rsinger86 / drf-access-policy

Declarative access policies/permissions modeled after AWS' IAM policies.
https://rsinger86.github.io/drf-access-policy/
MIT License
473 stars 50 forks

Should raise method not allowed 405 rather than permission denied 403 #23

Closed filwaline closed 4 years ago

filwaline commented 4 years ago

When a request has an undefined (method, action) combination, this module raises 403; I think a 405 response is much more appropriate.

For example, I defined an extra action in viewset:

from rest_framework.decorators import action

# And make this public in AP's statements
@action(detail=False, methods=['post'])
def foo(self, request):
    ...

If anyone tries GET /foo, they will get 403 rather than 405.

After studying the source code, I found this happens because AccessPolicy returns False when it can't find a matching statement. But django-restframework already handles such a case. Maybe you should let it go, and let DRF do the rest?

filwaline commented 4 years ago

Well, it seems naive to let a mismatch (matched is empty) go, since the current logic can't determine why matched is empty (maybe the principal didn't match or it failed on conditions), so DRF can't raise 405 Method Not Allowed appropriately...
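The point in the last comment is that a bare True/False from the policy throws away the reason for the denial, so the caller cannot tell "no statement covers this action" (where a 405 would be correct) apart from "a statement exists but the principal or a condition did not match" (which must stay 403, or the 405 would leak which actions exist for other principals). The following is an added, stand-alone illustration written for this page; it is not drf-access-policy's or DRF's code. The Statement, Request, Outcome, evaluate(), status_for() and decide() names, the sample statements, the route table and the "has_mfa" condition are all constructed here.

```python
"""Toy model of the 403-vs-405 ordering discussed in the issue (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable, Dict, List, Optional, Set, Tuple


class Outcome(Enum):
    ALLOW = auto()
    DENY_EXPLICIT = auto()       # a matching statement had effect "deny"
    NO_ACTION_MATCH = auto()     # no statement mentions this action at all
    PRINCIPAL_MISMATCH = auto()  # statements exist, but none for this principal
    CONDITION_FAILED = auto()    # principal matched, but every condition failed


@dataclass
class Statement:
    action: List[str]
    principal: List[str]
    effect: str = "allow"
    condition: List[str] = field(default_factory=list)


@dataclass
class Request:
    method: str
    action: Optional[str]   # None when the route has no handler for this method
    groups: List[str]
    mfa: bool = False


def _principal_matches(stmt: Statement, groups: List[str]) -> bool:
    return "*" in stmt.principal or any(f"group:{g}" in stmt.principal for g in groups)


def evaluate(statements: List[Statement], req: Request,
             conditions: Dict[str, Callable[[Request], bool]]) -> Outcome:
    """Return not just allow/deny but *why* nothing matched, stage by stage."""
    by_action = [s for s in statements
                 if req.action is not None and ("*" in s.action or req.action in s.action)]
    if not by_action:
        return Outcome.NO_ACTION_MATCH
    by_principal = [s for s in by_action if _principal_matches(s, req.groups)]
    if not by_principal:
        return Outcome.PRINCIPAL_MISMATCH
    passed = [s for s in by_principal if all(conditions[c](req) for c in s.condition)]
    if not passed:
        return Outcome.CONDITION_FAILED
    if any(s.effect == "deny" for s in passed):
        return Outcome.DENY_EXPLICIT
    return Outcome.ALLOW


def status_for(outcome: Outcome, route_methods: Set[str], req: Request) -> int:
    """405 only when the policy had nothing to say about the action AND the route
    really has no handler for the method. Any denial rooted in the principal or a
    condition stays 403, so the status never reveals which actions exist."""
    if outcome is Outcome.ALLOW:
        return 200
    if outcome is Outcome.NO_ACTION_MATCH and req.method not in route_methods:
        return 405
    return 403


# Constructed sample policy: "foo" is a POST-only extra action, open to staff with MFA.
STATEMENTS = [
    Statement(action=["foo"], principal=["group:staff"], condition=["has_mfa"]),
    Statement(action=["list"], principal=["*"]),
]
ROUTE_METHODS: Dict[str, Set[str]] = {"/foo": {"POST"}, "/": {"GET"}}
CONDITIONS: Dict[str, Callable[[Request], bool]] = {"has_mfa": lambda r: r.mfa}


def decide(path: str, req: Request) -> Tuple[Outcome, int]:
    outcome = evaluate(STATEMENTS, req, CONDITIONS)
    return outcome, status_for(outcome, ROUTE_METHODS.get(path, set()), req)


if __name__ == "__main__":
    print(decide("/foo", Request("POST", "foo", ["staff"], mfa=True)))   # ALLOW, 200
    print(decide("/foo", Request("GET", None, ["staff"], mfa=True)))     # NO_ACTION_MATCH, 405
    print(decide("/foo", Request("POST", "foo", [], mfa=True)))          # PRINCIPAL_MISMATCH, 403
    print(decide("/foo", Request("POST", "foo", ["staff"], mfa=False)))  # CONDITION_FAILED, 403
```

The staged evaluation is what makes the distinction possible: only a miss at the very first stage (no statement names the action at all) is allowed to fall through to the framework's method check, and even then only when the route genuinely lacks a handler for that verb.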