From e677f3ee5c9435594ce58a3256a119c08bdc1e42 Mon Sep 17 00:00:00 2001
From: Krzysztof Jurewicz
Date: Tue, 13 Aug 2013 13:26:30 +0200
Subject: PATCH requests should not be able to create objects.
---
 rest_framework/mixins.py | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
(limited to 'rest_framework/mixins.py')
diff --git a/rest_framework/mixins.py b/rest_framework/mixins.py
index f11def6d..59d64469 100644
--- a/rest_framework/mixins.py
+++ b/rest_framework/mixins.py
@@ -142,11 +142,14 @@ class UpdateModelMixin(object):
 try:
 return self.get_object()
 except Http404:
- # If this is a PUT-as-create operation, we need to ensure that
- # we have relevant permissions, as if this was a POST request.
- # This will either raise a PermissionDenied exception,
- # or simply return None
- self.check_permissions(clone_request(self.request, 'POST'))
+ if self.request.method == 'PUT':
+ # For PUT-as-create operation, we need to ensure that we have
+ # relevant permissions, as if this was a POST request. This
+ # will either raise a PermissionDenied exception, or simply
+ # return None.
+ self.check_permissions(clone_request(self.request, 'POST'))
+ else:
+ raise

 def pre_save(self, obj):
 """
--
cgit v1.2.3
From e7927e9bca5bc0d0ac3b528e68244c713c5df97f Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Fri, 23 Aug 2013 13:35:50 +0100
Subject: Extra docs on PATCH with no object.
---
 rest_framework/mixins.py | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'rest_framework/mixins.py')
diff --git a/rest_framework/mixins.py b/rest_framework/mixins.py
index 59d64469..426865ff 100644
--- a/rest_framework/mixins.py
+++ b/rest_framework/mixins.py
@@ -149,6 +149,8 @@ class UpdateModelMixin(object):
 # return None.
 self.check_permissions(clone_request(self.request, 'POST'))
 else:
+ # PATCH requests where the object does not exist should still
+ # return a 404 response.
 raise

 def pre_save(self, obj):
--
cgit v1.2.3
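Review bot: The method patched in the first hunk (`@@ -142,11 +142,14 @@`) now has three outcomes, but nothing in the visible code states that contract; its `def` line sits above the hunk, so I cannot see whether a docstring exists. After the change it returns the object, returns None only when `self.request.method == 'PUT'` and the POST-permission check passes, and re-raises Http404 for every other method. Callers presumably treat None as permission to create, so the default-deny `else: raise` is the security-relevant part and deserves to be written down. I would add a docstring along the lines of `"""Return the object; return None only for PUT-as-create after the POST permission check; otherwise re-raise Http404."""`. The comment added by the second patch explains the PATCH case on the bare `raise` but not this overall rule.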