DjangoModelPermissions does not respect Django can_read_model permissoin

[paultiplady]

Checklist

• I have verified that that issue exists against the master branch of Django REST framework.
• I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
• This is not a usage question. (Those should be directed to the discussion group instead.)
• This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
• I have reduced the issue to the simplest possible case.
• I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)

Steps to reproduce

Use DjangoModelPermissions on a ViewSet, and access with a user that does not have can_view_<model> permisson.

Expected behavior

The user should not be able to view the model, as they don't have the required permission.

Actual behavior

All authenticated users are granted read-only permission.

[paultiplady]

Pre-Django 2.1 there wasn't a built-in "read-only" permission. The framework chooses "fail-open" instead of "fail-close" here, which isn't the default that I'd expect; however now that there is an explicit can_read_model permission, I think it's clear that the DjangoModelPermissions model should respect it.

This would be a breaking change, since any code that's depending on the default read-only behaviour would break. Is that desirable?

The fix itself is trivial.

[paultiplady]

Breaking back-compat might not be desirable; if so would it be worth adding a subclass that does respect the permission? Something like this would be an option:

class DjangoModelPermissionsStrict(DjangoModelPermissions):
    perms_map = {
        'GET': ['%(app_label)s.view_%(model_name)s'],
        'OPTIONS': [],
        'HEAD': [],
        'POST': ['%(app_label)s.add_%(model_name)s'],
        'PUT': ['%(app_label)s.change_%(model_name)s'],
        'PATCH': ['%(app_label)s.change_%(model_name)s'],
        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
    }

[nemesifier]

Hi everyone, there's a patch which adds support for view permission and is backward compatible: #8009.

[kxbin]

This is great, I hope this PR can be merged.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[dfrankow]

Not stale?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.