diff --git a/djangoldp/permissions.py b/djangoldp/permissions.py
index 44c56430d2d58358059efe31bc37374ad0a1ae88..eb18cd5abe7d42eb9fce1acbc59cb8f59ab9330c 100644
--- a/djangoldp/permissions.py
+++ b/djangoldp/permissions.py
@@ -1,8 +1,8 @@
-from rest_framework.permissions import DjangoObjectPermissions
+from rest_framework.permissions import BasePermission
from django.core.exceptions import PermissionDenied
-class LDPPermissions(DjangoObjectPermissions):
+class LDPPermissions(BasePermission):
"""
Default permissions
@@ -50,8 +50,8 @@ class LDPPermissions(DjangoObjectPermissions):
perms_map = {
'GET': ['%(app_label)s.view_%(model_name)s'],
- 'OPTIONS': [],
- 'HEAD': [],
+ 'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
+ 'HEAD': ['%(app_label)s.view_%(model_name)s'],
'POST': ['%(app_label)s.add_%(model_name)s'],
'PUT': ['%(app_label)s.change_%(model_name)s'],
'PATCH': ['%(app_label)s.change_%(model_name)s'],
@@ -80,10 +80,9 @@ class LDPPermissions(DjangoObjectPermissions):
perms = self.get_permissions(request.method, view.model)
# A bit tricky, but feels redondant to redeclarate perms_map
- requested = self.get_permissions(request.method, view.model)[0].split('.')[1].split('_')[0]
-
- if not requested in self.user_permissions(request.user, view.model):
- return False
+ for perm in perms:
+ if not perm.split('.')[1].split('_')[0] in self.user_permissions(request.user, view.model):
+ return False
return True
@@ -95,9 +94,9 @@ class LDPPermissions(DjangoObjectPermissions):
"""
perms = self.get_permissions(request.method, obj)
- if not request.user.has_perms(perms, obj):
-
- read_perms = self.get_permissions('GET', obj)
- return PermissionDenied
+ # A bit tricky, but feels redondant to redeclarate perms_map
+ for perm in perms:
+ if not perm.split('.')[1].split('_')[0] in self.user_permissions(request.user, obj):
+ return False
return True
diff --git a/djangoldp/tests/models.py b/djangoldp/tests/models.py
index c7e65f87508715a7df7fa53986fe295e00a3a268..823f2d18afcec6ff07023a93e7054064d8616277 100644
--- a/djangoldp/tests/models.py
+++ b/djangoldp/tests/models.py
@@ -34,8 +34,8 @@ class JobOffer(Model):
class Meta:
anonymous_perms = ['view']
- authenticated_perms = ['inherit', 'add']
- owner_perms = ['inherit', 'change', 'delete', 'control']
+ authenticated_perms = ['inherit', 'change', 'add']
+ owner_perms = ['inherit', 'delete', 'control']
nested_fields = ["skills"]
serializer_fields = ["@id", "title", "skills", "recent_skills"]
container_path = "job-offers/"
diff --git a/djangoldp/tests/tests_user_permissions.py b/djangoldp/tests/tests_user_permissions.py
index b85da1fda9b34c5f2fd3ea2b8c841eae6c66605c..7ab62104feea66f867a55f3b5c32c3879447d693 100644
--- a/djangoldp/tests/tests_user_permissions.py
+++ b/djangoldp/tests/tests_user_permissions.py
@@ -1,5 +1,5 @@
from django.contrib.auth.models import User
-from rest_framework.test import APIRequestFactory, APIClient, APITestCase
+from rest_framework.test import APIClient, APITestCase
from djangoldp.permissions import LDPPermissions
from .models import JobOffer
@@ -11,48 +11,27 @@ import json
class TestUserPermissions(APITestCase):
def setUp(self):
- self.factory = APIRequestFactory()
- self.client = APIClient()
- self.user = User.objects.create_user(username='john', email='jlennon@beatles.com', password='glass onion')
+ user = User.objects.create_user(username='john', email='jlennon@beatles.com', password='glass onion')
+ self.client = APIClient(enforce_csrf_checks=True)
+ self.client.force_authenticate(user=user)
self.job = JobOffer.objects.create(title="job")
- def tearDown(self):
- self.user.delete()
-
def test_get_for_authenticated_user(self):
- request = self.factory.get('/job-offers/')
- request.user = self.user
- my_view = LDPViewSet.as_view({'get': 'list'}, model=JobOffer)
- my_view.cls.permission_classes = [LDPPermissions]
-
- response = my_view(request)
+ response = self.client.get('/job-offers/')
self.assertEqual(response.status_code, 200)
def test_post_request_for_authenticated_user(self):
- data = {'title': 'new idea'}
- request = self.factory.post('/job-offers/', json.dumps(data), content_type='application/ld+json')
- request.user = self.user
- my_view = LDPViewSet.as_view({'post': 'create'}, model=JobOffer, nested_fields=["skills"])
- my_view.cls.permission_classes = [LDPPermissions]
-
- response = my_view(request, pk=1)
+ post = {'title': "job_created"}
+ response = self.client.post('/job-offers/', data=json.dumps(post), content_type='application/ld+json')
self.assertEqual(response.status_code, 201)
- # def test_put_request_for_authenticated_user(self):
- # data = {'title':"job_updated"}
- # request = self.factory.put('/job-offers/' + str(self.job.pk) + "/", data)
- # request.user = self.user
- # my_view = LDPViewSet.as_view({'put': 'update'}, model=JobOffer)
- # my_view.cls.permission_classes = [LDPPermissions]
- #
- # response = my_view(request, pk=self.job.pk)
- # self.assertEqual(response.status_code, 200)
- #
- # def test_request_patch_for_authenticated_user(self):
- # request = self.factory.patch('/job-offers/' + str(self.job.pk) + "/")
- # request.user = self.user
- # my_view = LDPViewSet.as_view({'patch': 'partial_update'}, model=JobOffer)
- # my_view.cls.permission_classes = [LDPPermissions]
- #
- # response = my_view(request, pk=self.job.pk)
- # self.assertEqual(response.status_code, 200)
+ def test_put_request_for_authenticated_user(self):
+ body = {'title':"job_updated"}
+ response = self.client.put('/job-offers/{}/'.format(self.job.pk), data=json.dumps(body),
+ content_type='application/ld+json')
+ self.assertEqual(response.status_code, 200)
+
+ def test_request_patch_for_authenticated_user(self):
+ response = self.client.patch('/job-offers/' + str(self.job.pk) + "/",
+ content_type='application/ld+json')
+ self.assertEqual(response.status_code, 200)