Respect can_read_model in DjangoModelPermissions

paultiplady · paultiplady · commit 8bd001ded03e · 2018-11-19T08:59:43.000-08:00
Django version 2.1 introduced the `can_read_model` permission
to support read-only ModelAdmin views. Add support for this
permission to a DjangoModelPermissions subclass.

(A subclass is created in order to preserve
backwards-compatibility with versions of Django that don't
support this flag).
diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py
@@ -151,7 +151,7 @@ class DjangoModelPermissions(BasePermission):
     # Override this if you need to also provide 'view' permissions,
     # or if you want to provide custom permission codes.
     perms_map = {
-        'GET': [],
+        'GET': ['%(app_label)s.view_%(model_name)s'],
         'OPTIONS': [],
         'HEAD': [],
         'POST': ['%(app_label)s.add_%(model_name)s'],
diff --git a/tests/test_permissions.py b/tests/test_permissions.py
@@ -87,9 +87,15 @@ def setUp(self):
             Permission.objects.get(codename='change_basicmodel'),
         ])
 
+        user = User.objects.create_user('readonly', 'readonly@example.com', 'password')
+        user.user_permissions.set([
+            Permission.objects.get(codename='view_basicmodel'),
+        ])
+
         self.permitted_credentials = basic_auth_header('permitted', 'password')
         self.disallowed_credentials = basic_auth_header('disallowed', 'password')
         self.updateonly_credentials = basic_auth_header('updateonly', 'password')
+        self.readonly_credentials = basic_auth_header('readonly', 'password')
 
         BasicModel(text='foo').save()
 
@@ -117,6 +123,12 @@ def test_get_queryset_has_create_permissions(self):
         response = get_queryset_list_view(request, pk=1)
         self.assertEqual(response.status_code, status.HTTP_201_CREATED)
 
+    def test_has_read_permissions(self):
+        request = factory.get('/', {'text': 'foobar'}, format='json',
+                              HTTP_AUTHORIZATION=self.permitted_credentials)
+        response = root_view(request, pk=1)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
     def test_has_put_permissions(self):
         request = factory.put('/1', {'text': 'foobar'}, format='json',
                               HTTP_AUTHORIZATION=self.permitted_credentials)
@@ -134,6 +146,12 @@ def test_does_not_have_create_permissions(self):
         response = root_view(request, pk=1)
         self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 
+    def test_does_not_have_read_permissions(self):
+        request = factory.get('/', {'text': 'foobar'}, format='json',
+                              HTTP_AUTHORIZATION=self.disallowed_credentials)
+        response = root_view(request, pk=1)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
     def test_does_not_have_put_permissions(self):
         request = factory.put('/1', {'text': 'foobar'}, format='json',
                               HTTP_AUTHORIZATION=self.disallowed_credentials)
