2013-08-23 14:06:39 +0100 |
|---|---|---|
| committer | Tom Christie | 2013-08-23 14:06:39 +0100 |
| commit | f54fc3a76bdb872eb3b0ba562db08e3fd7c879af (patch) | |
| tree | 0fbd5eca83db4e7dfe2027d51f526daec59b858f /rest_framework | |
| parent | f2b190e3740e50508b3da1ec52048a3c90add3b1 (diff) | |
| parent | 7bbe0f868f02e3da902c6e0d11bf5b10bc55f616 (diff) | |
Merge branch 'master' of https://github.com/tomchristie/django-rest-framework
Diffstat (limited to 'rest_framework')
| -rw-r--r-- | rest_framework/mixins.py | 15 | ||||
| -rw-r--r-- | rest_framework/tests/test_generics.py | 11 |
2 files changed, 21 insertions, 5 deletions
diff --git a/rest_framework/mixins.py b/rest_framework/mixins.py
index f11def6d..426865ff 100644
--- a/rest_framework/mixins.py
+++ b/rest_framework/mixins.py
@@ -142,11 +142,16 @@ class UpdateModelMixin(object):
 try:
 return self.get_object()
 except Http404:
- # If this is a PUT-as-create operation, we need to ensure that
- # we have relevant permissions, as if this was a POST request.
- # This will either raise a PermissionDenied exception,
- # or simply return None
- self.check_permissions(clone_request(self.request, 'POST'))
+ if self.request.method == 'PUT':
+ # For PUT-as-create operation, we need to ensure that we have
+ # relevant permissions, as if this was a POST request. This
+ # will either raise a PermissionDenied exception, or simply
+ # return None.
+ self.check_permissions(clone_request(self.request, 'POST'))
+ else:
+ # PATCH requests where the object does not exist should still
+ # return a 404 response.
+ raise
 def pre_save(self, obj):
 """
diff --git a/rest_framework/tests/test_generics.py b/rest_framework/tests/test_generics.py
index 1550880b..7a87d389 100644
--- a/rest_framework/tests/test_generics.py
+++ b/rest_framework/tests/test_generics.py
@@ -338,6 +338,17 @@ class TestInstanceView(TestCase):
 new_obj = SlugBasedModel.objects.get(slug='test_slug')
 self.assertEqual(new_obj.text, 'foobar')
+ def test_patch_cannot_create_an_object(self):
+ """
+ PATCH requests should not be able to create objects.
+ """
+ data = {'text': 'foobar'}
+ request = factory.patch('/999', data, format='json')
+ with self.assertNumQueries(1):
+ response = self.view(request, pk=999).render()
+ self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+ self.assertFalse(self.objects.filter(id=999).exists())
+
 class TestOverriddenGetObject(TestCase):
 """ |
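Review bot: In the new `if self.request.method == 'PUT':` branch the create path ends by falling off the end of the function, so the `None` that tells the caller "no existing object, creation permitted" is implicit, and the comment's "or simply return None" reads as if it described `check_permissions`. Because this branch is the authorization decision for PUT-as-create, I would end it with an explicit `return None` after the `self.check_permissions(clone_request(self.request, 'POST'))` call. A docstring line would also help, stating that the method returns the object, returns `None` only for a PUT that passed the POST permission check, and otherwise lets `Http404` or `PermissionDenied` propagate. Only the view-level check is visible on this path, since no object exists yet; if object-level rules are meant to be skipped here, the comment should say so. The function's signature and any existing docstring are outside the hunk.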
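Review bot: `test_patch_cannot_create_an_object` pins the 404 only for the pk-based view, while the context lines just above it show PUT-as-create being exercised through a slug lookup (`SlugBasedModel.objects.get(slug='test_slug')`), so a PATCH to a missing slug is not covered by this hunk. A sibling test that sends `factory.patch` to the slug-based view and asserts `status.HTTP_404_NOT_FOUND` and that no row was created would cover the second lookup path. The `assertNumQueries(1)` wrapper also couples this regression test to the lookup's query count; a short comment such as `# one SELECT for the lookup, no INSERT` would explain why the number matters. The enclosing `TestInstanceView` class begins outside the hunk.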
