diff --git a/rest_framework/exceptions.py b/rest_framework/exceptions.py index 09f111102e..af1f4df1d1 100644 --- a/rest_framework/exceptions.py +++ b/rest_framework/exceptions.py @@ -106,6 +106,17 @@ class APIException(Exception): default_code = 'error' def __init__(self, detail=None, code=None): + if ( + isinstance(detail, tuple) + and isinstance(code, tuple) + and len(detail) == len(code) + ): + self.detail = [ + _get_error_details(d or self.default_detail, c or self.default_code) + for d, c in zip(detail, code) + ] + return + if detail is None: detail = self.default_detail if code is None: diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py index 7c15eca589..b5b5789711 100644 --- a/rest_framework/permissions.py +++ b/rest_framework/permissions.py @@ -58,48 +58,75 @@ def __hash__(self): return hash((self.operator_class, self.op1_class, self.op2_class)) -class AND: - def __init__(self, op1, op2): - self.op1 = op1 - self.op2 = op2 +class OperatorBase: + def __init__(self, *permissions): + self._permissions = permissions + + +class AND(OperatorBase): def has_permission(self, request, view): - return ( - self.op1.has_permission(request, view) and - self.op2.has_permission(request, view) - ) + for perm in self._permissions: + if not perm.has_permission(request, view): + self._set_message_and_code(perm) + return False + return True def has_object_permission(self, request, view, obj): - return ( - self.op1.has_object_permission(request, view, obj) and - self.op2.has_object_permission(request, view, obj) - ) + for perm in self._permissions: + if not perm.has_object_permission(request, view, obj): + self._set_message_and_code(perm) + return False + return True + def _set_message_and_code(self, perm): + self.message = getattr(perm, 'message', None) + self.code = getattr(perm, 'code', None) -class OR: - def __init__(self, op1, op2): - self.op1 = op1 - self.op2 = op2 + +class OR(OperatorBase): def has_permission(self, request, view): - return ( - self.op1.has_permission(request, view) or - self.op2.has_permission(request, view) - ) + collector = ResultCollector() + for perm in self._permissions: + if perm.has_permission(request, view): + return True + else: + collector.add_message_and_code(perm) + collector.finalize(self) + return False def has_object_permission(self, request, view, obj): - return ( - self.op1.has_permission(request, view) - and self.op1.has_object_permission(request, view, obj) - ) or ( - self.op2.has_permission(request, view) - and self.op2.has_object_permission(request, view, obj) - ) + collector = ResultCollector() + for perm in self._permissions: + if perm.has_permission(request, view) and perm.has_object_permission(request, view, obj): + return True + else: + collector.add_message_and_code(perm) + collector.finalize(self) + return False + + +class ResultCollector: + def __init__(self): + self.messages = () + self.codes = () + + def add_message_and_code(self, perm): + message = getattr(perm, 'message', None) + code = getattr(perm, 'code', None) + self.messages += (message,) + self.codes += (code,) + + def finalize(self, perm): + perm.message = self.messages + perm.code = self.codes class NOT: def __init__(self, op1): self.op1 = op1 + self.message = getattr(self.op1, 'message_inverted', None) def has_permission(self, request, view): return not self.op1.has_permission(request, view) diff --git a/tests/test_permissions.py b/tests/test_permissions.py index 39b7ed6622..a9e7272537 100644 --- a/tests/test_permissions.py +++ b/tests/test_permissions.py @@ -12,12 +12,18 @@ HTTP_HEADER_ENCODING, authentication, generics, permissions, serializers, status, views ) +from rest_framework.exceptions import ErrorDetail from rest_framework.routers import DefaultRouter from rest_framework.test import APIRequestFactory from tests.models import BasicModel factory = APIRequestFactory() +DEFAULT_MESSAGE = ErrorDetail('You do not have permission to perform this action.', 'permission_denied') +CUSTOM_MESSAGE_1 = ErrorDetail('Custom: You cannot access this resource', 'permission_denied_custom') +CUSTOM_MESSAGE_2 = ErrorDetail('Custom: You do not have permission to view this resource', 'permission_denied_custom') +INVERTED_MESSAGE = 'Inverted: Your account already active' + class BasicSerializer(serializers.ModelSerializer): class Meta: @@ -454,26 +460,42 @@ def has_permission(self, request, view): class BasicPermWithDetail(permissions.BasePermission): - message = 'Custom: You cannot access this resource' + message = CUSTOM_MESSAGE_1 + message_inverted = INVERTED_MESSAGE code = 'permission_denied_custom' def has_permission(self, request, view): return False +class AnotherBasicPermWithDetail(permissions.BasePermission): + message = CUSTOM_MESSAGE_2 + + def has_permission(self, request, view): + return False + + class BasicObjectPerm(permissions.BasePermission): def has_object_permission(self, request, view, obj): return False class BasicObjectPermWithDetail(permissions.BasePermission): - message = 'Custom: You cannot access this resource' + message = CUSTOM_MESSAGE_1 + message_inverted = INVERTED_MESSAGE code = 'permission_denied_custom' def has_object_permission(self, request, view, obj): return False +class AnotherBasicObjectPermWithDetail(permissions.BasePermission): + message = CUSTOM_MESSAGE_2 + + def has_object_permission(self, request, view, obj): + return False + + class PermissionInstanceView(generics.RetrieveUpdateDestroyAPIView): queryset = BasicModel.objects.all() serializer_class = BasicSerializer @@ -487,6 +509,22 @@ class DeniedViewWithDetail(PermissionInstanceView): permission_classes = (BasicPermWithDetail,) +class DeniedViewWithDetailAND1(PermissionInstanceView): + permission_classes = (BasicPermWithDetail & permissions.AllowAny,) + + +class DeniedViewWithDetailAND2(PermissionInstanceView): + permission_classes = (permissions.AllowAny & AnotherBasicPermWithDetail,) + + +class DeniedViewWithDetailAND3(PermissionInstanceView): + permission_classes = (BasicPermWithDetail & AnotherBasicPermWithDetail,) + + +class DeniedViewWithDetailNOT(PermissionInstanceView): + permission_classes = (~BasicPermWithDetail,) + + class DeniedObjectView(PermissionInstanceView): permission_classes = (BasicObjectPerm,) @@ -495,14 +533,42 @@ class DeniedObjectViewWithDetail(PermissionInstanceView): permission_classes = (BasicObjectPermWithDetail,) +class DeniedObjectViewWithDetailAND1(PermissionInstanceView): + permission_classes = (BasicObjectPermWithDetail & permissions.AllowAny,) + + +class DeniedObjectViewWithDetailAND2(PermissionInstanceView): + permission_classes = (permissions.AllowAny & AnotherBasicObjectPermWithDetail,) + + +class DeniedObjectViewWithDetailAND3(PermissionInstanceView): + permission_classes = (AnotherBasicObjectPermWithDetail & BasicObjectPermWithDetail,) + + +class DeniedObjectViewWithDetailNOT(PermissionInstanceView): + permission_classes = (~BasicObjectPermWithDetail,) + + denied_view = DeniedView.as_view() denied_view_with_detail = DeniedViewWithDetail.as_view() +denied_view_with_detail_and_1 = DeniedViewWithDetailAND1.as_view() +denied_view_with_detail_and_2 = DeniedViewWithDetailAND2.as_view() +denied_view_with_detail_and_3 = DeniedViewWithDetailAND3.as_view() + +denied_view_with_detail_not = DeniedObjectViewWithDetailNOT.as_view() + denied_object_view = DeniedObjectView.as_view() denied_object_view_with_detail = DeniedObjectViewWithDetail.as_view() +denied_object_view_with_detail_and_1 = DeniedObjectViewWithDetailAND1.as_view() +denied_object_view_with_detail_and_2 = DeniedObjectViewWithDetailAND2.as_view() +denied_object_view_with_detail_and_3 = DeniedObjectViewWithDetailAND3.as_view() + +denied_object_view_with_detail_not = DeniedObjectViewWithDetailNOT.as_view() + class CustomPermissionsTests(TestCase): def setUp(self): @@ -510,36 +576,134 @@ def setUp(self): User.objects.create_user('username', 'username@example.com', 'password') credentials = basic_auth_header('username', 'password') self.request = factory.get('/1', format='json', HTTP_AUTHORIZATION=credentials) - self.custom_message = 'Custom: You cannot access this resource' - self.custom_code = 'permission_denied_custom' def test_permission_denied(self): response = denied_view(self.request, pk=1) detail = response.data.get('detail') self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - self.assertNotEqual(detail, self.custom_message) - self.assertNotEqual(detail.code, self.custom_code) + self.assertEqual(detail, DEFAULT_MESSAGE) def test_permission_denied_with_custom_detail(self): response = denied_view_with_detail(self.request, pk=1) detail = response.data.get('detail') self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - self.assertEqual(detail, self.custom_message) - self.assertEqual(detail.code, self.custom_code) + self.assertEqual(detail, CUSTOM_MESSAGE_1) + + def test_permission_denied_with_custom_detail_and_1(self): + response = denied_view_with_detail_and_1(self.request, pk=1) + detail = response.data.get('detail') + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(detail, CUSTOM_MESSAGE_1) + + def test_permission_denied_with_custom_detail_and_2(self): + response = denied_view_with_detail_and_2(self.request, pk=1) + detail = response.data.get('detail') + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(detail, CUSTOM_MESSAGE_2) + + def test_permission_denied_with_custom_detail_and_3(self): + response = denied_view_with_detail_and_3(self.request, pk=1) + detail = response.data.get('detail') + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(detail, CUSTOM_MESSAGE_1) + + def test_permission_denied_with_custom_detail_or_1(self): + view = PermissionInstanceView.as_view( + permission_classes=(BasicPerm | BasicPermWithDetail,), + ) + response = view(self.request, pk=1) + detail = response.data + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(detail, [DEFAULT_MESSAGE, CUSTOM_MESSAGE_1]) + + def test_permission_denied_with_custom_detail_or_2(self): + view = PermissionInstanceView.as_view( + permission_classes=(BasicPermWithDetail | BasicPerm,), + ) + response = view(self.request, pk=1) + detail = response.data + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(detail, [CUSTOM_MESSAGE_1, DEFAULT_MESSAGE]) + + def test_permission_denied_with_custom_detail_or_3(self): + view = PermissionInstanceView.as_view( + permission_classes=(BasicPermWithDetail | AnotherBasicPermWithDetail,), + ) + response = view(self.request, pk=1) + detail = response.data + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(detail, [CUSTOM_MESSAGE_1, CUSTOM_MESSAGE_2]) + + def test_permission_denied_with_custom_detail_not(self): + response = denied_view_with_detail_not(self.request, pk=1) + detail = response.data.get('detail') + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(detail, INVERTED_MESSAGE) def test_permission_denied_for_object(self): response = denied_object_view(self.request, pk=1) detail = response.data.get('detail') self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - self.assertNotEqual(detail, self.custom_message) - self.assertNotEqual(detail.code, self.custom_code) + self.assertEqual(detail, DEFAULT_MESSAGE) def test_permission_denied_for_object_with_custom_detail(self): response = denied_object_view_with_detail(self.request, pk=1) detail = response.data.get('detail') self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) - self.assertEqual(detail, self.custom_message) - self.assertEqual(detail.code, self.custom_code) + self.assertEqual(detail, CUSTOM_MESSAGE_1) + + def test_permission_denied_for_object_with_custom_detail_and_1(self): + response = denied_object_view_with_detail_and_1(self.request, pk=1) + detail = response.data.get('detail') + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(detail, CUSTOM_MESSAGE_1) + + def test_permission_denied_for_object_with_custom_detail_and_2(self): + response = denied_object_view_with_detail_and_2(self.request, pk=1) + detail = response.data.get('detail') + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(detail, CUSTOM_MESSAGE_2) + + def test_permission_denied_for_object_with_custom_detail_and_3(self): + response = denied_object_view_with_detail_and_3(self.request, pk=1) + detail = response.data.get('detail') + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(detail, CUSTOM_MESSAGE_2) + + def test_permission_denied_for_object_with_custom_detail_or_1(self): + view = PermissionInstanceView.as_view( + permission_classes=(BasicObjectPerm | BasicObjectPermWithDetail,), + ) + response = view(self.request, pk=1) + detail = response.data + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(detail, [DEFAULT_MESSAGE, CUSTOM_MESSAGE_1]) + + def test_permission_denied_for_object_with_custom_detail_or_2(self): + view = PermissionInstanceView.as_view( + permission_classes=(BasicObjectPermWithDetail | BasicObjectPerm,), + ) + response = view(self.request, pk=1) + detail = response.data + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(detail, [CUSTOM_MESSAGE_1, DEFAULT_MESSAGE]) + + def test_permission_denied_for_object_with_custom_detail_or_3(self): + view = PermissionInstanceView.as_view( + permission_classes=( + BasicObjectPermWithDetail | AnotherBasicObjectPermWithDetail, + ), + ) + response = view(self.request, pk=1) + detail = response.data + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(detail, [CUSTOM_MESSAGE_1, CUSTOM_MESSAGE_2]) + + def test_permission_denied_for_object_with_custom_detail_not(self): + response = denied_object_view_with_detail_not(self.request, pk=1) + detail = response.data.get('detail') + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(detail, INVERTED_MESSAGE) class PermissionsCompositionTests(TestCase):