mirror of https://gitlab.crans.org/bde/nk20
Users can see every API page since querysets are filtered and modifications are protected
parent
0f1f3b9560
commit
6a0dc4cb10
|
@ -14,8 +14,9 @@ class StrongDjangoObjectPermissions(DjangoObjectPermissions):
|
||||||
This is a simple patch of this class that controls view access.
|
This is a simple patch of this class that controls view access.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
# The queryset is filtered, and permissions are more powerful than a simple check than just "can view this model"
|
||||||
perms_map = {
|
perms_map = {
|
||||||
'GET': ['%(app_label)s.view_%(model_name)s'],
|
'GET': [], # ['%(app_label)s.view_%(model_name)s'],
|
||||||
'OPTIONS': [],
|
'OPTIONS': [],
|
||||||
'HEAD': [],
|
'HEAD': [],
|
||||||
'POST': ['%(app_label)s.add_%(model_name)s'],
|
'POST': ['%(app_label)s.add_%(model_name)s'],
|
||||||
|
|
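Review bot: With `'GET': []` in `perms_map`, this class no longer performs any read check itself, so the confidentiality of every endpoint that uses it rests on the view's queryset being permission-filtered. In stock DRF the object-level check reads the same map, so an empty list would also pass `has_object_permission` for GET unless this subclass overrides it (the class body continues outside the hunk). A viewset with an unfiltered `queryset`, or a custom action that does not go through `filter_queryset()`/`get_object()`, would then be readable by any caller who gets past authentication. I would state that invariant in the comment and drop the commented-out value, e.g. `# GET is deliberately open: each view must return a permission-filtered queryset, which is the only read check.` above a plain `'GET': [],`, and add a test that a user with no permissions gets an empty list or a 404 from each API route.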