|
@@ -75,16 +75,15 @@ class TokenPermissions(DjangoObjectPermissions):
|
|
|
super().__init__()
|
|
super().__init__()
|
|
|
|
|
|
|
|
def _verify_write_permission(self, request):
|
|
def _verify_write_permission(self, request):
|
|
|
|
|
+
|
|
|
# If token authentication is in use, verify that the token allows write operations (for unsafe methods).
|
|
# If token authentication is in use, verify that the token allows write operations (for unsafe methods).
|
|
|
- if request.method in SAFE_METHODS:
|
|
|
|
|
- return True
|
|
|
|
|
- if isinstance(request.auth, Token) and request.auth.write_enabled:
|
|
|
|
|
|
|
+ if request.method in SAFE_METHODS or request.auth.write_enabled:
|
|
|
return True
|
|
return True
|
|
|
|
|
|
|
|
def has_permission(self, request, view):
|
|
def has_permission(self, request, view):
|
|
|
|
|
|
|
|
# Enforce Token write ability
|
|
# Enforce Token write ability
|
|
|
- if not self._verify_write_permission(request):
|
|
|
|
|
|
|
+ if isinstance(request.auth, Token) and not self._verify_write_permission(request):
|
|
|
return False
|
|
return False
|
|
|
|
|
|
|
|
return super().has_permission(request, view)
|
|
return super().has_permission(request, view)
|
|
@@ -92,7 +91,7 @@ class TokenPermissions(DjangoObjectPermissions):
|
|
|
def has_object_permission(self, request, view, obj):
|
|
def has_object_permission(self, request, view, obj):
|
|
|
|
|
|
|
|
# Enforce Token write ability
|
|
# Enforce Token write ability
|
|
|
- if not self._verify_write_permission(request):
|
|
|
|
|
|
|
+ if isinstance(request.auth, Token) and not self._verify_write_permission(request):
|
|
|
return False
|
|
return False
|
|
|
|
|
|
|
|
return super().has_object_permission(request, view, obj)
|
|
return super().has_object_permission(request, view, obj)
|
Jeremy Stretch