From f363e6adce120615103a93c17a6cf0baa71380ca Mon Sep 17 00:00:00 2001
From: System Administrator
Date: Mon, 17 Nov 2014 12:02:19 +0100
Subject: [PATCH] BUGFIX: Added authorization check for `MongoEngineListResource`.
---
 setup.py | 2 +-
 tastypie_mongoengine/resources.py | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/setup.py b/setup.py
index ea2e801..c7c9137 100755
--- a/setup.py
+++ b/setup.py
@@ -10,7 +10,7 @@ except ImportError: pass
-VERSION = '0.4.6'
+VERSION = '0.4.7'
 if __name__ == '__main__': setup(
diff --git a/tastypie_mongoengine/resources.py b/tastypie_mongoengine/resources.py
index 182e187..43867d6 100644
--- a/tastypie_mongoengine/resources.py
+++ b/tastypie_mongoengine/resources.py
@@ -853,6 +853,9 @@ def add_index(index, obj): return ListQuerySet([(unicode(index), add_index(index, obj)) for index, obj in enumerate(getattr(self.instance, self.attribute))]) def obj_create(self, bundle, **kwargs):
+
+ self.authorized_create_detail(self.get_object_list(bundle.request), bundle)
+
 try: bundle.obj = self._meta.object_class()
@@ -892,6 +895,9 @@ def find_embedded_document(self, objects, pk_field, pk): # TODO: Use skip_errors? def obj_update(self, bundle, skip_errors=False, **kwargs):
+
+ self.authorized_update_detail(self.get_object_list(bundle.request), bundle)
+
 try: if not bundle.obj or not getattr(bundle.obj, 'pk', None): try:
@@ -920,6 +926,9 @@ def obj_update(self, bundle, skip_errors=False, **kwargs): raise exceptions.ValidationError(ex.message) def obj_delete(self, bundle, **kwargs):
+
+ self.authorized_delete_detail(self.get_object_list(bundle.request), bundle)
+
 obj = kwargs.pop('_obj', None) if not getattr(obj, 'pk', None):
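Review bot: In `obj_update`, `authorized_update_detail` runs before the `if not bundle.obj or not getattr(bundle.obj, 'pk', None)` lookup that follows it, so an object-level authorization class may be handed a bundle whose `obj` is still empty and end up deciding on the request alone. The same ordering applies in `obj_create`, where the check precedes `bundle.obj = self._meta.object_class()`, and in `obj_delete`, where it precedes `obj = kwargs.pop('_obj', None)`. Tastypie's own `ModelResource` makes these calls once the object has been loaded or hydrated, so consider moving each call to that point, e.g. `self.authorized_update_detail(self.get_object_list(bundle.request), bundle)` directly after `bundle.obj` is resolved. All three method bodies continue outside their hunks, so the exact placement, and whether `obj_delete` ever assigns `bundle.obj`, cannot be confirmed from here. A regression test using a deny-all `Authorization` for each verb would pin the intended behaviour.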