-rw-r--r--docs/topics/credits.md2
-rw-r--r--rest_framework/mixins.py15
-rw-r--r--rest_framework/tests/test_generics.py11
3 files changed, 23 insertions, 5 deletions
diff --git a/docs/topics/credits.md b/docs/topics/credits.md
index 16ea78c4..e6d09bc2 100644
--- a/docs/topics/credits.md
+++ b/docs/topics/credits.md
@@ -160,6 +160,7 @@ The following people have helped make REST framework great.
* Christopher Paolini - [chrispaolini]
* Filipe A Ximenes - [filipeximenes]
* Ramiro Morales - [ramiro]
+* Krzysztof Jurewicz - [krzysiekj]
Many thanks to everyone who's contributed to the project.
@@ -356,3 +357,4 @@ You can also contact [@_tomchristie][twitter] directly on twitter.
[chrispaolini]: https://github.com/chrispaolini
[filipeximenes]: https://github.com/filipeximenes
[ramiro]: https://github.com/ramiro
+[krzysiekj]: https://github.com/krzysiekj
diff --git a/rest_framework/mixins.py b/rest_framework/mixins.py
index f11def6d..426865ff 100644
--- a/rest_framework/mixins.py
+++ b/rest_framework/mixins.py
@@ -142,11 +142,16 @@ class UpdateModelMixin(object):
try:
return self.get_object()
except Http404:
- # If this is a PUT-as-create operation, we need to ensure that
- # we have relevant permissions, as if this was a POST request.
- # This will either raise a PermissionDenied exception,
- # or simply return None
- self.check_permissions(clone_request(self.request, 'POST'))
+ if self.request.method == 'PUT':
+ # For PUT-as-create operation, we need to ensure that we have
+ # relevant permissions, as if this was a POST request. This
+ # will either raise a PermissionDenied exception, or simply
+ # return None.
+ self.check_permissions(clone_request(self.request, 'POST'))
+ else:
+ # PATCH requests where the object does not exist should still
+ # return a 404 response.
+ raise
def pre_save(self, obj):
"""
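Review bot: In the `PUT` branch of the `except Http404` handler, authorization for PUT-as-create rests only on `check_permissions` against the cloned POST request, so object-level permission logic has no object to run against on this path. That looks inherent to the design, but the comment should say so, for example `# Only view-level permissions are checked here; no object exists yet for object-level checks.`, so view authors do not assume object-level rules guard creation via PUT. The branch also falls through to an implicit `None`, which callers presumably treat as "create"; an explicit `return None` after the `check_permissions` call would make that contract visible. The enclosing method starts above the hunk, so its name and docstring are not visible here.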
diff --git a/rest_framework/tests/test_generics.py b/rest_framework/tests/test_generics.py
index 1550880b..7a87d389 100644
--- a/rest_framework/tests/test_generics.py
+++ b/rest_framework/tests/test_generics.py
@@ -338,6 +338,17 @@ class TestInstanceView(TestCase):
new_obj = SlugBasedModel.objects.get(slug='test_slug')
self.assertEqual(new_obj.text, 'foobar')
+ def test_patch_cannot_create_an_object(self):
+ """
+ PATCH requests should not be able to create objects.
+ """
+ data = {'text': 'foobar'}
+ request = factory.patch('/999', data, format='json')
+ with self.assertNumQueries(1):
+ response = self.view(request, pk=999).render()
+ self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+ self.assertFalse(self.objects.filter(id=999).exists())
+
class TestOverriddenGetObject(TestCase):
"""
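Review bot: The new test pins only the PATCH path; nothing in this hunk exercises the other side of the new `if self.request.method == 'PUT'` branch, namely that a PUT to a missing pk is refused when the caller lacks POST permission. If no such test exists elsewhere in the file, a companion case that sends a PUT under a restrictive permission class and asserts a 403 plus `self.assertFalse(self.objects.filter(id=999).exists())` would keep the create-authorization check from regressing silently. A short comment on `assertNumQueries(1)` would also help, presumably `# one query: the lookup that raises Http404`, since the reason for the count is not obvious from the test body.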