No, it's right here <https://www.django-rest-framework.org/api-guide/permissions/#setting-the-permission-policy> in the documentation, same link I left in the gist.
On Friday, 28 August 2020 at 19:43:02 UTC+1 yezile...@gmail.com wrote:

> What's with the bitwise operator on permission classes? Are you using a
> 3rd party package or something?
>
> On Fri, Aug 28, 2020, 21:17 Luis Félix <lcs....@gmail.com> wrote:
>
>> Hello,
>>
>> I think I found some undesired behaviour, but would like to make sure it
>> isn't a usage problem before opening an issue and PR on GitHub.
>>
>> Consider, if you please, the following code (trimmed down to the relevant
>> stuff):
>>
>> https://gist.github.com/lcsfelix/afc5a62ba1379f85173b58145453ff16
>>
>> Now, the question:
>>
>> The BasePermission class implements two methods: has_permissions and
>> has_object_permissions. They both simply return True.
>>
>> The IsAuthenticated, IsAdminUser, and IsAuthenticatedOrReadOnly classes
>> extend BasePermission but only override has_permissions.
>>
>> When the above code receives a PATCH request, it allows any user to
>> complete the operation despite *not* being an admin, because
>> IsAdminUser.has_object_permissions always returns True and therefore no
>> other rules are checked.
>>
>> Shouldn't these Permissions classes consider object level permissions?
>>
>> Best regards,
>> Luis Félix
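
The behaviour reported in this thread, reproduced in a small stand-alone model (an added example, not code from the gist or from Django REST framework itself). It assumes the composed policy is an admin check OR'ed with an owner check; `IsOwner`, `NaiveOr`, `PairedOr` and `allowed` are hypothetical names, and the users and object are constructed sample data.

```python
from types import SimpleNamespace

class BasePermission:
    """Stand-in base class as described in the thread: both checks default to True."""
    def has_permission(self, request, view):
        return True
    def has_object_permission(self, request, view, obj):
        return True

class IsAdminUser(BasePermission):
    # Overrides only the request-level check; the object-level default stays True.
    def has_permission(self, request, view):
        return bool(request.user.is_staff)

class IsOwner(BasePermission):  # hypothetical object-level rule
    def has_object_permission(self, request, view, obj):
        return obj.owner == request.user.name

class NaiveOr:
    """OR that combines each check independently across both operands."""
    def __init__(self, a, b):
        self.a, self.b = a, b
    def has_permission(self, request, view):
        return self.a.has_permission(request, view) or self.b.has_permission(request, view)
    def has_object_permission(self, request, view, obj):
        return (self.a.has_object_permission(request, view, obj)
                or self.b.has_object_permission(request, view, obj))

class PairedOr(NaiveOr):
    """OR where an operand grants object access only if it also passed the request check."""
    def has_object_permission(self, request, view, obj):
        return any(p.has_permission(request, view)
                   and p.has_object_permission(request, view, obj)
                   for p in (self.a, self.b))

def allowed(policy, user, obj):
    """Run both stages in order, the way a detail view would for a PATCH."""
    request = SimpleNamespace(user=user, method="PATCH")
    return (policy.has_permission(request, None)
            and policy.has_object_permission(request, None, obj))

# Constructed sample data
ADMIN = SimpleNamespace(name="root", is_staff=True)
ALICE = SimpleNamespace(name="alice", is_staff=False)
MALLORY = SimpleNamespace(name="mallory", is_staff=False)
DOC = SimpleNamespace(owner="alice")
```

With `NaiveOr`, a non-admin non-owner passes both stages because each stage is satisfied by a different operand's default `True`; `PairedOr` closes that gap while still admitting the admin and the owner.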