If a user does not have object permissions on an action, then any metadata associated with it should not be included in OPTION responses.
(self)
| 215 | assert list(response.data['actions']) == ['PUT'] |
| 216 | |
| 217 | def test_object_permissions(self): |
| 218 | """ |
| 219 | If a user does not have object permissions on an action, then any |
| 220 | metadata associated with it should not be included in OPTION responses. |
| 221 | """ |
| 222 | class ExampleSerializer(serializers.Serializer): |
| 223 | choice_field = serializers.ChoiceField(['red', 'green', 'blue']) |
| 224 | integer_field = serializers.IntegerField(max_value=10) |
| 225 | char_field = serializers.CharField(required=False) |
| 226 | |
| 227 | class ExampleView(views.APIView): |
| 228 | """Example view.""" |
| 229 | def post(self, request): |
| 230 | pass |
| 231 | |
| 232 | def put(self, request): |
| 233 | pass |
| 234 | |
| 235 | def get_serializer(self): |
| 236 | return ExampleSerializer() |
| 237 | |
| 238 | def get_object(self): |
| 239 | if self.request.method == 'PUT': |
| 240 | raise exceptions.PermissionDenied() |
| 241 | |
| 242 | view = ExampleView.as_view() |
| 243 | response = view(request=request) |
| 244 | assert response.status_code == status.HTTP_200_OK |
| 245 | assert list(response.data['actions'].keys()) == ['POST'] |
| 246 | |
| 247 | def test_bug_2455_clone_request(self): |
| 248 | class ExampleView(views.APIView): |