From 29136ef2c6338b8dbc9f7cf9c4dd75867a6bfa9f Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Sun, 10 Feb 2013 16:50:46 +0000
Subject: Enforce PUT-as-create permissions
---
 rest_framework/mixins.py | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'rest_framework/mixins.py')
diff --git a/rest_framework/mixins.py b/rest_framework/mixins.py
index 61ac225b..ce633112 100644
--- a/rest_framework/mixins.py
+++ b/rest_framework/mixins.py
@@ -9,6 +9,7 @@ from __future__ import unicode_literals
 from django.http import Http404
 from rest_framework import status
 from rest_framework.response import Response
+from rest_framework.request import clone_request


 class CreateModelMixin(object):
@@ -90,6 +91,10 @@ class UpdateModelMixin(object):
 try:
 self.object = self.get_object()
 except Http404:
+ # If this is a PUT-as-create operation, we need to ensure that
+ # we have relevant permissions, as if this was a POST request.
+ if not self.has_permission(clone_request(request, 'POST')):
+ self.permission_denied(self.request)
 created = True
 success_status_code = status.HTTP_201_CREATED
 else:
--
cgit v1.2.3
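Review bot: In the second hunk, the added `except Http404:` branch checks permission on the `request` argument (`clone_request(request, 'POST')`) but reports the denial with `self.permission_denied(self.request)`. Using the same object in both places, `self.permission_denied(request)`, stops the check and the denial from diverging if the two ever differ. The check passes no object to `has_permission`, so it appears to enforce only view-level POST permission for the instance about to be created; if object-level rules are expected to apply to creates, the comment should say that they are not evaluated here. This page is limited to `rest_framework/mixins.py`, so it does not show whether a test covers a user who may update but not create sending a PUT to a missing id; a test asserting a 403 and no new row would pin the behaviour. The enclosing `update()` method starts and ends outside the hunk, so whether other methods routed through it (for example a partial update) also reach this create branch cannot be confirmed from here.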