fix(permissions): make sure to first check the base permissions

Currently we first check the generic permissions and the the views
actual base permission. This doesn't make sense as we should first check
e.g. whether a user is even authenticated before checking more specific
permissions.

Author: anehx

generic_permissions/permissions.py

@@ -23,9 +23,9 @@ def check_permissions(self, request):
         """
         Overwrite default implementation to check DGAP permissions.
         """
+        super().check_permissions(request)
         if request.method != "GET":
             self._check_permissions(request)
-        super().check_permissions(request)
 
     def _check_object_permissions(self, request, instance):
         """
@@ -43,9 +43,9 @@ def check_object_permissions(self, request, instance):
         """
         Overwrite default implementation to check DGAP object permissions.
         """
+        super().check_object_permissions(request, instance)
         if request.method != "GET":
             self._check_object_permissions(request, instance)
-        super().check_object_permissions(request, instance)
 
 
 class BasePermission:

tests/test_permissions.py

@@ -1,6 +1,7 @@
 import pytest
 from django.core.exceptions import ImproperlyConfigured, PermissionDenied
 from django.urls import reverse
+from rest_framework.exceptions import PermissionDenied as DRFPermissionDenied
 from rest_framework.status import (
     HTTP_200_OK,
     HTTP_201_CREATED,
@@ -14,7 +15,7 @@
     object_permission_for,
     permission_for,
 )
-from tests.views import Test1ViewSet, Test2ViewSet
+from tests.views import Test1ViewSet, Test2ViewSet, TestBaseViewSet
 
 from .models import Model1, Model2
 
@@ -215,3 +216,21 @@ def has_object_permission_for_both_mutations(self, request, instance):
         Test1ViewSet(request=request, format_kwarg="json").check_object_permissions(
             request, tm1
         )
+
+
+def test_base_permission(db, rf):
+    ObjectPermissionsConfig.register_handler_class(DenyAll)
+    PermissionsConfig.register_handler_class(DenyAll)
+
+    request = rf.patch("")
+    request.authenticators = None
+    request.data = {"text": "foo"}
+
+    # Make sure that the permission error is from DRF, not from the generic permissions
+    with pytest.raises(DRFPermissionDenied):
+        TestBaseViewSet(request=request, format_kwarg="json").check_permissions(request)
+
+    with pytest.raises(DRFPermissionDenied):
+        TestBaseViewSet(request=request, format_kwarg="json").check_object_permissions(
+            request, Model1.objects.create()
+        )

tests/views.py

@@ -1,3 +1,4 @@
+from rest_framework.permissions import BasePermission
 from rest_framework.viewsets import ModelViewSet
 
 from generic_permissions.permissions import PermissionViewMixin
@@ -6,6 +7,14 @@
 from . import models, serializers
 
 
+class BaseDenyAll(BasePermission):
+    def has_permission(self, request, view):
+        return False
+
+    def has_object_permission(self, request, view, obj):
+        return False
+
+
 class Test1ViewSet(PermissionViewMixin, VisibilityViewMixin, ModelViewSet):
     serializer_class = serializers.TestModel1Serializer
     queryset = models.Model1.objects.all()
@@ -14,3 +23,9 @@ class Test1ViewSet(PermissionViewMixin, VisibilityViewMixin, ModelViewSet):
 class Test2ViewSet(PermissionViewMixin, VisibilityViewMixin, ModelViewSet):
     serializer_class = serializers.TestModel2Serializer
     queryset = models.Model2.objects.all()
+
+
+class TestBaseViewSet(PermissionViewMixin, VisibilityViewMixin, ModelViewSet):
+    permission_classes = [BaseDenyAll]
+    serializer_class = serializers.TestModel1Serializer
+    queryset = models.Model1.objects.all()