mirror of
https://gitlab.crans.org/bde/nk20
synced 2024-12-22 23:42:25 +00:00
Users can see every API page since querysets are filtered and modifications are protected
This commit is contained in:
parent
0f1f3b9560
commit
6a0dc4cb10
@ -14,8 +14,9 @@ class StrongDjangoObjectPermissions(DjangoObjectPermissions):
|
||||
This is a simple patch of this class that controls view access.
|
||||
"""
|
||||
|
||||
# The queryset is filtered, and permissions are more powerful than a simple check than just "can view this model"
|
||||
perms_map = {
|
||||
'GET': ['%(app_label)s.view_%(model_name)s'],
|
||||
'GET': [], # ['%(app_label)s.view_%(model_name)s'],
|
||||
'OPTIONS': [],
|
||||
'HEAD': [],
|
||||
'POST': ['%(app_label)s.add_%(model_name)s'],
|
||||
|
Loading…
Reference in New Issue
Block a user