Diffstat (limited to 'docs')
| -rw-r--r-- | docs/api-guide/permissions.md | 7 |
| -rw-r--r-- | docs/topics/credits.md | 2 |
| -rw-r--r-- | docs/topics/release-notes.md | 2 |
3 files changed, 10 insertions, 1 deletions
diff --git a/docs/api-guide/permissions.md b/docs/api-guide/permissions.md index 2db6ce1e..719ac1ef 100644 --- a/docs/api-guide/permissions.md +++ b/docs/api-guide/permissions.md @@ -90,12 +90,17 @@ This permission is suitable if you want to your API to allow read permissions to ## DjangoModelPermissions -This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth]. When applied to a view that has a `.model` property, authorization will only be granted if the user has the relevant model permissions assigned. +This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth]. When applied to a view that has a `.model` property, authorization will only be granted if the user *is authenticated* and has the *relevant model permissions* assigned. * `POST` requests require the user to have the `add` permission on the model. * `PUT` and `PATCH` requests require the user to have the `change` permission on the model. * `DELETE` requests require the user to have the `delete` permission on the model. +If you want to use `DjangoModelPermissions` but also allow unauthenticated users to have read permission, override the class and set the `authenticated_users_only` property to `False`. For example: + + class HasModelPermissionsOrReadOnly(DjangoModelPermissions): + authenticated_users_only = False + The default behaviour can also be overridden to support custom model permissions. For example, you might want to include a `view` model permission for `GET` requests. To use custom model permissions, override `DjangoModelPermissions` and set the `.perms_map` property. Refer to the source code for details. diff --git a/docs/topics/credits.md b/docs/topics/credits.md index bdd3e27e..b0f0cfa2 100644 --- a/docs/topics/credits.md +++ b/docs/topics/credits.md 
@@ -109,6 +109,7 @@ The following people have helped make REST framework great. * Wiliam Souza - [waa] * Jonas Braun - [iekadou] * Ian Dash - [bitmonkey] +* Bouke Haarsma - [bouke] * Pierre Dulac - [dulaccc] Many thanks to everyone who's contributed to the project. @@ -253,4 +254,5 @@ You can also contact [@_tomchristie][twitter] directly on twitter. [waa]: https://github.com/wiliamsouza [iekadou]: https://github.com/iekadou [bitmonkey]: https://github.com/bitmonkey +[bouke]: https://github.com/bouke [dulaccc]: https://github.com/dulaccc diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md index eb4d378e..ff487826 100644 --- a/docs/topics/release-notes.md +++ b/docs/topics/release-notes.md @@ -44,6 +44,8 @@ You can determine your currently installed version using `pip freeze`: * Filtering backends are now applied to the querysets for object lookups as well as lists. (Eg you can use a filtering backend to control which objects should 404) * Deal with error data nicely when deserializing lists of objects. +* Extra override hook to configure `DjangoModelPermissions` for unauthenticated users. +* Bugfix: Fix pk relationship bug for some types of 1-to-1 relations. * Bugfix: Workaround for Django bug causing case where `Authtoken` could be registered for cascade delete from `User` even if not installed. ### 2.2.3 |
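Review bot: In the docs/api-guide/permissions.md hunk, the added paragraph introducing `HasModelPermissionsOrReadOnly` says unauthenticated users get read permission but never states what still applies to them for `POST`, `PUT`, `PATCH` and `DELETE`. Because the reworded intro sentence now stresses that the user *is authenticated*, add one sentence making explicit that `authenticated_users_only = False` opens up read access only and that the `add`, `change` and `delete` requirements in the list above continue to apply, so nobody reads the flag as relaxing writes. The paragraph also calls `authenticated_users_only` a property while the example sets it as a plain class attribute; "attribute" would match the code.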
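Review bot: In the docs/topics/release-notes.md hunk, the second added bullet ("Bugfix: Fix pk relationship bug for some types of 1-to-1 relations.") has nothing to do with the `DjangoModelPermissions` documentation changed elsewhere in this diff, so it should go in with the change that fixes that bug, or the commit message should mention it. The first added bullet would also be easier to act on if it named the hook, for example "Added `authenticated_users_only` override on `DjangoModelPermissions`", since "Extra override hook" gives a reader of the release notes nothing to search for.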
