Discussed in #9298
Originally posted by lpomfrey March 18, 2024
As the title states, it seems from DRF 3.15 the permissions.DjangoModelPermissionsOrAnonReadOnly doesn't actually allow anonymous read only access as it inherits the check for the view permission on the model from permissions.DjangoModelPermissions class.
It would seem to replicate the older behaviour DjangoModelPermissionsOrAnonReadOnly should set 'GET' and 'HEAD' in the perms_map to [] (along with setting authenticated_users_only = False).
I'm not sure if this is by design and the recommended solution is to compose a set of permissions like permissions.DjangoModelPermissions | ReadOnly (providing a custom ReadOnly class), but the documentation still suggests it should work as it did in 3.14 and before.
Discussed in #9298
Originally posted by lpomfrey March 18, 2024
As the title states, it seems from DRF 3.15 the
permissions.DjangoModelPermissionsOrAnonReadOnlydoesn't actually allow anonymous read only access as it inherits the check for the view permission on the model frompermissions.DjangoModelPermissionsclass.It would seem to replicate the older behaviour
DjangoModelPermissionsOrAnonReadOnlyshould set'GET'and'HEAD'in theperms_mapto[](along with settingauthenticated_users_only = False).I'm not sure if this is by design and the recommended solution is to compose a set of permissions like
permissions.DjangoModelPermissions | ReadOnly(providing a customReadOnlyclass), but the documentation still suggests it should work as it did in 3.14 and before.