check permission with PermissionBackend.

taking connection permission mask into account.
This commit is contained in:
Pierre-antoine Comby 2020-03-24 20:16:56 +01:00
parent 33139bdbde
commit d4b8d35206
2 changed files with 3 additions and 2 deletions

View File

@ -89,6 +89,7 @@ class PermissionBackend(ModelBackend):
query = query | perm.query query = query | perm.query
return query return query
@staticmethod
def has_perm(self, user_obj, perm, obj=None): def has_perm(self, user_obj, perm, obj=None):
if user_obj is None or isinstance(user_obj, AnonymousUser): if user_obj is None or isinstance(user_obj, AnonymousUser):
return False return False

View File

@ -41,8 +41,8 @@ class StrongDjangoObjectPermissions(DjangoObjectPermissions):
user = request.user user = request.user
perms = self.get_required_object_permissions(request.method, model_cls) perms = self.get_required_object_permissions(request.method, model_cls)
# if not user.has_perms(perms, obj):
if not user.has_perms(perms, obj): if not all(PermissionBackend.has_perm(user, perm, obj) for perm in perms):
# If the user does not have permissions we need to determine if # If the user does not have permissions we need to determine if
# they have read permissions to see 403, or not, and simply see # they have read permissions to see 403, or not, and simply see
# a 404 response. # a 404 response.