DjangoModelPermissions does not respect Django `can_read_model` permission
Checklist
- [x] I have verified that the issue exists against the master branch of Django REST framework.
- [x] I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
- [x] This is not a usage question. (Those should be directed to the discussion group instead.)
- [x] This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
- [x] I have reduced the issue to the simplest possible case.
- [ ] I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)
Steps to reproduce
Use DjangoModelPermissions on a ViewSet, and access with a user that does not have can_view_<model> permission.
Expected behavior
The user should not be able to view the model, as they don't have the required permission.
Actual behavior
All authenticated users are granted read-only permission.
Pre-Django 2.1 there wasn't a built-in "read-only" permission. The framework chooses "fail-open" instead of "fail-close" here, which isn't the default that I'd expect; however now that there is an explicit can_read_model permission, I think it's clear that the DjangoModelPermissions model should respect it.
This would be a breaking change, since any code that's depending on the default read-only behaviour would break. Is that desirable?
The fix itself is trivial.
Breaking back-compat might not be desirable; if so would it be worth adding a subclass that does respect the permission? Something like this would be an option:
```python
from rest_framework.permissions import DjangoModelPermissions


class DjangoModelPermissionsStrict(DjangoModelPermissions):
    # Same mapping as the parent class, except that GET now requires the
    # Django 2.1+ "view" permission instead of an empty (always-satisfied) list.
    perms_map = {
        'GET': ['%(app_label)s.view_%(model_name)s'],
        'OPTIONS': [],
        'HEAD': [],
        'POST': ['%(app_label)s.add_%(model_name)s'],
        'PUT': ['%(app_label)s.change_%(model_name)s'],
        'PATCH': ['%(app_label)s.change_%(model_name)s'],
        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
    }
```
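To show why the default mapping is fail-open, here is an added, dependency-free model of the decision `DjangoModelPermissions` makes (this is illustrative code written for this page, not DRF's own implementation; `FakeUser`, `has_permission` and the `shop.order` model are constructed stand-ins, and the check is simplified to the `has_perms` call): with `'GET': []` the user's `has_perms([])` is `all([])`, which is `True` for every authenticated user, whereas the strict map requires `app_label.view_model_name`.

```python
from dataclasses import dataclass, field

# Default DRF-style mapping: reads require no permission at all (fail-open).
DEFAULT_PERMS_MAP = {
    'GET': [], 'OPTIONS': [], 'HEAD': [],
    'POST': ['%(app_label)s.add_%(model_name)s'],
    'PUT': ['%(app_label)s.change_%(model_name)s'],
    'PATCH': ['%(app_label)s.change_%(model_name)s'],
    'DELETE': ['%(app_label)s.delete_%(model_name)s'],
}
# Strict variant from the issue: GET needs the Django 2.1+ "view" permission.
STRICT_PERMS_MAP = dict(DEFAULT_PERMS_MAP,
                        GET=['%(app_label)s.view_%(model_name)s'])


@dataclass
class FakeUser:
    """Constructed stand-in for a Django user (assumption, not django.contrib.auth)."""
    perms: set = field(default_factory=set)
    is_authenticated: bool = True

    def has_perms(self, perm_list):
        # Mirrors Django's all()-based check: all([]) is True, the fail-open root cause.
        return all(p in self.perms for p in perm_list)


def required_perms(perms_map, method, app_label, model_name):
    """Expand the %(app_label)s/%(model_name)s templates for one HTTP method."""
    kwargs = {'app_label': app_label, 'model_name': model_name}
    return [perm % kwargs for perm in perms_map[method]]


def has_permission(perms_map, user, method, app_label='shop', model_name='order'):
    """Simplified decision rule: authenticated user must hold every mapped permission."""
    if not user.is_authenticated:
        return False
    if method not in perms_map:
        return False  # DRF raises MethodNotAllowed here; a denial suffices for the demo
    return user.has_perms(required_perms(perms_map, method, app_label, model_name))


if __name__ == '__main__':
    nobody = FakeUser()                       # authenticated, holds no permissions
    reader = FakeUser({'shop.view_order'})    # holds only the view permission
    print(has_permission(DEFAULT_PERMS_MAP, nobody, 'GET'))   # True: fail-open
    print(has_permission(STRICT_PERMS_MAP, nobody, 'GET'))    # False
    print(has_permission(STRICT_PERMS_MAP, reader, 'GET'))    # True
```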
Hi everyone, there's a patch which adds support for view permission and is backward compatible: https://github.com/encode/django-rest-framework/pull/8009.
This is great, I hope this PR can be merged.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Not stale?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.