openwisp · nemesifier · Jun 1, 2021 · May 22, 2021 · May 23, 2021 · May 27, 2021
diff --git a/openwisp_users/api/permissions.py b/openwisp_users/api/permissions.py
@@ -1,5 +1,7 @@
+import copy
+
 from django.utils.translation import gettext_lazy as _
-from rest_framework.permissions import BasePermission
+from rest_framework.permissions import BasePermission, DjangoModelPermissions
 from swapper import load_model
 
 Organization = load_model('openwisp_users', 'Organization')
@@ -66,3 +68,32 @@ class IsOrganizationOwner(BaseOrganizationPermission):
 
     def validate_membership(self, user, org):
         return org and (user.is_superuser or user.is_owner(org))
+
+
+class CustomDjangoModelPermissions(DjangoModelPermissions):
+    def __init__(self):
+        self.perms_map = copy.deepcopy(self.perms_map)
+        self.perms_map['GET'] = ['%(app_label)s.view_%(model_name)s']
+
+    def has_permission(self, request, view):
+        # Workaround to ensure DjangoModelPermissions are not applied
+        # to the root view when using DefaultRouter.
+        if getattr(view, '_ignore_model_permissions', False):
+            return True
+
+        if not request.user or (
+            not request.user.is_authenticated and self.authenticated_users_only
+        ):
+            return False
+
+        queryset = self._queryset(view)
+        perms = self.get_required_permissions(request.method, queryset.model)
+        change_perm = self.get_required_permissions('PUT', queryset.model)
+
+        if request.method == 'GET':
+            if request.user.has_perms(perms) or request.user.has_perms(change_perm):
+                return True
+            else:
+                return False
+
+        return request.user.has_perms(perms)
diff --git a/tests/testapp/tests/test_permission_classes.py b/tests/testapp/tests/test_permission_classes.py
@@ -1,10 +1,14 @@
+from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Permission
 from django.test import TestCase
 from django.urls import reverse
 
 from openwisp_users.api.throttling import AuthRateThrottle
 
 from .mixins import TestMultitenancyMixin
 
+User = get_user_model()
+
 
 class TestPermissionClasses(TestMultitenancyMixin, TestCase):
     def setUp(self):
@@ -117,3 +121,29 @@ def test_organization_field_with_errored_parent(self):
         with self.assertRaises(AttributeError) as error:
             self.client.get(reverse('test_error_field_view'), **auth)
         self.assertIn('Organization not found', str(error.exception))
+
+    def test_custom_django_model_permission_with_view_permission(self):
+        user = User.objects.create_user(
+            username='operator', password='tester', email='operator@test.com'
+        )
+        user_permissions = Permission.objects.filter(codename='view_template')
+        user.user_permissions.add(*user_permissions)
+        user.organizations_dict  # force caching
+        self.client.force_login(user)
+        token = self._obtain_auth_token()
+        auth = dict(HTTP_AUTHORIZATION=f'Bearer {token}')
+        response = self.client.get(reverse('test_template_list'), **auth)
+        self.assertEqual(response.status_code, 200)
+
+    def test_custom_django_model_permission_with_change_permission(self):
+        user = User.objects.create_user(
+            username='operator', password='tester', email='operator@test.com'
+        )
+        user_permissions = Permission.objects.filter(codename='change_template')
+        user.user_permissions.add(*user_permissions)
+        user.organizations_dict  # force caching
+        self.client.force_login(user)
+        token = self._obtain_auth_token()
+        auth = dict(HTTP_AUTHORIZATION=f'Bearer {token}')
+        response = self.client.get(reverse('test_template_list'), **auth)
+        self.assertEqual(response.status_code, 200)
diff --git a/tests/testapp/views.py b/tests/testapp/views.py
@@ -14,6 +14,7 @@
 )
 from openwisp_users.api.permissions import (
     BaseOrganizationPermission,
+    CustomDjangoModelPermissions,
     IsOrganizationManager,
     IsOrganizationMember,
     IsOrganizationOwner,
@@ -169,7 +170,10 @@ def get_queryset(self):
 class TemplateListCreateView(ListCreateAPIView):
     serializer_class = TemplateSerializer
     authentication_classes = (BearerAuthentication,)
-    permission_classes = (IsOrganizationMember,)
+    permission_classes = (
+        IsOrganizationMember,
+        CustomDjangoModelPermissions,
+    )
     queryset = Template.objects.all()