1
0
mirror of https://gitlab.crans.org/bde/nk20 synced 2024-11-26 18:37:12 +00:00

Users can see every API page since querysets are filtered and modifications are protected

This commit is contained in:
Yohann D'ANELLO 2020-09-09 22:27:07 +02:00
parent 0f1f3b9560
commit 6a0dc4cb10

View File

@ -14,8 +14,9 @@ class StrongDjangoObjectPermissions(DjangoObjectPermissions):
This is a simple patch of this class that controls view access.
"""
# The queryset is filtered, and permissions are more powerful than a simple check than just "can view this model"
perms_map = {
'GET': ['%(app_label)s.view_%(model_name)s'],
'GET': [], # ['%(app_label)s.view_%(model_name)s'],
'OPTIONS': [],
'HEAD': [],
'POST': ['%(app_label)s.add_%(model_name)s'],