flask-mongorest

has_add_permission() cannot prevent object creation

Open lfagundes opened this issue 5 years ago • 1 comments

On views.py:162, the object is created without save=True, so it's saved in the database before has_add_permission is called, 5 lines below.

I tried to create a PR with a fix, by first calling create_object(save=False), then self._resource.save_object(obj). But on tests/init.py:304 there's an explicit expectation that the unauthorized object has been saved.

Is this really the expected behavior?

lfagundes Jul 23 '20 23:07

Hi @lfagundes, good catch! It's definitely not expected that you can persist an object w/o having an "add" permission. If tests need altering to reflect this, then feel very welcome to change them.

wojcikstefan Jul 03 '20 12:08
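The ordering discussed in this thread, modelled as an added stand-alone example (not flask-mongorest code and not part of either comment). Only the names create_object, save_object, has_add_permission and _resource come from the issue; FakeResource, FakeView, the in-memory list standing in for MongoDB, the simplified has_add_permission signature and the owner-based policy are assumptions made for illustration.

```python
# Added illustration: a stand-alone model of the ordering bug, not flask-mongorest code.
class Unauthorized(Exception):
    pass


class FakeResource:
    """Hypothetical stand-in for a resource; a list replaces MongoDB."""

    def __init__(self):
        self.db = []  # persisted objects

    def create_object(self, data, save=True):
        obj = dict(data)
        if save:
            self.save_object(obj)
        return obj

    def save_object(self, obj):
        self.db.append(obj)


class FakeView:
    """Hypothetical view whose policy only lets 'alice' add objects."""

    def __init__(self):
        self._resource = FakeResource()

    def has_add_permission(self, obj):
        return obj.get("owner") == "alice"

    def post_check_after_save(self, data):
        # Order reported in the issue: persisted first, permission checked later.
        obj = self._resource.create_object(data)
        if not self.has_add_permission(obj):
            raise Unauthorized("add not permitted")  # too late, already stored
        return obj

    def post_check_before_save(self, data):
        # Order proposed in the issue: build unsaved, check, then persist.
        obj = self._resource.create_object(data, save=False)
        if not self.has_add_permission(obj):
            raise Unauthorized("add not permitted")
        self._resource.save_object(obj)
        return obj


def stored_after_post(method_name, owner):
    """Return how many objects are persisted after one POST by `owner`."""
    view = FakeView()
    try:
        getattr(view, method_name)({"owner": owner, "title": "constructed sample"})
    except Unauthorized:
        pass
    return len(view._resource.db)
```

A regression test for the fix would assert on the stored-object count after a rejected request, not only on the error returned to the client.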