Closed crypto-vault closed 6 years ago
Dispatch is not checking if perm is a function making the view return always a 403 permission denied.
The following example should always grant permission but throws a 403 in detail view.
def myperm_system(user, view): return True perms = { 'create': [], 'list': [], 'delete': [], 'update': [], 'detail': [myperm_system] }
The problem is in line 166 of crud.py:
for perm in self.perms: if not request.user.has_perm(perm): return HttpResponseForbidden()
It should be:
for perm in self.perms: if not self.validate_user_perms(request.user, perm, self.view_type): return HttpResponseForbidden()
Dispatch is not checking if perm is a function making the view return always a 403 permission denied.
The following example should always grant permission but throws a 403 in detail view.
The problem is in line 166 of crud.py:
It should be: