On views.py:162, object is created without save=True, so it's saved in database before has_add_permission is called, 5 lines below.
I tried to create a PR with a fix, by first calling create_object(save=False), then self._resource.save_object(obj). But on tests/init.py:304 there's an explicit expectation that the unauthorized object have been saved.
Hi @lfagundes, good catch! It's definitely not expected that you can persist an object w/o having an "add" permission. If tests need altering to reflect this, then feel very welcome to change them.
On views.py:162, object is created without save=True, so it's saved in database before has_add_permission is called, 5 lines below.
I tried to create a PR with a fix, by first calling create_object(save=False), then self._resource.save_object(obj). But on tests/init.py:304 there's an explicit expectation that the unauthorized object have been saved.
Is this really the expected behavior?