From f8101114d1ec13e296cb393b43b0ebd9618fa997 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Fri, 30 Aug 2013 09:31:35 +0100
Subject: Update release notes
---
docs/topics/release-notes.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index a901412f..708aef38 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -45,6 +45,8 @@ You can determine your currently installed version using `pip freeze`:
* Support customizable view name and description functions, using the `VIEW_NAME_FUNCTION` and `VIEW_DESCRIPTION_FUNCTION` settings.
* Added `MAX_PAGINATE_BY` setting and `max_paginate_by` generic view attribute.
* Added `cache` attribute to throttles to allow overriding of default cache.
+* 'Raw data' tab in browsable API now contains pre-populated data.
+* 'Raw data' and 'HTML form' tab preference in browseable API now saved between page views.
* Bugfix: `required=True` argument fixed for boolean serializer fields.
* Bugfix: `client.force_authenticate(None)` should also clear session info if it exists.
* Bugfix: Client sending emptry string instead of file now clears `FileField`.
--
cgit v1.2.3
From 3063a50fc20f0bfb7308e668cf083c5ae0876dac Mon Sep 17 00:00:00 2001
From: Edmond Wong
Date: Fri, 30 Aug 2013 18:03:44 -0700
Subject: Allow OPTIONS to retrieve PUT field metadata on empty objects
This allows OPTIONS to return the PUT endpoint's object serializer metadata when the object hasn't been created yet.---
rest_framework/generics.py | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/rest_framework/generics.py b/rest_framework/generics.py
index 14feed20..4d909ef1 100644
--- a/rest_framework/generics.py
+++ b/rest_framework/generics.py
@@ -356,8 +356,13 @@ class GenericAPIView(views.APIView):
self.check_permissions(cloned_request)
# Test object permissions
if method == 'PUT':
- self.get_object()
- except (exceptions.APIException, PermissionDenied, Http404):
+ try:
+ self.get_object()
+ except Http404:
+ # Http404 should be acceptable and the serializer
+ # metadata should be populated.
+ pass
+ except (exceptions.APIException, PermissionDenied):
pass
else:
# If user has appropriate permissions for the view, include
--
cgit v1.2.3
From 85ab879a85ac4a7a3f6a965ab78839ac16aed912 Mon Sep 17 00:00:00 2001
From: tom-leys
Date: Sat, 31 Aug 2013 19:40:53 +1200
Subject: Updated tutorial part 6: 2 examples were missing includes
---
docs/tutorial/6-viewsets-and-routers.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/docs/tutorial/6-viewsets-and-routers.md b/docs/tutorial/6-viewsets-and-routers.md
index 8a1a1ae0..870632f1 100644
--- a/docs/tutorial/6-viewsets-and-routers.md
+++ b/docs/tutorial/6-viewsets-and-routers.md
@@ -61,6 +61,7 @@ To see what's going on under the hood let's first explicitly create a set of vie
In the `urls.py` file we bind our `ViewSet` classes into a set of concrete views.
from snippets.views import SnippetViewSet, UserViewSet
+ from rest_framework import renderers
snippet_list = SnippetViewSet.as_view({
'get': 'list',
@@ -101,6 +102,7 @@ Because we're using `ViewSet` classes rather than `View` classes, we actually do
Here's our re-wired `urls.py` file.
+ from django.conf.urls import patterns, url, include
from snippets import views
from rest_framework.routers import DefaultRouter
--
cgit v1.2.3
From a15cda4be4e14f5de5db41a4f664ee95107e0984 Mon Sep 17 00:00:00 2001
From: Yuri Prezument
Date: Sat, 31 Aug 2013 17:10:15 +0300
Subject: Regression test for #1072
---
rest_framework/tests/test_relations_pk.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/rest_framework/tests/test_relations_pk.py b/rest_framework/tests/test_relations_pk.py
index e2a1b815..3815afdd 100644
--- a/rest_framework/tests/test_relations_pk.py
+++ b/rest_framework/tests/test_relations_pk.py
@@ -283,6 +283,15 @@ class PKForeignKeyTests(TestCase):
self.assertFalse(serializer.is_valid())
self.assertEqual(serializer.errors, {'target': ['This field is required.']})
+ def test_foreign_key_with_empty(self):
+ """
+ Regression test for #1072
+
+ https://github.com/tomchristie/django-rest-framework/issues/1072
+ """
+ serializer = NullableForeignKeySourceSerializer()
+ self.assertEqual(serializer.data['target'], None)
+
class PKNullableForeignKeyTests(TestCase):
def setUp(self):
--
cgit v1.2.3
From 745ebeca77e6bcbec4eb94fb98206d6913e3d049 Mon Sep 17 00:00:00 2001
From: Yuri Prezument
Date: Sat, 31 Aug 2013 17:20:49 +0300
Subject: Handle case where obj=None in PKRelatedField.field_to_native()
Fixes #1072
---
rest_framework/relations.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rest_framework/relations.py b/rest_framework/relations.py
index 3ad16ee5..35c00bf1 100644
--- a/rest_framework/relations.py
+++ b/rest_framework/relations.py
@@ -264,7 +264,7 @@ class PrimaryKeyRelatedField(RelatedField):
# RelatedObject (reverse relationship)
try:
pk = getattr(obj, self.source or field_name).pk
- except ObjectDoesNotExist:
+ except (ObjectDoesNotExist, AttributeError):
return None
# Forward relationship
--
cgit v1.2.3
From 8b245fed14abff62a34e81f4ce8da1c396ba7712 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Mon, 2 Sep 2013 09:17:51 +0100
Subject: Add windows virtualenv activate instruction
Closes #1075.---
docs/tutorial/quickstart.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/tutorial/quickstart.md b/docs/tutorial/quickstart.md
index f15e75c0..06eec3c4 100644
--- a/docs/tutorial/quickstart.md
+++ b/docs/tutorial/quickstart.md
@@ -12,7 +12,7 @@ Create a new Django project named `tutorial`, then start a new app called `quick
# Create a virtualenv to isolate our package dependencies locally
virtualenv env
- source env/bin/activate
+ source env/bin/activate # On Windows use `env\Scripts\activate`
# Install Django and Django REST framework into the virtualenv
pip install django
--
cgit v1.2.3
From d0123a1385b18f25da766c177056c308fbb74b67 Mon Sep 17 00:00:00 2001
From: Kevin Brown
Date: Mon, 2 Sep 2013 10:23:54 -0400
Subject: Changed DOAC documentation link
---
docs/api-guide/authentication.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md
index f30b16ed..7caeac1e 100755
--- a/docs/api-guide/authentication.md
+++ b/docs/api-guide/authentication.md
@@ -404,4 +404,4 @@ The [Django OAuth2 Consumer][doac] library from [Rediker Software][rediker] is a
[oauthlib]: https://github.com/idan/oauthlib
[doac]: https://github.com/Rediker-Software/doac
[rediker]: https://github.com/Rediker-Software
-[doac-rest-framework]: https://github.com/Rediker-Software/doac/blob/master/docs/markdown/integrations.md#
+[doac-rest-framework]: https://github.com/Rediker-Software/doac/blob/master/docs/integrations.md#
--
cgit v1.2.3
From 6e7e4fc01c5ddaf668f17f1d1f201a14a26f72f3 Mon Sep 17 00:00:00 2001
From: Edmond Wong
Date: Tue, 3 Sep 2013 12:30:18 -0700
Subject: Added test for OPTIONS before object creation from a PUT
---
rest_framework/generics.py | 4 +++-
rest_framework/tests/test_generics.py | 42 +++++++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/rest_framework/generics.py b/rest_framework/generics.py
index 4d909ef1..7d1bf794 100644
--- a/rest_framework/generics.py
+++ b/rest_framework/generics.py
@@ -360,7 +360,9 @@ class GenericAPIView(views.APIView):
self.get_object()
except Http404:
# Http404 should be acceptable and the serializer
- # metadata should be populated.
+ # metadata should be populated. Except this so the
+ # outer "else" clause of the try-except-else block
+ # will be executed.
pass
except (exceptions.APIException, PermissionDenied):
pass
diff --git a/rest_framework/tests/test_generics.py b/rest_framework/tests/test_generics.py
index 7a87d389..79cd99ac 100644
--- a/rest_framework/tests/test_generics.py
+++ b/rest_framework/tests/test_generics.py
@@ -272,6 +272,48 @@ class TestInstanceView(TestCase):
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data, expected)
+ def test_options_before_instance_create(self):
+ """
+ OPTIONS requests to RetrieveUpdateDestroyAPIView should return metadata
+ before the instance has been created
+ """
+ request = factory.options('/999')
+ with self.assertNumQueries(1):
+ response = self.view(request, pk=999).render()
+ expected = {
+ 'parses': [
+ 'application/json',
+ 'application/x-www-form-urlencoded',
+ 'multipart/form-data'
+ ],
+ 'renders': [
+ 'application/json',
+ 'text/html'
+ ],
+ 'name': 'Instance',
+ 'description': 'Example description for OPTIONS.',
+ 'actions': {
+ 'PUT': {
+ 'text': {
+ 'max_length': 100,
+ 'read_only': False,
+ 'required': True,
+ 'type': 'string',
+ 'label': 'Text comes here',
+ 'help_text': 'Text description.'
+ },
+ 'id': {
+ 'read_only': True,
+ 'required': False,
+ 'type': 'integer',
+ 'label': 'ID',
+ },
+ }
+ }
+ }
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+ self.assertEqual(response.data, expected)
+
def test_get_instance_view_incorrect_arg(self):
"""
GET requests with an incorrect pk type, should raise 404, not 500.
--
cgit v1.2.3
From c4cb26f73bee65b068f140f1f931ede43e41f58a Mon Sep 17 00:00:00 2001
From: Tyler Hayes
Date: Wed, 4 Sep 2013 03:38:34 -0700
Subject: Tiny typo fix
---
docs/api-guide/serializers.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/api-guide/serializers.md b/docs/api-guide/serializers.md
index 5d7e2ac8..a3cd1d6a 100644
--- a/docs/api-guide/serializers.md
+++ b/docs/api-guide/serializers.md
@@ -250,7 +250,7 @@ This allows you to write views that update or create multiple items when a `PUT`
serializer = BookSerializer(queryset, data=data, many=True)
serializer.is_valid()
# True
- serialize.save() # `.save()` will be called on each updated or newly created instance.
+ serializer.save() # `.save()` will be called on each updated or newly created instance.
By default bulk updates will be limited to updating instances that already exist in the provided queryset.
--
cgit v1.2.3
From b47f1b0257e8688acb67ffd806efe0ffc2c1915b Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Thu, 5 Sep 2013 20:25:45 +0100
Subject: Added @edmundwong for work on #1076. Thanks!
---
docs/topics/credits.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/docs/topics/credits.md b/docs/topics/credits.md
index b2d3d5d2..07e2ec47 100644
--- a/docs/topics/credits.md
+++ b/docs/topics/credits.md
@@ -166,6 +166,7 @@ The following people have helped make REST framework great.
* Alexander Akhmetov - [alexander-akhmetov]
* Andrey Antukh - [niwibe]
* Mathieu Pillard - [diox]
+* Edmond Wong - [edmondwong]
Many thanks to everyone who's contributed to the project.
@@ -368,3 +369,4 @@ You can also contact [@_tomchristie][twitter] directly on twitter.
[alexander-akhmetov]: https://github.com/alexander-akhmetov
[niwibe]: https://github.com/niwibe
[diox]: https://github.com/diox
+[edmondwong]: https://github.com/edmondwong
--
cgit v1.2.3
From 916d8ab37da2f0c4412507710649ba0f352f29bb Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Fri, 6 Sep 2013 12:19:51 +0100
Subject: Fix typo
---
docs/api-guide/relations.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/api-guide/relations.md b/docs/api-guide/relations.md
index 15ba9a3a..5ec4b22f 100644
--- a/docs/api-guide/relations.md
+++ b/docs/api-guide/relations.md
@@ -421,7 +421,7 @@ For example, if all your object URLs used both a account and a slug in the the U
def get_object(self, queryset, view_name, view_args, view_kwargs):
account = view_kwargs['account']
slug = view_kwargs['slug']
- return queryset.get(account=account, slug=sug)
+ return queryset.get(account=account, slug=slug)
---
--
cgit v1.2.3
From 4a9dcfa76089143bbeb5cd43fa3a406365d89e96 Mon Sep 17 00:00:00 2001
From: bwreilly
Date: Fri, 6 Sep 2013 11:01:31 -0500
Subject: added guardian as optional requirement, stubbed out object-level
permission class
---
docs/index.md | 1 +
rest_framework/compat.py | 6 ++++++
rest_framework/permissions.py | 7 ++++++-
rest_framework/tests/test_permissions.py | 1 +
4 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/docs/index.md b/docs/index.md
index e0a2e911..d83fbff1 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -42,6 +42,7 @@ The following packages are optional:
* [django-filter][django-filter] (0.5.4+) - Filtering support.
* [django-oauth-plus][django-oauth-plus] (2.0+) and [oauth2][oauth2] (1.5.211+) - OAuth 1.0a support.
* [django-oauth2-provider][django-oauth2-provider] (0.2.3+) - OAuth 2.0 support.
+* [django-guardian][django-guardian] (1.1.1+) - Object level permissions support.
**Note**: The `oauth2` Python package is badly misnamed, and actually provides OAuth 1.0a support. Also note that packages required for both OAuth 1.0a, and OAuth 2.0 are not yet Python 3 compatible.
diff --git a/rest_framework/compat.py b/rest_framework/compat.py
index 6f7447ad..b9d1dae6 100644
--- a/rest_framework/compat.py
+++ b/rest_framework/compat.py
@@ -47,6 +47,12 @@ try:
except ImportError:
django_filters = None
+# guardian is optional
+try:
+ import guardian
+except ImportError:
+ guardian = None
+
# cStringIO only if it's available, otherwise StringIO
try:
diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py
index 1036663e..6d213ba1 100644
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@@ -7,7 +7,7 @@ import warnings
SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']
-from rest_framework.compat import oauth2_provider_scope, oauth2_constants
+from rest_framework.compat import oauth2_provider_scope, oauth2_constants, guardian
class BasePermission(object):
@@ -151,6 +151,11 @@ class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):
authenticated_users_only = False
+class DjangoObjectLevelModelPermissions(DjangoModelPermissions):
+ def __init__(self):
+ assert guardian, 'Using DjangoObjectLevelModelPermissions, but guardian is not installed'
+
+
class TokenHasReadWriteScope(BasePermission):
"""
The request is authenticated as a user and the token used has the right scope
diff --git a/rest_framework/tests/test_permissions.py b/rest_framework/tests/test_permissions.py
index e2cca380..d1171cce 100644
--- a/rest_framework/tests/test_permissions.py
+++ b/rest_framework/tests/test_permissions.py
@@ -4,6 +4,7 @@ from django.db import models
from django.test import TestCase
from rest_framework import generics, status, permissions, authentication, HTTP_HEADER_ENCODING
from rest_framework.test import APIRequestFactory
+from rest_framework.compat import guardian
import base64
factory = APIRequestFactory()
--
cgit v1.2.3
From b07de86ad372a185c05c1dd77ccd7bee3801996e Mon Sep 17 00:00:00 2001
From: bwreilly
Date: Fri, 6 Sep 2013 12:35:06 -0500
Subject: some properly failing tests, set up for standard permissions
---
rest_framework/permissions.py | 2 +-
rest_framework/runtests/settings.py | 11 ++++
rest_framework/tests/test_permissions.py | 109 ++++++++++++++++++-------------
tox.ini | 8 +++
4 files changed, 84 insertions(+), 46 deletions(-)
diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py
index 6d213ba1..b67be414 100644
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@@ -153,7 +153,7 @@ class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):
class DjangoObjectLevelModelPermissions(DjangoModelPermissions):
def __init__(self):
- assert guardian, 'Using DjangoObjectLevelModelPermissions, but guardian is not installed'
+ assert guardian, 'Using DjangoObjectLevelModelPermissions, but django-guardian is not installed'
class TokenHasReadWriteScope(BasePermission):
diff --git a/rest_framework/runtests/settings.py b/rest_framework/runtests/settings.py
index b3702d0b..6750376f 100644
--- a/rest_framework/runtests/settings.py
+++ b/rest_framework/runtests/settings.py
@@ -123,6 +123,17 @@ else:
'provider.oauth2',
)
+# guardian is optional
+try:
+ import guardian
+except ImportError:
+ pass
+else:
+ ANONYMOUS_USER_ID = -1
+ INSTALLED_APPS += (
+ 'guardian',
+ )
+
STATIC_URL = '/static/'
PASSWORD_HASHERS = (
diff --git a/rest_framework/tests/test_permissions.py b/rest_framework/tests/test_permissions.py
index d1171cce..dcdb4eea 100644
--- a/rest_framework/tests/test_permissions.py
+++ b/rest_framework/tests/test_permissions.py
@@ -3,17 +3,14 @@ from django.contrib.auth.models import User, Permission
from django.db import models
from django.test import TestCase
from rest_framework import generics, status, permissions, authentication, HTTP_HEADER_ENCODING
-from rest_framework.test import APIRequestFactory
from rest_framework.compat import guardian
+from rest_framework.test import APIRequestFactory
+from rest_framework.tests.models import BasicModel
+from rest_framework.settings import api_settings
import base64
factory = APIRequestFactory()
-
-class BasicModel(models.Model):
- text = models.CharField(max_length=100)
-
-
class RootView(generics.ListCreateAPIView):
model = BasicModel
authentication_classes = [authentication.BasicAuthentication]
@@ -145,45 +142,67 @@ class ModelPermissionsIntegrationTests(TestCase):
self.assertEqual(list(response.data['actions'].keys()), ['PUT'])
-class OwnerModel(models.Model):
- text = models.CharField(max_length=100)
- owner = models.ForeignKey(User)
+class BasicPermModel(BasicModel):
+ class Meta:
+ app_label = 'tests'
+ permissions = (
+ ('read_basicpermmodel', "Can view basic perm model"),
+ # add, change, delete built in to django
+ )
-class IsOwnerPermission(permissions.BasePermission):
- def has_object_permission(self, request, view, obj):
- return request.user == obj.owner
-
-
-class OwnerInstanceView(generics.RetrieveUpdateDestroyAPIView):
- model = OwnerModel
+class ObjectPermissionInstanceView(generics.RetrieveUpdateDestroyAPIView):
+ model = BasicModel
authentication_classes = [authentication.BasicAuthentication]
- permission_classes = [IsOwnerPermission]
-
-
-owner_instance_view = OwnerInstanceView.as_view()
-
-
-class ObjectPermissionsIntegrationTests(TestCase):
- """
- Integration tests for the object level permissions API.
- """
-
- def setUp(self):
- User.objects.create_user('not_owner', 'not_owner@example.com', 'password')
- user = User.objects.create_user('owner', 'owner@example.com', 'password')
-
- self.not_owner_credentials = basic_auth_header('not_owner', 'password')
- self.owner_credentials = basic_auth_header('owner', 'password')
-
- OwnerModel(text='foo', owner=user).save()
-
- def test_owner_has_delete_permissions(self):
- request = factory.delete('/1', HTTP_AUTHORIZATION=self.owner_credentials)
- response = owner_instance_view(request, pk='1')
- self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
-
- def test_non_owner_does_not_have_delete_permissions(self):
- request = factory.delete('/1', HTTP_AUTHORIZATION=self.not_owner_credentials)
- response = owner_instance_view(request, pk='1')
- self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+ permission_classes = [permissions.DjangoObjectLevelModelPermissions]
+
+
+object_permissions_view = ObjectPermissionInstanceView.as_view()
+
+if guardian:
+ class ObjectPermissionsIntegrationTests(TestCase):
+ """
+ Integration tests for the object level permissions API.
+ """
+
+ def setUp(self):
+ # create users
+ User.objects.create_user('no_permission', 'no_permission@example.com', 'password')
+ reader = User.objects.create_user('reader', 'reader@example.com', 'password')
+ writer = User.objects.create_user('writer', 'writer@example.com', 'password')
+ full_access = User.objects.create_user('full_access', 'full_access@example.com', 'password')
+
+ model = BasicPermModel.objects.create(text='foo')
+
+ # assign permissions appropriately
+ from guardian.shortcuts import assign_perm
+
+ read = "read_basicpermmodel"
+ write = "change_basicpermmodel"
+ delete = "delete_basicpermmodel"
+ app_label = 'tests.'
+ # model level permissions
+ assign_perm(app_label + delete, full_access, obj=model)
+ (assign_perm(app_label + write, user, obj=model) for user in (writer, full_access))
+ (assign_perm(app_label + read, user, obj=model) for user in (reader, writer, full_access))
+
+ # object level permissions
+ assign_perm(delete, full_access, obj=model)
+ (assign_perm(write, user, obj=model) for user in (writer, full_access))
+ (assign_perm(read, user, obj=model) for user in (reader, writer, full_access))
+
+ self.no_permission_credentials = basic_auth_header('no_permission', 'password')
+ self.reader_credentials = basic_auth_header('reader', 'password')
+ self.writer_credentials = basic_auth_header('writer', 'password')
+ self.full_access_credentials = basic_auth_header('full_access', 'password')
+
+
+ def test_has_delete_permissions(self):
+ request = factory.delete('/1', HTTP_AUTHORIZATION=self.full_access_credentials)
+ response = object_permissions_view(request, pk='1')
+ self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
+
+ def test_no_delete_permissions(self):
+ request = factory.delete('/1', HTTP_AUTHORIZATION=self.writer_credentials)
+ response = object_permissions_view(request, pk='1')
+ self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
diff --git a/tox.ini b/tox.ini
index aa97fd35..6e3b8e0a 100644
--- a/tox.ini
+++ b/tox.ini
@@ -25,6 +25,7 @@ deps = https://www.djangoproject.com/download/1.6a1/tarball/
django-oauth-plus==2.0
oauth2==1.5.211
django-oauth2-provider==0.2.4
+ django-guardian==1.1.1
[testenv:py2.6-django1.6]
basepython = python2.6
@@ -34,6 +35,7 @@ deps = https://www.djangoproject.com/download/1.6a1/tarball/
django-oauth-plus==2.0
oauth2==1.5.211
django-oauth2-provider==0.2.4
+ django-guardian==1.1.1
[testenv:py3.3-django1.5]
basepython = python3.3
@@ -55,6 +57,7 @@ deps = django==1.5
django-oauth-plus==2.0
oauth2==1.5.211
django-oauth2-provider==0.2.3
+ django-guardian==1.1.1
[testenv:py2.6-django1.5]
basepython = python2.6
@@ -64,6 +67,7 @@ deps = django==1.5
django-oauth-plus==2.0
oauth2==1.5.211
django-oauth2-provider==0.2.3
+ django-guardian==1.1.1
[testenv:py2.7-django1.4]
basepython = python2.7
@@ -73,6 +77,7 @@ deps = django==1.4.3
django-oauth-plus==2.0
oauth2==1.5.211
django-oauth2-provider==0.2.3
+ django-guardian==1.1.1
[testenv:py2.6-django1.4]
basepython = python2.6
@@ -82,6 +87,7 @@ deps = django==1.4.3
django-oauth-plus==2.0
oauth2==1.5.211
django-oauth2-provider==0.2.3
+ django-guardian==1.1.1
[testenv:py2.7-django1.3]
basepython = python2.7
@@ -91,6 +97,7 @@ deps = django==1.3.5
django-oauth-plus==2.0
oauth2==1.5.211
django-oauth2-provider==0.2.3
+ django-guardian==1.1.1
[testenv:py2.6-django1.3]
basepython = python2.6
@@ -100,3 +107,4 @@ deps = django==1.3.5
django-oauth-plus==2.0
oauth2==1.5.211
django-oauth2-provider==0.2.3
+ django-guardian==1.1.1
--
cgit v1.2.3
From b5523bcc7ddab97620fd7b49e385b44c664ca899 Mon Sep 17 00:00:00 2001
From: Andy Freeland
Date: Fri, 6 Sep 2013 11:40:34 -0500
Subject: Support customizable view EXCEPTION_HANDLER
Add `api_settings.EXCEPTION_HANDLER` to support custom error responses.
Fixes #907.
---
docs/api-guide/settings.md | 16 ++++++++++++++-
rest_framework/settings.py | 4 ++++
rest_framework/tests/test_views.py | 41 ++++++++++++++++++++++++++++++++++++++
rest_framework/views.py | 2 +-
4 files changed, 61 insertions(+), 2 deletions(-)
diff --git a/docs/api-guide/settings.md b/docs/api-guide/settings.md
index 542e8c5f..13f96f9a 100644
--- a/docs/api-guide/settings.md
+++ b/docs/api-guide/settings.md
@@ -25,7 +25,7 @@ If you need to access the values of REST framework's API settings in your projec
you should use the `api_settings` object. For example.
from rest_framework.settings import api_settings
-
+
print api_settings.DEFAULT_AUTHENTICATION_CLASSES
The `api_settings` object will check for any user-defined settings, and otherwise fall back to the default values. Any setting that uses string import paths to refer to a class will automatically import and return the referenced class, instead of the string literal.
@@ -339,6 +339,20 @@ Default: `'rest_framework.views.get_view_description'`
## Miscellaneous settings
+#### EXCEPTION_HANDLER
+
+A string representing the function that should be used when returning a response for any given exception. If the function returns `None`, a 500 error will be raised.
+
+This setting can be changed to support error responses other than the default `{"detail": "Failure..."}` responses. For example, you can use it to provide API responses like `{"errors": [{"message": "Failure...", "code": ""} ...]}`.
+
+This should be a function with the following signature:
+
+ exception_handler(exc)
+
+* `exc`: The exception.
+
+Default: `'rest_framework.views.exception_handler'`
+
#### FORMAT_SUFFIX_KWARG
The name of a parameter in the URL conf that may be used to provide a format suffix.
diff --git a/rest_framework/settings.py b/rest_framework/settings.py
index 8c084751..8abaf140 100644
--- a/rest_framework/settings.py
+++ b/rest_framework/settings.py
@@ -77,6 +77,9 @@ DEFAULTS = {
'VIEW_NAME_FUNCTION': 'rest_framework.views.get_view_name',
'VIEW_DESCRIPTION_FUNCTION': 'rest_framework.views.get_view_description',
+ # Exception handling
+ 'EXCEPTION_HANDLER': 'rest_framework.views.exception_handler',
+
# Testing
'TEST_REQUEST_RENDERER_CLASSES': (
'rest_framework.renderers.MultiPartRenderer',
@@ -125,6 +128,7 @@ IMPORT_STRINGS = (
'DEFAULT_MODEL_SERIALIZER_CLASS',
'DEFAULT_PAGINATION_SERIALIZER_CLASS',
'DEFAULT_FILTER_BACKENDS',
+ 'EXCEPTION_HANDLER',
'FILTER_BACKEND',
'TEST_REQUEST_RENDERER_CLASSES',
'UNAUTHENTICATED_USER',
diff --git a/rest_framework/tests/test_views.py b/rest_framework/tests/test_views.py
index c0bec5ae..65c7e50e 100644
--- a/rest_framework/tests/test_views.py
+++ b/rest_framework/tests/test_views.py
@@ -32,6 +32,16 @@ def basic_view(request):
return {'method': 'PATCH', 'data': request.DATA}
+class ErrorView(APIView):
+ def get(self, request, *args, **kwargs):
+ raise Exception
+
+
+@api_view(['GET'])
+def error_view(request):
+ raise Exception
+
+
def sanitise_json_error(error_dict):
"""
Exact contents of JSON error messages depend on the installed version
@@ -99,3 +109,34 @@ class FunctionBasedViewIntegrationTests(TestCase):
}
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertEqual(sanitise_json_error(response.data), expected)
+
+
+class TestCustomExceptionHandler(TestCase):
+ def setUp(self):
+ self.DEFAULT_HANDLER = api_settings.EXCEPTION_HANDLER
+
+ def exception_handler(exc):
+ return Response('Error!', status=status.HTTP_400_BAD_REQUEST)
+
+ api_settings.EXCEPTION_HANDLER = exception_handler
+
+ def tearDown(self):
+ api_settings.EXCEPTION_HANDLER = self.DEFAULT_HANDLER
+
+ def test_class_based_view_exception_handler(self):
+ view = ErrorView.as_view()
+
+ request = factory.get('/', content_type='application/json')
+ response = view(request)
+ expected = 'Error!'
+ self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+ self.assertEqual(response.data, expected)
+
+ def test_function_based_view_exception_handler(self):
+ view = error_view
+
+ request = factory.get('/', content_type='application/json')
+ response = view(request)
+ expected = 'Error!'
+ self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+ self.assertEqual(response.data, expected)
diff --git a/rest_framework/views.py b/rest_framework/views.py
index 4cff0422..853e6461 100644
--- a/rest_framework/views.py
+++ b/rest_framework/views.py
@@ -361,7 +361,7 @@ class APIView(View):
else:
exc.status_code = status.HTTP_403_FORBIDDEN
- response = exception_handler(exc)
+ response = self.settings.EXCEPTION_HANDLER(exc)
if response is None:
raise
--
cgit v1.2.3
From bae0ef6b5dcb0abf2be865340e5476aeab5ce137 Mon Sep 17 00:00:00 2001
From: Andy Freeland
Date: Fri, 6 Sep 2013 13:57:32 -0500
Subject: Add EXCEPTION_HANDLER docs to exception docs
---
docs/api-guide/exceptions.md | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/docs/api-guide/exceptions.md b/docs/api-guide/exceptions.md
index 8b3e50f1..fa5053df 100644
--- a/docs/api-guide/exceptions.md
+++ b/docs/api-guide/exceptions.md
@@ -30,9 +30,27 @@ Might receive an error response indicating that the `DELETE` method is not allow
HTTP/1.1 405 Method Not Allowed
Content-Type: application/json; charset=utf-8
Content-Length: 42
-
+
{"detail": "Method 'DELETE' not allowed."}
+## Custom exception handling
+
+To implement custom exception handling (e.g. to handle additional exception classes or to override the error response format), create an exception handler function with the following signature:
+
+ exception_handler(exc)
+
+* `exc`: The exception.
+
+If the function returns `None`, a 500 error will be raised.
+
+The exception handler is set globally, using the `EXCEPTION_HANDLER` setting. For example:
+
+ 'EXCEPTION_HANDLER': 'project.app.module.function'
+
+If not specified, this setting defaults to the exception handler described above:
+
+ 'EXCEPTION_HANDLER': 'rest_framework.views.exception_handler'
+
---
# API Reference
--
cgit v1.2.3
From b6c0c815aa75b3f2fe0fae3a2221e7d0e976418b Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Sat, 7 Sep 2013 20:45:43 +0100
Subject: Extra docs on custom exception handling.
---
docs/api-guide/exceptions.md | 43 ++++++++++++++++++++++++++++++++++---------
1 file changed, 34 insertions(+), 9 deletions(-)
diff --git a/docs/api-guide/exceptions.md b/docs/api-guide/exceptions.md
index fa5053df..0c48783a 100644
--- a/docs/api-guide/exceptions.md
+++ b/docs/api-guide/exceptions.md
@@ -28,28 +28,53 @@ For example, the following request:
Might receive an error response indicating that the `DELETE` method is not allowed on that resource:
HTTP/1.1 405 Method Not Allowed
- Content-Type: application/json; charset=utf-8
+ Content-Type: application/json
Content-Length: 42
{"detail": "Method 'DELETE' not allowed."}
## Custom exception handling
-To implement custom exception handling (e.g. to handle additional exception classes or to override the error response format), create an exception handler function with the following signature:
+You can implement custom exception handling by creating a handler function that converts exceptions raised in your API views into response objects. This allows you to control the style of error responses used by your API.
- exception_handler(exc)
+The function must take a single argument, which is the exception to be handled, and should either return a `Response` object, or return `None` if the exception cannot be handled. If the handler returns `None` then the exception will be re-raised and Django will return a standard HTTP 500 'server error' response.
-* `exc`: The exception.
+For example, you might want to ensure that all error responses include the HTTP status code in the body of the response, like so:
-If the function returns `None`, a 500 error will be raised.
+ HTTP/1.1 405 Method Not Allowed
+ Content-Type: application/json
+ Content-Length: 62
+
+ {"status_code": 405, "detail": "Method 'DELETE' not allowed."}
+
+In order to alter the style of the response, you could write the following custom exception handler:
+
+ from rest_framework.views import exception_handler
+
+ def custom_exception_handler(exc):
+ # Call REST framework's default exception handler first,
+ # to get the standard error response.
+ response = exception_handler(exc)
+
+ # Now add the HTTP status code to the response.
+ if response is not None:
+ response.data['status_code'] = response.status_code
+
+ return response
+
+The exception handler must also be configured in your settings, using the `EXCEPTION_HANDLER` setting key. For example:
-The exception handler is set globally, using the `EXCEPTION_HANDLER` setting. For example:
+ REST_FRAMEWORK = {
+ 'EXCEPTION_HANDLER': 'my_project.my_app.utils.custom_exception_handler'
+ }
- 'EXCEPTION_HANDLER': 'project.app.module.function'
+If not specified, the `'EXCEPTION_HANDLER'` setting defaults to the standard exception handler provided by REST framework:
-If not specified, this setting defaults to the exception handler described above:
+ REST_FRAMEWORK = {
+ 'EXCEPTION_HANDLER': 'rest_framework.views.exception_handler'
+ }
- 'EXCEPTION_HANDLER': 'rest_framework.views.exception_handler'
+Note that the exception handler will only be called for responses generated by raised exceptions. It will not be used for any responses returned directly by the view, such as the `HTTP_400_BAD_REQUEST` responses that are returned by the generic views when serializer validation fails.
---
--
cgit v1.2.3
From 57d6b5fb7c2652bb4c68edd1bcc95be736b06b31 Mon Sep 17 00:00:00 2001
From: bwreilly
Date: Sat, 7 Sep 2013 23:16:43 -0500
Subject: necessary test settings for guardian
---
rest_framework/runtests/settings.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/rest_framework/runtests/settings.py b/rest_framework/runtests/settings.py
index 6750376f..be721658 100644
--- a/rest_framework/runtests/settings.py
+++ b/rest_framework/runtests/settings.py
@@ -130,6 +130,10 @@ except ImportError:
pass
else:
ANONYMOUS_USER_ID = -1
+ AUTHENTICATION_BACKENDS = (
+ 'django.contrib.auth.backends.ModelBackend', # default
+ 'guardian.backends.ObjectPermissionBackend',
+ )
INSTALLED_APPS += (
'guardian',
)
--
cgit v1.2.3
From 118645e4806effaa35726012a983676b2c55b6dd Mon Sep 17 00:00:00 2001
From: bwreilly
Date: Sat, 7 Sep 2013 23:18:52 -0500
Subject: first pass at object level permissions and tests
---
rest_framework/permissions.py | 46 ++++++++++
rest_framework/tests/test_permissions.py | 146 +++++++++++++++++++++++--------
2 files changed, 156 insertions(+), 36 deletions(-)
diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py
index b67be414..2d8a30e9 100644
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@@ -7,6 +7,7 @@ import warnings
SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']
+from django.http import Http404
from rest_framework.compat import oauth2_provider_scope, oauth2_constants, guardian
@@ -152,9 +153,54 @@ class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):
class DjangoObjectLevelModelPermissions(DjangoModelPermissions):
+ """
+ Basic object level permissions utilizing django-guardian.
+ """
+
def __init__(self):
assert guardian, 'Using DjangoObjectLevelModelPermissions, but django-guardian is not installed'
+ action_perm_map = {
+ 'list': 'read',
+ 'retrieve': 'read',
+ 'create': 'add',
+ 'partial_update': 'change',
+ 'update': 'change',
+ 'destroy': 'delete',
+ }
+
+ def _get_names(self, view):
+ model_cls = getattr(view, 'model', None)
+ queryset = getattr(view, 'queryset', None)
+
+ if model_cls is None and queryset is not None:
+ model_cls = queryset.model
+ if not model_cls: # no model, no model based permissions
+ return None
+ model_name = model_cls._meta.module_name
+ return model_name
+
+ def has_permission(self, request, view):
+ if view.action == 'list':
+ user = request.user
+ queryset = view.get_queryset()
+ model_name = self._get_names(view)
+ view.queryset = guardian.shortcuts.get_objects_for_user(user, 'read_' + model_name, queryset) #TODO: move to filter
+ return super(DjangoObjectLevelModelPermissions, self).has_permission(request, view)
+
+ def has_object_permission(self, request, view, obj):
+ user = request.user
+ model_name = self._get_names(view)
+ action = self.action_perm_map.get(view.action)
+
+ assert action, "Tried to determine object permissions but no action specified in view"
+
+ perm = "{action}_{model_name}".format(action=action, model_name=model_name)
+ check = user.has_perm(perm, obj)
+ if not check:
+ raise Http404
+ return user.has_perm(perm, obj)
+
class TokenHasReadWriteScope(BasePermission):
"""
diff --git a/rest_framework/tests/test_permissions.py b/rest_framework/tests/test_permissions.py
index dcdb4eea..d64ab04e 100644
--- a/rest_framework/tests/test_permissions.py
+++ b/rest_framework/tests/test_permissions.py
@@ -1,12 +1,11 @@
from __future__ import unicode_literals
-from django.contrib.auth.models import User, Permission
+from django.contrib.auth.models import User, Permission, Group
from django.db import models
from django.test import TestCase
from rest_framework import generics, status, permissions, authentication, HTTP_HEADER_ENCODING
from rest_framework.compat import guardian
from rest_framework.test import APIRequestFactory
from rest_framework.tests.models import BasicModel
-from rest_framework.settings import api_settings
import base64
factory = APIRequestFactory()
@@ -142,67 +141,142 @@ class ModelPermissionsIntegrationTests(TestCase):
self.assertEqual(list(response.data['actions'].keys()), ['PUT'])
-class BasicPermModel(BasicModel):
+class BasicPermModel(models.Model):
+ text = models.CharField(max_length=100)
class Meta:
app_label = 'tests'
permissions = (
- ('read_basicpermmodel', "Can view basic perm model"),
+ ('read_basicpermmodel', 'Can view basic perm model'),
# add, change, delete built in to django
)
class ObjectPermissionInstanceView(generics.RetrieveUpdateDestroyAPIView):
- model = BasicModel
+ model = BasicPermModel
authentication_classes = [authentication.BasicAuthentication]
permission_classes = [permissions.DjangoObjectLevelModelPermissions]
-
object_permissions_view = ObjectPermissionInstanceView.as_view()
+class ObjectPermissionListView(generics.ListAPIView):
+ model = BasicPermModel
+ authentication_classes = [authentication.BasicAuthentication]
+ permission_classes = [permissions.DjangoObjectLevelModelPermissions]
+
+object_permissions_list_view = ObjectPermissionListView.as_view()
+
if guardian:
+ from guardian.shortcuts import assign_perm
+
class ObjectPermissionsIntegrationTests(TestCase):
"""
Integration tests for the object level permissions API.
"""
+ @classmethod
+ def setUpClass(cls):
+ # create users
+ create = User.objects.create_user
+ users = {
+ 'fullaccess': create('fullaccess', 'fullaccess@example.com', 'password'),
+ 'readonly': create('readonly', 'readonly@example.com', 'password'),
+ 'writeonly': create('writeonly', 'writeonly@example.com', 'password'),
+ 'deleteonly': create('deleteonly', 'deleteonly@example.com', 'password'),
+ }
+
+ # give everyone model level permissions, as we are not testing those
+ everyone = Group.objects.create(name='everyone')
+ model_name = BasicPermModel._meta.module_name
+ app_label = BasicPermModel._meta.app_label
+ f = '{0}_{1}'.format
+ perms = {
+ 'read': f('read', model_name),
+ 'change': f('change', model_name),
+ 'delete': f('delete', model_name)
+ }
+ for perm in perms.values():
+ perm = '{0}.{1}'.format(app_label, perm)
+ assign_perm(perm, everyone)
+ everyone.user_set.add(*users.values())
+
+ cls.perms = perms
+ cls.users = users
def setUp(self):
- # create users
- User.objects.create_user('no_permission', 'no_permission@example.com', 'password')
- reader = User.objects.create_user('reader', 'reader@example.com', 'password')
- writer = User.objects.create_user('writer', 'writer@example.com', 'password')
- full_access = User.objects.create_user('full_access', 'full_access@example.com', 'password')
-
- model = BasicPermModel.objects.create(text='foo')
+ perms = self.perms
+ users = self.users
- # assign permissions appropriately
- from guardian.shortcuts import assign_perm
+ # appropriate object level permissions
+ readers = Group.objects.create(name='readers')
+ writers = Group.objects.create(name='writers')
+ deleters = Group.objects.create(name='deleters')
- read = "read_basicpermmodel"
- write = "change_basicpermmodel"
- delete = "delete_basicpermmodel"
- app_label = 'tests.'
- # model level permissions
- assign_perm(app_label + delete, full_access, obj=model)
- (assign_perm(app_label + write, user, obj=model) for user in (writer, full_access))
- (assign_perm(app_label + read, user, obj=model) for user in (reader, writer, full_access))
+ model = BasicPermModel.objects.create(text='foo')
+
+ assign_perm(perms['read'], readers, model)
+ assign_perm(perms['change'], writers, model)
+ assign_perm(perms['delete'], deleters, model)
+
+ readers.user_set.add(users['fullaccess'], users['readonly'])
+ writers.user_set.add(users['fullaccess'], users['writeonly'])
+ deleters.user_set.add(users['fullaccess'], users['deleteonly'])
+
+ self.credentials = {}
+ for user in users.values():
+ self.credentials[user.username] = basic_auth_header(user.username, 'password')
+
+ # Delete
+ def test_can_delete_permissions(self):
+ request = factory.delete('/1', HTTP_AUTHORIZATION=self.credentials['deleteonly'])
+ object_permissions_view.cls.action = 'destroy'
+ response = object_permissions_view(request, pk='1')
+ self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
- # object level permissions
- assign_perm(delete, full_access, obj=model)
- (assign_perm(write, user, obj=model) for user in (writer, full_access))
- (assign_perm(read, user, obj=model) for user in (reader, writer, full_access))
+ def test_cannot_delete_permissions(self):
+ request = factory.delete('/1', HTTP_AUTHORIZATION=self.credentials['readonly'])
+ object_permissions_view.cls.action = 'destroy'
+ response = object_permissions_view(request, pk='1')
+ self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
- self.no_permission_credentials = basic_auth_header('no_permission', 'password')
- self.reader_credentials = basic_auth_header('reader', 'password')
- self.writer_credentials = basic_auth_header('writer', 'password')
- self.full_access_credentials = basic_auth_header('full_access', 'password')
+ # Update
+ def test_can_update_permissions(self):
+ request = factory.patch('/1', {'text': 'foobar'}, format='json',
+ HTTP_AUTHORIZATION=self.credentials['writeonly'])
+ object_permissions_view.cls.action = 'partial_update'
+ response = object_permissions_view(request, pk='1')
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+ self.assertEqual(response.data.get('text'), 'foobar')
+ def test_cannot_update_permissions(self):
+ request = factory.patch('/1', {'text': 'foobar'}, format='json',
+ HTTP_AUTHORIZATION=self.credentials['deleteonly'])
+ object_permissions_view.cls.action = 'partial_update'
+ response = object_permissions_view(request, pk='1')
+ self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
- def test_has_delete_permissions(self):
- request = factory.delete('/1', HTTP_AUTHORIZATION=self.full_access_credentials)
+ # Read
+ def test_can_read_permissions(self):
+ request = factory.get('/1', HTTP_AUTHORIZATION=self.credentials['readonly'])
+ object_permissions_view.cls.action = 'retrieve'
response = object_permissions_view(request, pk='1')
- self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
- def test_no_delete_permissions(self):
- request = factory.delete('/1', HTTP_AUTHORIZATION=self.writer_credentials)
+ def test_cannot_read_permissions(self):
+ request = factory.get('/1', HTTP_AUTHORIZATION=self.credentials['writeonly'])
+ object_permissions_view.cls.action = 'retrieve'
response = object_permissions_view(request, pk='1')
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+
+ # Read list
+ def test_can_read_list_permissions(self):
+ request = factory.get('/', HTTP_AUTHORIZATION=self.credentials['readonly'])
+ object_permissions_list_view.cls.action = 'list'
+ response = object_permissions_list_view(request)
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+ self.assertEqual(response.data[0].get('id'), 1)
+
+ def test_cannot_read_list_permissions(self):
+ request = factory.get('/', HTTP_AUTHORIZATION=self.credentials['writeonly'])
+ object_permissions_list_view.cls.action = 'list'
+ response = object_permissions_list_view(request)
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+ self.assertListEqual(response.data, [])
\ No newline at end of file
--
cgit v1.2.3
From 9ff0f6d3bff3c1d02d2ccaf4f1500e25cb97620d Mon Sep 17 00:00:00 2001
From: bwreilly
Date: Sat, 7 Sep 2013 23:48:03 -0500
Subject: switch to a dedicated filter for read list object permissions
---
rest_framework/filters.py | 18 +++++++++++++++++-
rest_framework/permissions.py | 13 ++++++-------
2 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/rest_framework/filters.py b/rest_framework/filters.py
index 4079e1bd..6d46ad23 100644
--- a/rest_framework/filters.py
+++ b/rest_framework/filters.py
@@ -4,7 +4,7 @@ returned by list views.
"""
from __future__ import unicode_literals
from django.db import models
-from rest_framework.compat import django_filters, six
+from rest_framework.compat import django_filters, six, guardian
from functools import reduce
import operator
@@ -23,6 +23,22 @@ class BaseFilterBackend(object):
raise NotImplementedError(".filter_queryset() must be overridden.")
+class ObjectPermissionReaderFilter(BaseFilterBackend):
+ """
+ A filter backend that limits results to those where the requesting user
+ has read object level permissions.
+ """
+ def __init__(self):
+ assert guardian, 'Using ObjectPermissionReaderFilter, but django-guardian is not installed'
+
+ def filter_queryset(self, request, queryset, view):
+ user = request.user
+ model_cls = queryset.model
+ model_name = model_cls._meta.module_name
+ permission = 'read_' + model_name
+ return guardian.shortcuts.get_objects_for_user(user, permission, queryset)
+
+
class DjangoFilterBackend(BaseFilterBackend):
"""
A filter backend that uses django-filter.
diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py
index 2d8a30e9..0d5e0e78 100644
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@@ -9,6 +9,7 @@ SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']
from django.http import Http404
from rest_framework.compat import oauth2_provider_scope, oauth2_constants, guardian
+from rest_framework.filters import ObjectPermissionReaderFilter
class BasePermission(object):
@@ -169,7 +170,7 @@ class DjangoObjectLevelModelPermissions(DjangoModelPermissions):
'destroy': 'delete',
}
- def _get_names(self, view):
+ def _get_model_name(self, view):
model_cls = getattr(view, 'model', None)
queryset = getattr(view, 'queryset', None)
@@ -182,19 +183,17 @@ class DjangoObjectLevelModelPermissions(DjangoModelPermissions):
def has_permission(self, request, view):
if view.action == 'list':
- user = request.user
queryset = view.get_queryset()
- model_name = self._get_names(view)
- view.queryset = guardian.shortcuts.get_objects_for_user(user, 'read_' + model_name, queryset) #TODO: move to filter
+ view.queryset = ObjectPermissionReaderFilter().filter_queryset(request, queryset, view)
return super(DjangoObjectLevelModelPermissions, self).has_permission(request, view)
def has_object_permission(self, request, view, obj):
- user = request.user
- model_name = self._get_names(view)
action = self.action_perm_map.get(view.action)
-
assert action, "Tried to determine object permissions but no action specified in view"
+ user = request.user
+ model_name = self._get_model_name(view)
+
perm = "{action}_{model_name}".format(action=action, model_name=model_name)
check = user.has_perm(perm, obj)
if not check:
--
cgit v1.2.3
From 0183c69538de7b6dc4e9b0602fc364e789e0cab6 Mon Sep 17 00:00:00 2001
From: bwreilly
Date: Mon, 9 Sep 2013 08:39:09 -0700
Subject: removed unnecessary guardian req and view.action parsing
---
rest_framework/permissions.py | 52 ++++++++++++++------------------
rest_framework/tests/test_permissions.py | 11 ++-----
2 files changed, 26 insertions(+), 37 deletions(-)
diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py
index 0d5e0e78..61a33bdd 100644
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@@ -8,8 +8,7 @@ import warnings
SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']
from django.http import Http404
-from rest_framework.compat import oauth2_provider_scope, oauth2_constants, guardian
-from rest_framework.filters import ObjectPermissionReaderFilter
+from rest_framework.compat import oauth2_provider_scope, oauth2_constants
class BasePermission(object):
@@ -158,47 +157,42 @@ class DjangoObjectLevelModelPermissions(DjangoModelPermissions):
Basic object level permissions utilizing django-guardian.
"""
- def __init__(self):
- assert guardian, 'Using DjangoObjectLevelModelPermissions, but django-guardian is not installed'
-
- action_perm_map = {
- 'list': 'read',
- 'retrieve': 'read',
- 'create': 'add',
- 'partial_update': 'change',
- 'update': 'change',
- 'destroy': 'delete',
+ actions_map = {
+ 'GET': ['read_%(model_name)s'],
+ 'OPTIONS': ['read_%(model_name)s'],
+ 'HEAD': ['read_%(model_name)s'],
+ 'POST': ['add_%(model_name)s'],
+ 'PUT': ['change_%(model_name)s'],
+ 'PATCH': ['change_%(model_name)s'],
+ 'DELETE': ['delete_%(model_name)s'],
}
- def _get_model_name(self, view):
- model_cls = getattr(view, 'model', None)
- queryset = getattr(view, 'queryset', None)
-
- if model_cls is None and queryset is not None:
- model_cls = queryset.model
- if not model_cls: # no model, no model based permissions
- return None
- model_name = model_cls._meta.module_name
- return model_name
+ def get_required_object_permissions(self, method, model_cls):
+ kwargs = {
+ 'model_name': model_cls._meta.module_name
+ }
+ return [perm % kwargs for perm in self.actions_map[method]]
def has_permission(self, request, view):
- if view.action == 'list':
+ if getattr(view, 'action', None) == 'list':
queryset = view.get_queryset()
view.queryset = ObjectPermissionReaderFilter().filter_queryset(request, queryset, view)
return super(DjangoObjectLevelModelPermissions, self).has_permission(request, view)
def has_object_permission(self, request, view, obj):
- action = self.action_perm_map.get(view.action)
- assert action, "Tried to determine object permissions but no action specified in view"
+ model_cls = getattr(view, 'model', None)
+ queryset = getattr(view, 'queryset', None)
+
+ if model_cls is None and queryset is not None:
+ model_cls = queryset.model
+ perms = self.get_required_object_permissions(request.method, model_cls)
user = request.user
- model_name = self._get_model_name(view)
- perm = "{action}_{model_name}".format(action=action, model_name=model_name)
- check = user.has_perm(perm, obj)
+ check = user.has_perms(perms, obj)
if not check:
raise Http404
- return user.has_perm(perm, obj)
+ return user.has_perms(perms, obj)
class TokenHasReadWriteScope(BasePermission):
diff --git a/rest_framework/tests/test_permissions.py b/rest_framework/tests/test_permissions.py
index d64ab04e..2d866cd0 100644
--- a/rest_framework/tests/test_permissions.py
+++ b/rest_framework/tests/test_permissions.py
@@ -4,6 +4,7 @@ from django.db import models
from django.test import TestCase
from rest_framework import generics, status, permissions, authentication, HTTP_HEADER_ENCODING
from rest_framework.compat import guardian
+from rest_framework.filters import ObjectPermissionReaderFilter
from rest_framework.test import APIRequestFactory
from rest_framework.tests.models import BasicModel
import base64
@@ -227,13 +228,11 @@ if guardian:
# Delete
def test_can_delete_permissions(self):
request = factory.delete('/1', HTTP_AUTHORIZATION=self.credentials['deleteonly'])
- object_permissions_view.cls.action = 'destroy'
response = object_permissions_view(request, pk='1')
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
def test_cannot_delete_permissions(self):
request = factory.delete('/1', HTTP_AUTHORIZATION=self.credentials['readonly'])
- object_permissions_view.cls.action = 'destroy'
response = object_permissions_view(request, pk='1')
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
@@ -241,7 +240,6 @@ if guardian:
def test_can_update_permissions(self):
request = factory.patch('/1', {'text': 'foobar'}, format='json',
HTTP_AUTHORIZATION=self.credentials['writeonly'])
- object_permissions_view.cls.action = 'partial_update'
response = object_permissions_view(request, pk='1')
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data.get('text'), 'foobar')
@@ -249,34 +247,31 @@ if guardian:
def test_cannot_update_permissions(self):
request = factory.patch('/1', {'text': 'foobar'}, format='json',
HTTP_AUTHORIZATION=self.credentials['deleteonly'])
- object_permissions_view.cls.action = 'partial_update'
response = object_permissions_view(request, pk='1')
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
# Read
def test_can_read_permissions(self):
request = factory.get('/1', HTTP_AUTHORIZATION=self.credentials['readonly'])
- object_permissions_view.cls.action = 'retrieve'
response = object_permissions_view(request, pk='1')
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_cannot_read_permissions(self):
request = factory.get('/1', HTTP_AUTHORIZATION=self.credentials['writeonly'])
- object_permissions_view.cls.action = 'retrieve'
response = object_permissions_view(request, pk='1')
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
# Read list
def test_can_read_list_permissions(self):
request = factory.get('/', HTTP_AUTHORIZATION=self.credentials['readonly'])
- object_permissions_list_view.cls.action = 'list'
+ object_permissions_list_view.cls.filter_backends = (ObjectPermissionReaderFilter,)
response = object_permissions_list_view(request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data[0].get('id'), 1)
def test_cannot_read_list_permissions(self):
request = factory.get('/', HTTP_AUTHORIZATION=self.credentials['writeonly'])
- object_permissions_list_view.cls.action = 'list'
+ object_permissions_list_view.cls.filter_backends = (ObjectPermissionReaderFilter,)
response = object_permissions_list_view(request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertListEqual(response.data, [])
\ No newline at end of file
--
cgit v1.2.3
From 23fc9dd53fcd9cc25e2c77e5ffae395f04d4990d Mon Sep 17 00:00:00 2001
From: bwreilly
Date: Mon, 9 Sep 2013 09:32:29 -0700
Subject: better doc for object permissions, drop redundant has_permission call
---
rest_framework/permissions.py | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py
index 61a33bdd..70bf9c61 100644
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@@ -154,7 +154,14 @@ class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):
class DjangoObjectLevelModelPermissions(DjangoModelPermissions):
"""
- Basic object level permissions utilizing django-guardian.
+ The request is authenticated using `django.contrib.auth` permissions.
+ See: https://docs.djangoproject.com/en/dev/topics/auth/#permissions
+
+ It ensures that the user is authenticated, and has the appropriate
+ `add`/`change`/`delete` permissions on the object using .has_perms.
+
+ This permission can only be applied against view classes that
+ provide a `.model` or `.queryset` attribute.
"""
actions_map = {
@@ -173,12 +180,6 @@ class DjangoObjectLevelModelPermissions(DjangoModelPermissions):
}
return [perm % kwargs for perm in self.actions_map[method]]
- def has_permission(self, request, view):
- if getattr(view, 'action', None) == 'list':
- queryset = view.get_queryset()
- view.queryset = ObjectPermissionReaderFilter().filter_queryset(request, queryset, view)
- return super(DjangoObjectLevelModelPermissions, self).has_permission(request, view)
-
def has_object_permission(self, request, view, obj):
model_cls = getattr(view, 'model', None)
queryset = getattr(view, 'queryset', None)
--
cgit v1.2.3
From f5c34926d6a4b4b29fb083d25b99b10d7431eee4 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Mon, 9 Sep 2013 20:41:54 +0100
Subject: Update release-notes.md
---
docs/topics/release-notes.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 708aef38..1f363310 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -42,6 +42,7 @@ You can determine your currently installed version using `pip freeze`:
### Master
+* Support customizable exception handling, using the `EXCEPTION_HANDLER` setting.
* Support customizable view name and description functions, using the `VIEW_NAME_FUNCTION` and `VIEW_DESCRIPTION_FUNCTION` settings.
* Added `MAX_PAGINATE_BY` setting and `max_paginate_by` generic view attribute.
* Added `cache` attribute to throttles to allow overriding of default cache.
--
cgit v1.2.3
From 222c1d1122b13940fa6072a1dfb89b25491ee6fb Mon Sep 17 00:00:00 2001
From: Michał Ociepka
Date: Tue, 10 Sep 2013 12:02:14 +0200
Subject: Add order_by to the AutoFilterSet
`AutoFilterSet` should contains `order_by` set to all by default.---
rest_framework/filters.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/rest_framework/filters.py b/rest_framework/filters.py
index 4079e1bd..1e58d173 100644
--- a/rest_framework/filters.py
+++ b/rest_framework/filters.py
@@ -53,6 +53,7 @@ class DjangoFilterBackend(BaseFilterBackend):
class Meta:
model = queryset.model
fields = filter_fields
+ order_by = True
return AutoFilterSet
return None
--
cgit v1.2.3
From 5970baa20112921217ae4f2c2a9f175df25922db Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Tue, 10 Sep 2013 21:00:13 +0100
Subject: Tweaks and docs to object-level model permissions.
---
docs/api-guide/filtering.md | 46 ++++++
docs/api-guide/permissions.md | 18 ++-
rest_framework/filters.py | 37 +++--
rest_framework/permissions.py | 47 ++++--
rest_framework/tests/test_permissions.py | 249 +++++++++++++++++--------------
5 files changed, 251 insertions(+), 146 deletions(-)
diff --git a/docs/api-guide/filtering.md b/docs/api-guide/filtering.md
index 649462da..859e8d52 100644
--- a/docs/api-guide/filtering.md
+++ b/docs/api-guide/filtering.md
@@ -257,6 +257,49 @@ The `ordering` attribute may be either a string or a list/tuple of strings.
---
+## DjangoObjectPermissionsFilter
+
+The `DjangoObjectPermissionsFilter` is intended to be used together with the [`django-guardian`][guardian] package, with custom `'view'` permissions added. The filter will ensure that querysets only returns objects for which the user has the appropriate view permission.
+
+This filter class must be used with views that provide either a `queryset` or a `model` attribute.
+
+If you're using `DjangoObjectPermissionsFilter`, you'll probably also want to add an appropriate object permissions class, to ensure that users can only operate on instances if they have the appropriate object permissions. The easiest way to do this is to subclass `DjangoObjectPermissions` and add `'view'` permissions to the `perms_map` attribute.
+
+A complete example using both `DjangoObjectPermissionsFilter` and `DjangoObjectPermissions` might look something like this.
+
+**permissions.py**:
+
+ class CustomObjectPermissions(permissions.DjangoObjectPermissions):
+ """
+ Similar to `DjangoObjectPermissions`, but adding 'view' permissions.
+ """
+ perms_map = {
+ 'GET': ['%(app_label)s.view_%(model_name)s'],
+ 'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
+ 'HEAD': ['%(app_label)s.view_%(model_name)s'],
+ 'POST': ['%(app_label)s.add_%(model_name)s'],
+ 'PUT': ['%(app_label)s.change_%(model_name)s'],
+ 'PATCH': ['%(app_label)s.change_%(model_name)s'],
+ 'DELETE': ['%(app_label)s.delete_%(model_name)s'],
+ }
+
+**views.py**:
+
+ class EventViewSet(viewsets.ModelViewSet):
+ """
+ Viewset that only lists events if user has 'view' permissions, and only
+ allows operations on individual events if user has appropriate 'view', 'add',
+ 'change' or 'delete' permissions.
+ """
+ queryset = Event.objects.all()
+ serializer = EventSerializer
+ filter_backends = (filters.DjangoObjectPermissionsFilter,)
+ permission_classes = (myapp.permissions.CustomObjectPermissions,)
+
+For more information on adding `'view'` permissions for models, see the [relevant section][view-permissions] of the `django-guardian` documentation, and [this blogpost][view-permissions-blogpost].
+
+---
+
# Custom generic filtering
You can also provide your own generic filtering backend, or write an installable app for other developers to use.
@@ -281,5 +324,8 @@ We could achieve the same behavior by overriding `get_queryset()` on the views,
[cite]: https://docs.djangoproject.com/en/dev/topics/db/queries/#retrieving-specific-objects-with-filters
[django-filter]: https://github.com/alex/django-filter
[django-filter-docs]: https://django-filter.readthedocs.org/en/latest/index.html
+[guardian]: http://pythonhosted.org/django-guardian/
+[view-permissions]: http://pythonhosted.org/django-guardian/userguide/assign.html
+[view-permissions-blogpost]: http://blog.nyaruka.com/adding-a-view-permission-to-django-models
[nullbooleanselect]: https://github.com/django/django/blob/master/django/forms/widgets.py
[search-django-admin]: https://docs.djangoproject.com/en/dev/ref/contrib/admin/#django.contrib.admin.ModelAdmin.search_fields
diff --git a/docs/api-guide/permissions.md b/docs/api-guide/permissions.md
index a7bf1555..871de84e 100644
--- a/docs/api-guide/permissions.md
+++ b/docs/api-guide/permissions.md
@@ -120,7 +120,21 @@ To use custom model permissions, override `DjangoModelPermissions` and set the `
## DjangoModelPermissionsOrAnonReadOnly
-Similar to `DjangoModelPermissions`, but also allows unauthenticated users to have read-only access to the API.
+Similar to `DjangoModelPermissions`, but also allows unauthenticated users to have read-only access to the API.
+
+## DjangoObjectPermissions
+
+This permission class ties into Django's standard [object permissions framework][objectpermissions] that allows per-object permissions on models. In order to use this permission class, you'll also need to add a permission backend that supports object-level permissions, such as [django-guardian][guardian].
+
+When applied to a view that has a `.model` property, authorization will only be granted if the user *is authenticated* and has the *relevant per-object permissions* and *relevant model permissions* assigned.
+
+* `POST` requests require the user to have the `add` permission on the model instance.
+* `PUT` and `PATCH` requests require the user to have the `change` permission on the model instance.
+* `DELETE` requests require the user to have the `delete` permission on the model instance.
+
+Note that `DjangoObjectPermissions` **does not** require the `django-guardian` package, and should support other object-level backends equally well.
+
+As with `DjangoModelPermissions` you can use custom model permissions by overriding `DjangoModelPermissions` and setting the `.perms_map` property. Refer to the source code for details. Note that if you add a custom `view` permission for `GET`, `HEAD` and `OPTIONS` requests, you'll probably also want to consider adding the `DjangoObjectPermissionsFilter` class to ensure that list endpoints only return results including objects for which the user has appropriate view permissions.
## TokenHasReadWriteScope
@@ -220,7 +234,9 @@ The [Composed Permissions][composed-permissions] package provides a simple way t
[authentication]: authentication.md
[throttling]: throttling.md
[contribauth]: https://docs.djangoproject.com/en/1.0/topics/auth/#permissions
+[objectpermissions]: https://docs.djangoproject.com/en/dev/topics/auth/customizing/#handling-object-permissions
[guardian]: https://github.com/lukaszb/django-guardian
+[get_objects_for_user]: http://pythonhosted.org/django-guardian/api/guardian.shortcuts.html#get-objects-for-user
[django-oauth-plus]: http://code.larlet.fr/django-oauth-plus
[django-oauth2-provider]: https://github.com/caffeinehit/django-oauth2-provider
[2.2-announcement]: ../topics/2.2-announcement.md
diff --git a/rest_framework/filters.py b/rest_framework/filters.py
index 6d46ad23..1693bcd2 100644
--- a/rest_framework/filters.py
+++ b/rest_framework/filters.py
@@ -23,22 +23,6 @@ class BaseFilterBackend(object):
raise NotImplementedError(".filter_queryset() must be overridden.")
-class ObjectPermissionReaderFilter(BaseFilterBackend):
- """
- A filter backend that limits results to those where the requesting user
- has read object level permissions.
- """
- def __init__(self):
- assert guardian, 'Using ObjectPermissionReaderFilter, but django-guardian is not installed'
-
- def filter_queryset(self, request, queryset, view):
- user = request.user
- model_cls = queryset.model
- model_name = model_cls._meta.module_name
- permission = 'read_' + model_name
- return guardian.shortcuts.get_objects_for_user(user, permission, queryset)
-
-
class DjangoFilterBackend(BaseFilterBackend):
"""
A filter backend that uses django-filter.
@@ -156,3 +140,24 @@ class OrderingFilter(BaseFilterBackend):
return queryset.order_by(*ordering)
return queryset
+
+
+class DjangoObjectPermissionsFilter(BaseFilterBackend):
+ """
+ A filter backend that limits results to those where the requesting user
+ has read object level permissions.
+ """
+ def __init__(self):
+ assert guardian, 'Using DjangoObjectPermissionsFilter, but django-guardian is not installed'
+
+ perm_format = '%(app_label)s.view_%(model_name)s'
+
+ def filter_queryset(self, request, queryset, view):
+ user = request.user
+ model_cls = queryset.model
+ kwargs = {
+ 'app_label': model_cls._meta.app_label,
+ 'model_name': model_cls._meta.module_name
+ }
+ permission = self.perm_format % kwargs
+ return guardian.shortcuts.get_objects_for_user(user, permission, queryset)
diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py
index 70bf9c61..53184798 100644
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@@ -152,10 +152,10 @@ class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):
authenticated_users_only = False
-class DjangoObjectLevelModelPermissions(DjangoModelPermissions):
+class DjangoObjectPermissions(DjangoModelPermissions):
"""
- The request is authenticated using `django.contrib.auth` permissions.
- See: https://docs.djangoproject.com/en/dev/topics/auth/#permissions
+ The request is authenticated using Django's object-level permissions.
+ It requires an object-permissions-enabled backend, such as Django Guardian.
It ensures that the user is authenticated, and has the appropriate
`add`/`change`/`delete` permissions on the object using .has_perms.
@@ -164,21 +164,22 @@ class DjangoObjectLevelModelPermissions(DjangoModelPermissions):
provide a `.model` or `.queryset` attribute.
"""
- actions_map = {
- 'GET': ['read_%(model_name)s'],
- 'OPTIONS': ['read_%(model_name)s'],
- 'HEAD': ['read_%(model_name)s'],
- 'POST': ['add_%(model_name)s'],
- 'PUT': ['change_%(model_name)s'],
- 'PATCH': ['change_%(model_name)s'],
- 'DELETE': ['delete_%(model_name)s'],
+ perms_map = {
+ 'GET': [],
+ 'OPTIONS': [],
+ 'HEAD': [],
+ 'POST': ['%(app_label)s.add_%(model_name)s'],
+ 'PUT': ['%(app_label)s.change_%(model_name)s'],
+ 'PATCH': ['%(app_label)s.change_%(model_name)s'],
+ 'DELETE': ['%(app_label)s.delete_%(model_name)s'],
}
def get_required_object_permissions(self, method, model_cls):
kwargs = {
+ 'app_label': model_cls._meta.app_label,
'model_name': model_cls._meta.module_name
}
- return [perm % kwargs for perm in self.actions_map[method]]
+ return [perm % kwargs for perm in self.perms_map[method]]
def has_object_permission(self, request, view, obj):
model_cls = getattr(view, 'model', None)
@@ -190,10 +191,24 @@ class DjangoObjectLevelModelPermissions(DjangoModelPermissions):
perms = self.get_required_object_permissions(request.method, model_cls)
user = request.user
- check = user.has_perms(perms, obj)
- if not check:
- raise Http404
- return user.has_perms(perms, obj)
+ if not user.has_perms(perms, obj):
+ # If the user does not have permissions we need to determine if
+ # they have read permissions to see 403, or not, and simply see
+ # a 404 reponse.
+
+ if request.method in ('GET', 'OPTIONS', 'HEAD'):
+ # Read permissions already checked and failed, no need
+ # to make another lookup.
+ raise Http404
+
+ read_perms = self.get_required_object_permissions('GET', model_cls)
+ if not user.has_perms(read_perms, obj):
+ raise Http404
+
+ # Has read permissions.
+ return False
+
+ return True
class TokenHasReadWriteScope(BasePermission):
diff --git a/rest_framework/tests/test_permissions.py b/rest_framework/tests/test_permissions.py
index 2d866cd0..d08124f4 100644
--- a/rest_framework/tests/test_permissions.py
+++ b/rest_framework/tests/test_permissions.py
@@ -2,9 +2,10 @@ from __future__ import unicode_literals
from django.contrib.auth.models import User, Permission, Group
from django.db import models
from django.test import TestCase
+from django.utils import unittest
from rest_framework import generics, status, permissions, authentication, HTTP_HEADER_ENCODING
from rest_framework.compat import guardian
-from rest_framework.filters import ObjectPermissionReaderFilter
+from rest_framework.filters import DjangoObjectPermissionsFilter
from rest_framework.test import APIRequestFactory
from rest_framework.tests.models import BasicModel
import base64
@@ -148,130 +149,152 @@ class BasicPermModel(models.Model):
class Meta:
app_label = 'tests'
permissions = (
- ('read_basicpermmodel', 'Can view basic perm model'),
+ ('view_basicpermmodel', 'Can view basic perm model'),
# add, change, delete built in to django
)
+# Custom object-level permission, that includes 'view' permissions
+class ViewObjectPermissions(permissions.DjangoObjectPermissions):
+ perms_map = {
+ 'GET': ['%(app_label)s.view_%(model_name)s'],
+ 'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
+ 'HEAD': ['%(app_label)s.view_%(model_name)s'],
+ 'POST': ['%(app_label)s.add_%(model_name)s'],
+ 'PUT': ['%(app_label)s.change_%(model_name)s'],
+ 'PATCH': ['%(app_label)s.change_%(model_name)s'],
+ 'DELETE': ['%(app_label)s.delete_%(model_name)s'],
+ }
+
+
class ObjectPermissionInstanceView(generics.RetrieveUpdateDestroyAPIView):
model = BasicPermModel
authentication_classes = [authentication.BasicAuthentication]
- permission_classes = [permissions.DjangoObjectLevelModelPermissions]
+ permission_classes = [ViewObjectPermissions]
object_permissions_view = ObjectPermissionInstanceView.as_view()
+
class ObjectPermissionListView(generics.ListAPIView):
model = BasicPermModel
authentication_classes = [authentication.BasicAuthentication]
- permission_classes = [permissions.DjangoObjectLevelModelPermissions]
+ permission_classes = [ViewObjectPermissions]
object_permissions_list_view = ObjectPermissionListView.as_view()
-if guardian:
- from guardian.shortcuts import assign_perm
-
- class ObjectPermissionsIntegrationTests(TestCase):
- """
- Integration tests for the object level permissions API.
- """
- @classmethod
- def setUpClass(cls):
- # create users
- create = User.objects.create_user
- users = {
- 'fullaccess': create('fullaccess', 'fullaccess@example.com', 'password'),
- 'readonly': create('readonly', 'readonly@example.com', 'password'),
- 'writeonly': create('writeonly', 'writeonly@example.com', 'password'),
- 'deleteonly': create('deleteonly', 'deleteonly@example.com', 'password'),
- }
-
- # give everyone model level permissions, as we are not testing those
- everyone = Group.objects.create(name='everyone')
- model_name = BasicPermModel._meta.module_name
- app_label = BasicPermModel._meta.app_label
- f = '{0}_{1}'.format
- perms = {
- 'read': f('read', model_name),
- 'change': f('change', model_name),
- 'delete': f('delete', model_name)
- }
- for perm in perms.values():
- perm = '{0}.{1}'.format(app_label, perm)
- assign_perm(perm, everyone)
- everyone.user_set.add(*users.values())
-
- cls.perms = perms
- cls.users = users
-
- def setUp(self):
- perms = self.perms
- users = self.users
-
- # appropriate object level permissions
- readers = Group.objects.create(name='readers')
- writers = Group.objects.create(name='writers')
- deleters = Group.objects.create(name='deleters')
-
- model = BasicPermModel.objects.create(text='foo')
-
- assign_perm(perms['read'], readers, model)
- assign_perm(perms['change'], writers, model)
- assign_perm(perms['delete'], deleters, model)
-
- readers.user_set.add(users['fullaccess'], users['readonly'])
- writers.user_set.add(users['fullaccess'], users['writeonly'])
- deleters.user_set.add(users['fullaccess'], users['deleteonly'])
-
- self.credentials = {}
- for user in users.values():
- self.credentials[user.username] = basic_auth_header(user.username, 'password')
-
- # Delete
- def test_can_delete_permissions(self):
- request = factory.delete('/1', HTTP_AUTHORIZATION=self.credentials['deleteonly'])
- response = object_permissions_view(request, pk='1')
- self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
-
- def test_cannot_delete_permissions(self):
- request = factory.delete('/1', HTTP_AUTHORIZATION=self.credentials['readonly'])
- response = object_permissions_view(request, pk='1')
- self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
-
- # Update
- def test_can_update_permissions(self):
- request = factory.patch('/1', {'text': 'foobar'}, format='json',
- HTTP_AUTHORIZATION=self.credentials['writeonly'])
- response = object_permissions_view(request, pk='1')
- self.assertEqual(response.status_code, status.HTTP_200_OK)
- self.assertEqual(response.data.get('text'), 'foobar')
-
- def test_cannot_update_permissions(self):
- request = factory.patch('/1', {'text': 'foobar'}, format='json',
- HTTP_AUTHORIZATION=self.credentials['deleteonly'])
- response = object_permissions_view(request, pk='1')
- self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
-
- # Read
- def test_can_read_permissions(self):
- request = factory.get('/1', HTTP_AUTHORIZATION=self.credentials['readonly'])
- response = object_permissions_view(request, pk='1')
- self.assertEqual(response.status_code, status.HTTP_200_OK)
-
- def test_cannot_read_permissions(self):
- request = factory.get('/1', HTTP_AUTHORIZATION=self.credentials['writeonly'])
- response = object_permissions_view(request, pk='1')
- self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
-
- # Read list
- def test_can_read_list_permissions(self):
- request = factory.get('/', HTTP_AUTHORIZATION=self.credentials['readonly'])
- object_permissions_list_view.cls.filter_backends = (ObjectPermissionReaderFilter,)
- response = object_permissions_list_view(request)
- self.assertEqual(response.status_code, status.HTTP_200_OK)
- self.assertEqual(response.data[0].get('id'), 1)
-
- def test_cannot_read_list_permissions(self):
- request = factory.get('/', HTTP_AUTHORIZATION=self.credentials['writeonly'])
- object_permissions_list_view.cls.filter_backends = (ObjectPermissionReaderFilter,)
- response = object_permissions_list_view(request)
- self.assertEqual(response.status_code, status.HTTP_200_OK)
- self.assertListEqual(response.data, [])
\ No newline at end of file
+
+@unittest.skipUnless(guardian, 'django-guardian not installed')
+class ObjectPermissionsIntegrationTests(TestCase):
+ """
+ Integration tests for the object level permissions API.
+ """
+ @classmethod
+ def setUpClass(cls):
+ from guardian.shortcuts import assign_perm
+
+ # create users
+ create = User.objects.create_user
+ users = {
+ 'fullaccess': create('fullaccess', 'fullaccess@example.com', 'password'),
+ 'readonly': create('readonly', 'readonly@example.com', 'password'),
+ 'writeonly': create('writeonly', 'writeonly@example.com', 'password'),
+ 'deleteonly': create('deleteonly', 'deleteonly@example.com', 'password'),
+ }
+
+ # give everyone model level permissions, as we are not testing those
+ everyone = Group.objects.create(name='everyone')
+ model_name = BasicPermModel._meta.module_name
+ app_label = BasicPermModel._meta.app_label
+ f = '{0}_{1}'.format
+ perms = {
+ 'view': f('view', model_name),
+ 'change': f('change', model_name),
+ 'delete': f('delete', model_name)
+ }
+ for perm in perms.values():
+ perm = '{0}.{1}'.format(app_label, perm)
+ assign_perm(perm, everyone)
+ everyone.user_set.add(*users.values())
+
+ cls.perms = perms
+ cls.users = users
+
+ def setUp(self):
+ from guardian.shortcuts import assign_perm
+ perms = self.perms
+ users = self.users
+
+ # appropriate object level permissions
+ readers = Group.objects.create(name='readers')
+ writers = Group.objects.create(name='writers')
+ deleters = Group.objects.create(name='deleters')
+
+ model = BasicPermModel.objects.create(text='foo')
+
+ assign_perm(perms['view'], readers, model)
+ assign_perm(perms['change'], writers, model)
+ assign_perm(perms['delete'], deleters, model)
+
+ readers.user_set.add(users['fullaccess'], users['readonly'])
+ writers.user_set.add(users['fullaccess'], users['writeonly'])
+ deleters.user_set.add(users['fullaccess'], users['deleteonly'])
+
+ self.credentials = {}
+ for user in users.values():
+ self.credentials[user.username] = basic_auth_header(user.username, 'password')
+
+ # Delete
+ def test_can_delete_permissions(self):
+ request = factory.delete('/1', HTTP_AUTHORIZATION=self.credentials['deleteonly'])
+ response = object_permissions_view(request, pk='1')
+ self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
+
+ def test_cannot_delete_permissions(self):
+ request = factory.delete('/1', HTTP_AUTHORIZATION=self.credentials['readonly'])
+ response = object_permissions_view(request, pk='1')
+ self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+ # Update
+ def test_can_update_permissions(self):
+ request = factory.patch('/1', {'text': 'foobar'}, format='json',
+ HTTP_AUTHORIZATION=self.credentials['writeonly'])
+ response = object_permissions_view(request, pk='1')
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+ self.assertEqual(response.data.get('text'), 'foobar')
+
+ def test_cannot_update_permissions(self):
+ request = factory.patch('/1', {'text': 'foobar'}, format='json',
+ HTTP_AUTHORIZATION=self.credentials['deleteonly'])
+ response = object_permissions_view(request, pk='1')
+ self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+
+ def test_cannot_update_permissions_non_existing(self):
+ request = factory.patch('/999', {'text': 'foobar'}, format='json',
+ HTTP_AUTHORIZATION=self.credentials['deleteonly'])
+ response = object_permissions_view(request, pk='999')
+ self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+
+ # Read
+ def test_can_read_permissions(self):
+ request = factory.get('/1', HTTP_AUTHORIZATION=self.credentials['readonly'])
+ response = object_permissions_view(request, pk='1')
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+ def test_cannot_read_permissions(self):
+ request = factory.get('/1', HTTP_AUTHORIZATION=self.credentials['writeonly'])
+ response = object_permissions_view(request, pk='1')
+ self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+
+ # Read list
+ def test_can_read_list_permissions(self):
+ request = factory.get('/', HTTP_AUTHORIZATION=self.credentials['readonly'])
+ object_permissions_list_view.cls.filter_backends = (DjangoObjectPermissionsFilter,)
+ response = object_permissions_list_view(request)
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+ self.assertEqual(response.data[0].get('id'), 1)
+
+ def test_cannot_read_list_permissions(self):
+ request = factory.get('/', HTTP_AUTHORIZATION=self.credentials['writeonly'])
+ object_permissions_list_view.cls.filter_backends = (DjangoObjectPermissionsFilter,)
+ response = object_permissions_list_view(request)
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+ self.assertListEqual(response.data, [])
--
cgit v1.2.3
From 101da4581083d75636b24c50638e7f288d1fe240 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Tue, 10 Sep 2013 21:06:42 +0100
Subject: Updated release notes
---
docs/topics/release-notes.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 1f363310..ff3dae09 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -42,6 +42,7 @@ You can determine your currently installed version using `pip freeze`:
### Master
+* Added `DjangoObjectPermissions`, and `DjangoObjectPermissionsFilter`.
* Support customizable exception handling, using the `EXCEPTION_HANDLER` setting.
* Support customizable view name and description functions, using the `VIEW_NAME_FUNCTION` and `VIEW_DESCRIPTION_FUNCTION` settings.
* Added `MAX_PAGINATE_BY` setting and `max_paginate_by` generic view attribute.
--
cgit v1.2.3
From a1d7ed20d256730492659f6ba6193faf1f12a581 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Tue, 10 Sep 2013 21:06:53 +0100
Subject: Add Django Guardian to travis testing
---
.travis.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.travis.yml b/.travis.yml
index 6a453241..d12479e9 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -18,6 +18,7 @@ install:
- "if [[ ${TRAVIS_PYTHON_VERSION::1} != '3' ]]; then pip install oauth2==1.5.211 --use-mirrors; fi"
- "if [[ ${TRAVIS_PYTHON_VERSION::1} != '3' ]]; then pip install django-oauth-plus==2.0 --use-mirrors; fi"
- "if [[ ${TRAVIS_PYTHON_VERSION::1} != '3' ]]; then pip install django-oauth2-provider==0.2.4 --use-mirrors; fi"
+ - "if [[ ${TRAVIS_PYTHON_VERSION::1} != '3' ]]; then pip install django-guardian==1.1.1 --use-mirrors; fi"
- "if [[ ${DJANGO::11} == 'django==1.3' ]]; then pip install django-filter==0.5.4 --use-mirrors; fi"
- "if [[ ${DJANGO::11} != 'django==1.3' ]]; then pip install django-filter==0.6 --use-mirrors; fi"
- export PYTHONPATH=.
--
cgit v1.2.3
From e021472a1667c4902000bb40e0c19f64160b1584 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Tue, 10 Sep 2013 21:07:20 +0100
Subject: Added @bwreilly for awesome work on #1093. Thanks!!!
---
docs/topics/credits.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/docs/topics/credits.md b/docs/topics/credits.md
index 07e2ec47..8269580e 100644
--- a/docs/topics/credits.md
+++ b/docs/topics/credits.md
@@ -167,6 +167,7 @@ The following people have helped make REST framework great.
* Andrey Antukh - [niwibe]
* Mathieu Pillard - [diox]
* Edmond Wong - [edmondwong]
+* Ben Reilly - [bwreilly]
Many thanks to everyone who's contributed to the project.
@@ -370,3 +371,4 @@ You can also contact [@_tomchristie][twitter] directly on twitter.
[niwibe]: https://github.com/niwibe
[diox]: https://github.com/diox
[edmondwong]: https://github.com/edmondwong
+[bwreilly]: https://github.com/bwreilly
--
cgit v1.2.3
From 195790e60b117eff421eb8f04a9f9f3527e797b8 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Wed, 11 Sep 2013 09:09:30 +0100
Subject: Version 2.3.8
---
docs/topics/release-notes.md | 4 +++-
rest_framework/__init__.py | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index ff3dae09..3b35d9ed 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -40,7 +40,9 @@ You can determine your currently installed version using `pip freeze`:
## 2.3.x series
-### Master
+### 2.3.8
+
+**Date**: 11th September 2013
* Added `DjangoObjectPermissions`, and `DjangoObjectPermissionsFilter`.
* Support customizable exception handling, using the `EXCEPTION_HANDLER` setting.
diff --git a/rest_framework/__init__.py b/rest_framework/__init__.py
index 087808e0..2bd2991b 100644
--- a/rest_framework/__init__.py
+++ b/rest_framework/__init__.py
@@ -1,4 +1,4 @@
-__version__ = '2.3.7'
+__version__ = '2.3.8'
VERSION = __version__ # synonym
--
cgit v1.2.3
From 2a6a2013df4fcb8e09425e9fa758b91b3a23b751 Mon Sep 17 00:00:00 2001
From: Diego Ponciano
Date: Wed, 11 Sep 2013 17:25:57 -0300
Subject: small typo correction on ViewSet example code
---
docs/api-guide/viewsets.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/api-guide/viewsets.md b/docs/api-guide/viewsets.md
index 2e65b7a4..1062cb32 100644
--- a/docs/api-guide/viewsets.md
+++ b/docs/api-guide/viewsets.md
@@ -23,7 +23,7 @@ Let's define a simple viewset that can be used to list or retrieve all the users
from django.shortcuts import get_object_or_404
from myapps.serializers import UserSerializer
from rest_framework import viewsets
- from rest_framewor.responses import Response
+ from rest_framework.response import Response
class UserViewSet(viewsets.ViewSet):
"""
--
cgit v1.2.3
From dfc430cabaf76a1b3382a614cc692e4a52b09bcd Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Thu, 12 Sep 2013 20:27:23 +0100
Subject: Fix django guardian link
---
docs/index.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/docs/index.md b/docs/index.md
index d83fbff1..bb2129f6 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -251,6 +251,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
[oauth2]: https://github.com/simplegeo/python-oauth2
[django-oauth-plus]: https://bitbucket.org/david/django-oauth-plus/wiki/Home
[django-oauth2-provider]: https://github.com/caffeinehit/django-oauth2-provider
+[django-guardian]: https://github.com/lukaszb/django-guardian
[0.4]: https://github.com/tomchristie/django-rest-framework/tree/0.4.X
[image]: img/quickstart.png
[index]: .
--
cgit v1.2.3
From 895beb89c60cea534f85b8a7749615755c4d43b5 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Thu, 12 Sep 2013 21:41:21 +0100
Subject: Note on '.model' as default only, with 'serializer_class', and
'queryset' attributes prefered. Closes #1100
---
docs/api-guide/generic-views.md | 2 +-
docs/topics/writable-nested-serializers.md | 47 ++++++++++++++++++++++++++++++
2 files changed, 48 insertions(+), 1 deletion(-)
create mode 100644 docs/topics/writable-nested-serializers.md
diff --git a/docs/api-guide/generic-views.md b/docs/api-guide/generic-views.md
index 7185b6b6..dc0076df 100755
--- a/docs/api-guide/generic-views.md
+++ b/docs/api-guide/generic-views.md
@@ -69,7 +69,7 @@ The following attributes control the basic view behavior.
**Shortcuts**:
-* `model` - This shortcut may be used instead of setting either (or both) of the `queryset`/`serializer_class` attributes, although using the explicit style is generally preferred. If used instead of `serializer_class`, then then `DEFAULT_MODEL_SERIALIZER_CLASS` setting will determine the base serializer class.
+* `model` - This shortcut may be used instead of setting either (or both) of the `queryset`/`serializer_class` attributes, although using the explicit style is generally preferred. If used instead of `serializer_class`, then then `DEFAULT_MODEL_SERIALIZER_CLASS` setting will determine the base serializer class. Note that `model` is only ever used for generating a default queryset or serializer class - the `queryset` and `serializer_class` attributes are always preferred if provided.
**Pagination**:
diff --git a/docs/topics/writable-nested-serializers.md b/docs/topics/writable-nested-serializers.md
new file mode 100644
index 00000000..66ea7815
--- /dev/null
+++ b/docs/topics/writable-nested-serializers.md
@@ -0,0 +1,47 @@
+> To save HTTP requests, it may be convenient to send related documents along with the request.
+>
+> — [JSON API specification for Ember Data][cite].
+
+# Writable nested serializers
+
+Although flat data structures serve to properly delineate between the individual entities in your service, there are cases where it may be more appropriate or convenient to use nested data structures.
+
+Nested data structures are easy enough to work with if they're read-only - simply nest your serializer classes and you're good to go. However, there are a few more subtleties to using writable nested serializers, due to the dependancies between the various model instances, and the need to save or delete multiple instances in a single action.
+
+## One-to-many data structures
+
+*Example of a **read-only** nested serializer. Nothing complex to worry about here.*
+
+ class ToDoItemSerializer(serializers.ModelSerializer):
+ class Meta:
+ model = ToDoItem
+ fields = ('text', 'is_completed')
+
+ class ToDoListSerializer(serializers.ModelSerializer):
+ items = ToDoItemSerializer(many=True, read_only=True)
+
+ class Meta:
+ model = ToDoList
+ fields = ('title', 'items')
+
+Some example output from our serializer.
+
+ {
+ 'title': 'Leaving party preperations',
+ 'items': {
+ {'text': 'Compile playlist', 'is_completed': True},
+ {'text': 'Send invites', 'is_completed': False},
+ {'text': 'Clean house', 'is_completed': False}
+ }
+ }
+
+Let's take a look at updating our nested one-to-many data structure.
+
+### Validation errors
+
+### Adding and removing items
+
+### Making PATCH requests
+
+
+[cite]: http://jsonapi.org/format/#url-based-json-api
\ No newline at end of file
--
cgit v1.2.3
From d489c5c88144a25ef0d61fb8deb0b77f3a061480 Mon Sep 17 00:00:00 2001
From: David Pretty
Date: Fri, 13 Sep 2013 13:36:18 +1000
Subject: Let JSONEncoder handle Numpy data types.
json.JSONEncoder cannot serialize Numpy data types. Numpy arrays
and array scalars have a tolist() method which casts the object to
a standard python data type.
---
rest_framework/utils/encoders.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rest_framework/utils/encoders.py b/rest_framework/utils/encoders.py
index b26a2085..7efd5417 100644
--- a/rest_framework/utils/encoders.py
+++ b/rest_framework/utils/encoders.py
@@ -42,6 +42,8 @@ class JSONEncoder(json.JSONEncoder):
return str(o.total_seconds())
elif isinstance(o, decimal.Decimal):
return str(o)
+ elif hasattr(o, 'tolist'):
+ return o.tolist()
elif hasattr(o, '__iter__'):
return [i for i in o]
return super(JSONEncoder, self).default(o)
--
cgit v1.2.3
From 0de1a1a0ad0ff96292b14d707730dc47b1943c26 Mon Sep 17 00:00:00 2001
From: Rajiv Bose
Date: Fri, 13 Sep 2013 11:55:16 +0100
Subject: Typo in strings referring to Python package, django-filter.
On skip of django_filters related unit-tests the reason given states the Python package 'django-filters' is not install.
However, the Python package required to run django_filters related tests is 'django-filter'.
---
rest_framework/tests/test_filters.py | 14 +++++++-------
rest_framework/tests/test_pagination.py | 2 +-
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/rest_framework/tests/test_filters.py b/rest_framework/tests/test_filters.py
index c9d9e7ff..379db29d 100644
--- a/rest_framework/tests/test_filters.py
+++ b/rest_framework/tests/test_filters.py
@@ -113,7 +113,7 @@ class IntegrationTestFiltering(CommonFilteringTestCase):
Integration tests for filtered list views.
"""
- @unittest.skipUnless(django_filters, 'django-filters not installed')
+ @unittest.skipUnless(django_filters, 'django-filter not installed')
def test_get_filtered_fields_root_view(self):
"""
GET requests to paginated ListCreateAPIView should return paginated results.
@@ -142,7 +142,7 @@ class IntegrationTestFiltering(CommonFilteringTestCase):
expected_data = [f for f in self.data if f['date'] == search_date]
self.assertEqual(response.data, expected_data)
- @unittest.skipUnless(django_filters, 'django-filters not installed')
+ @unittest.skipUnless(django_filters, 'django-filter not installed')
def test_filter_with_queryset(self):
"""
Regression test for #814.
@@ -157,7 +157,7 @@ class IntegrationTestFiltering(CommonFilteringTestCase):
expected_data = [f for f in self.data if f['decimal'] == search_decimal]
self.assertEqual(response.data, expected_data)
- @unittest.skipUnless(django_filters, 'django-filters not installed')
+ @unittest.skipUnless(django_filters, 'django-filter not installed')
def test_filter_with_get_queryset_only(self):
"""
Regression test for #834.
@@ -168,7 +168,7 @@ class IntegrationTestFiltering(CommonFilteringTestCase):
# Used to raise "issubclass() arg 2 must be a class or tuple of classes"
# here when neither `model' nor `queryset' was specified.
- @unittest.skipUnless(django_filters, 'django-filters not installed')
+ @unittest.skipUnless(django_filters, 'django-filter not installed')
def test_get_filtered_class_root_view(self):
"""
GET requests to filtered ListCreateAPIView that have a filter_class set
@@ -216,7 +216,7 @@ class IntegrationTestFiltering(CommonFilteringTestCase):
f['decimal'] < search_decimal]
self.assertEqual(response.data, expected_data)
- @unittest.skipUnless(django_filters, 'django-filters not installed')
+ @unittest.skipUnless(django_filters, 'django-filter not installed')
def test_incorrectly_configured_filter(self):
"""
An error should be displayed when the filter class is misconfigured.
@@ -226,7 +226,7 @@ class IntegrationTestFiltering(CommonFilteringTestCase):
request = factory.get('/')
self.assertRaises(AssertionError, view, request)
- @unittest.skipUnless(django_filters, 'django-filters not installed')
+ @unittest.skipUnless(django_filters, 'django-filter not installed')
def test_unknown_filter(self):
"""
GET requests with filters that aren't configured should return 200.
@@ -248,7 +248,7 @@ class IntegrationTestDetailFiltering(CommonFilteringTestCase):
def _get_url(self, item):
return reverse('detail-view', kwargs=dict(pk=item.pk))
- @unittest.skipUnless(django_filters, 'django-filters not installed')
+ @unittest.skipUnless(django_filters, 'django-filter not installed')
def test_get_filtered_detail_view(self):
"""
GET requests to filtered RetrieveAPIView that have a filter_class set
diff --git a/rest_framework/tests/test_pagination.py b/rest_framework/tests/test_pagination.py
index 4170d4b6..d6bc7895 100644
--- a/rest_framework/tests/test_pagination.py
+++ b/rest_framework/tests/test_pagination.py
@@ -122,7 +122,7 @@ class IntegrationTestPaginationAndFiltering(TestCase):
for obj in self.objects.all()
]
- @unittest.skipUnless(django_filters, 'django-filters not installed')
+ @unittest.skipUnless(django_filters, 'django-filter not installed')
def test_get_django_filter_paginated_filtered_root_view(self):
"""
GET requests to paginated filtered ListCreateAPIView should return
--
cgit v1.2.3
From bb3261ca489104e3dea434aa11d76f370e938ca8 Mon Sep 17 00:00:00 2001
From: Tai Lee
Date: Fri, 13 Sep 2013 22:51:11 +1000
Subject: Fixed #1105 -- Add hook for custom context in `BrowsableAPIRenderer`.
Replace hard coded response status check with `allow_form` context
variable, so that it can be overridden in a custom renderer class.
---
rest_framework/renderers.py | 47 +++++++++++------------
rest_framework/templates/rest_framework/base.html | 2 +-
2 files changed, 23 insertions(+), 26 deletions(-)
diff --git a/rest_framework/renderers.py b/rest_framework/renderers.py
index fca67eee..6597123f 100644
--- a/rest_framework/renderers.py
+++ b/rest_framework/renderers.py
@@ -564,9 +564,9 @@ class BrowsableAPIRenderer(BaseRenderer):
def get_breadcrumbs(self, request):
return get_breadcrumbs(request.path)
- def render(self, data, accepted_media_type=None, renderer_context=None):
+ def get_context(self, data, accepted_media_type, renderer_context):
"""
- Render the HTML for the browsable API representation.
+ Returns the context used to render.
"""
self.accepted_media_type = accepted_media_type or ''
self.renderer_context = renderer_context or {}
@@ -576,55 +576,52 @@ class BrowsableAPIRenderer(BaseRenderer):
response = renderer_context['response']
renderer = self.get_default_renderer(view)
- content = self.get_content(renderer, data, accepted_media_type, renderer_context)
-
- put_form = self.get_rendered_html_form(view, 'PUT', request)
- post_form = self.get_rendered_html_form(view, 'POST', request)
- patch_form = self.get_rendered_html_form(view, 'PATCH', request)
- delete_form = self.get_rendered_html_form(view, 'DELETE', request)
- options_form = self.get_rendered_html_form(view, 'OPTIONS', request)
raw_data_put_form = self.get_raw_data_form(view, 'PUT', request)
- raw_data_post_form = self.get_raw_data_form(view, 'POST', request)
raw_data_patch_form = self.get_raw_data_form(view, 'PATCH', request)
raw_data_put_or_patch_form = raw_data_put_form or raw_data_patch_form
- name = self.get_name(view)
- description = self.get_description(view)
- breadcrumb_list = self.get_breadcrumbs(request)
-
- template = loader.get_template(self.template)
context = RequestContext(request, {
- 'content': content,
+ 'content': self.get_content(renderer, data, accepted_media_type, renderer_context),
'view': view,
'request': request,
'response': response,
- 'description': description,
- 'name': name,
+ 'description': self.get_description(view),
+ 'name': self.get_name(view),
'version': VERSION,
- 'breadcrumblist': breadcrumb_list,
+ 'breadcrumblist': self.get_breadcrumbs(request),
'allowed_methods': view.allowed_methods,
'available_formats': [renderer.format for renderer in view.renderer_classes],
- 'put_form': put_form,
- 'post_form': post_form,
- 'patch_form': patch_form,
- 'delete_form': delete_form,
- 'options_form': options_form,
+ 'put_form': self.get_rendered_html_form(view, 'PUT', request),
+ 'post_form': self.get_rendered_html_form(view, 'POST', request),
+ 'patch_form': self.get_rendered_html_form(view, 'PATCH', request),
+ 'delete_form': self.get_rendered_html_form(view, 'DELETE', request),
+ 'options_form': self.get_rendered_html_form(view, 'OPTIONS', request),
'raw_data_put_form': raw_data_put_form,
- 'raw_data_post_form': raw_data_post_form,
+ 'raw_data_post_form': self.get_raw_data_form(view, 'POST', request),
'raw_data_patch_form': raw_data_patch_form,
'raw_data_put_or_patch_form': raw_data_put_or_patch_form,
+ 'allow_form': bool(response.status_code != 403),
+
'api_settings': api_settings
})
+ return context
+ def render(self, data, accepted_media_type=None, renderer_context=None):
+ """
+ Render the HTML for the browsable API representation.
+ """
+ template = loader.get_template(self.template)
+ context = self.get_context(data, accepted_media_type, renderer_context)
ret = template.render(context)
# Munge DELETE Response code to allow us to return content
# (Do this *after* we've rendered the template so that we include
# the normal deletion response code in the output)
+ response = renderer_context['response']
if response.status_code == status.HTTP_204_NO_CONTENT:
response.status_code = status.HTTP_200_OK
diff --git a/rest_framework/templates/rest_framework/base.html b/rest_framework/templates/rest_framework/base.html
index aa90e90c..88e58deb 100644
--- a/rest_framework/templates/rest_framework/base.html
+++ b/rest_framework/templates/rest_framework/base.html
@@ -122,7 +122,7 @@
- {% if response.status_code != 403 %}
+ {% if allow_form %}
{% if post_form or raw_data_post_form %}
--
cgit v1.2.3
From a9dbd46c9470003a1dd41e66a113d50b0217a110 Mon Sep 17 00:00:00 2001
From: Tai Lee
Date: Sat, 14 Sep 2013 00:54:44 +1000
Subject: Refs #1109 -- Update docs. Integrate changes from feedback.
---
docs/topics/browsable-api.md | 3 +++
rest_framework/renderers.py | 13 +++++++------
rest_framework/templates/rest_framework/base.html | 2 +-
3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/docs/topics/browsable-api.md b/docs/topics/browsable-api.md
index b2c78f3c..e32db695 100644
--- a/docs/topics/browsable-api.md
+++ b/docs/topics/browsable-api.md
@@ -115,6 +115,7 @@ The context that's available to the template:
* `name` : The name of the resource
* `post_form` : A form instance for use by the POST form (if allowed)
* `put_form` : A form instance for use by the PUT form (if allowed)
+* `display_edit_forms` : A boolean indicating whether or not POST, PUT and PATCH forms will be displayed
* `request` : The request object
* `response` : The response object
* `version` : The version of Django REST Framework
@@ -122,6 +123,8 @@ The context that's available to the template:
* `FORMAT_PARAM` : The view can accept a format override
* `METHOD_PARAM` : The view can accept a method override
+You can override the `BrowsableAPIRenderer.get_context()` method to customise the context that gets passed to the template.
+
#### Not using base.html
For more advanced customization, such as not having a Bootstrap basis or tighter integration with the rest of your site, you can simply choose not to have `api.html` extend `base.html`. Then the page content and capabilities are entirely up to you.
diff --git a/rest_framework/renderers.py b/rest_framework/renderers.py
index 6597123f..2ce51e97 100644
--- a/rest_framework/renderers.py
+++ b/rest_framework/renderers.py
@@ -568,9 +568,6 @@ class BrowsableAPIRenderer(BaseRenderer):
"""
Returns the context used to render.
"""
- self.accepted_media_type = accepted_media_type or ''
- self.renderer_context = renderer_context or {}
-
view = renderer_context['view']
request = renderer_context['request']
response = renderer_context['response']
@@ -581,7 +578,7 @@ class BrowsableAPIRenderer(BaseRenderer):
raw_data_patch_form = self.get_raw_data_form(view, 'PATCH', request)
raw_data_put_or_patch_form = raw_data_put_form or raw_data_patch_form
- context = RequestContext(request, {
+ context = {
'content': self.get_content(renderer, data, accepted_media_type, renderer_context),
'view': view,
'request': request,
@@ -604,18 +601,22 @@ class BrowsableAPIRenderer(BaseRenderer):
'raw_data_patch_form': raw_data_patch_form,
'raw_data_put_or_patch_form': raw_data_put_or_patch_form,
- 'allow_form': bool(response.status_code != 403),
+ 'display_edit_forms': bool(response.status_code != 403),
'api_settings': api_settings
- })
+ }
return context
def render(self, data, accepted_media_type=None, renderer_context=None):
"""
Render the HTML for the browsable API representation.
"""
+ self.accepted_media_type = accepted_media_type or ''
+ self.renderer_context = renderer_context or {}
+
template = loader.get_template(self.template)
context = self.get_context(data, accepted_media_type, renderer_context)
+ context = RequestContext(renderer_context['request'], context)
ret = template.render(context)
# Munge DELETE Response code to allow us to return content
diff --git a/rest_framework/templates/rest_framework/base.html b/rest_framework/templates/rest_framework/base.html
index 88e58deb..2776d550 100644
--- a/rest_framework/templates/rest_framework/base.html
+++ b/rest_framework/templates/rest_framework/base.html
@@ -122,7 +122,7 @@
- {% if allow_form %}
+ {% if display_edit_forms %}
{% if post_form or raw_data_post_form %}
--
cgit v1.2.3
From d75ecb3d69d01849685864341c89d59e6a3121cd Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Fri, 13 Sep 2013 19:40:58 +0100
Subject: Added @mrmachine. Thanks!
For work on #1109.
---
docs/topics/credits.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/docs/topics/credits.md b/docs/topics/credits.md
index 8269580e..4483f170 100644
--- a/docs/topics/credits.md
+++ b/docs/topics/credits.md
@@ -168,6 +168,7 @@ The following people have helped make REST framework great.
* Mathieu Pillard - [diox]
* Edmond Wong - [edmondwong]
* Ben Reilly - [bwreilly]
+* Tai Lee - [mrmachine]
Many thanks to everyone who's contributed to the project.
@@ -372,3 +373,4 @@ You can also contact [@_tomchristie][twitter] directly on twitter.
[diox]: https://github.com/diox
[edmondwong]: https://github.com/edmondwong
[bwreilly]: https://github.com/bwreilly
+[mrmachine]: https://github.com/mrmachine
--
cgit v1.2.3
From e8c6cd5622f62fcf2d4cf2b28b504fe5ff5228f9 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Fri, 13 Sep 2013 19:43:15 +0100
Subject: Update release notes.
---
docs/topics/release-notes.md | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 3b35d9ed..e4294ae3 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -40,6 +40,11 @@ You can determine your currently installed version using `pip freeze`:
## 2.3.x series
+### Master
+
+* Added JSON renderer support for numpy scalars.
+* Added `get_context` hook in `BrowsableAPIRenderer`.
+
### 2.3.8
**Date**: 11th September 2013
--
cgit v1.2.3