Received: from mail.netlandish.com (mail.netlandish.com [174.136.98.166]) by code.netlandish.com (Postfix) with ESMTP id 4DEFE83181 for <~petersanchez/public-inbox@lists.code.netlandish.com>; Sun, 19 Feb 2023 10:56:12 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=209.85.221.48; helo=mail-wr1-f48.google.com; envelope-from=sarahvboyce95@gmail.com; receiver= Authentication-Results: mail.netlandish.com; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b=hDmB268A Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48]) by mail.netlandish.com (Postfix) with ESMTP id 51B2C152E8A for <~petersanchez/public-inbox@lists.code.netlandish.com>; Sun, 19 Feb 2023 10:56:09 +0000 (UTC) Received: by mail-wr1-f48.google.com with SMTP id b10so106557wrx.11 for <~petersanchez/public-inbox@lists.code.netlandish.com>; Sun, 19 Feb 2023 02:56:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:from:date:user-agent:message-id:subject :content-transfer-encoding:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=SB3lh2b1e/DsAHpX1rxBa2DYgwbtOo1CGdA3CJzvvbA=; b=hDmB268AG0tLf/U3UhDAoyaw0TUDpifcec4rZxGOe3Fds3rEtU/yI5LH55ugd56jc7 lWuSSIiMae/HsN9bpQ7nZclSkDPnk3Tl+1KYkhbFYepg8F4Ooew1qdJ5vmo70bxrqXyC RvjX3DZnueMjSf7/QDYoX17dK4X37gS0ACktloeDJM54PMiemGCOUFyirh7fyEDDsIdQ 6YnGWtfYIV3kbSNstRHTQn8uyU4Y1fJ1oBAKegbSAX2OkPxEYSNSgJLmw9k7Q0J4U6EC VNnL6+W5hOSgCFq60kuAoeQRkGTTmcJTClkcsBvuDGJuhS+3P+6jlDqfXApEzDEs4ndG r8tA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:from:date:user-agent:message-id:subject :content-transfer-encoding:mime-version:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=SB3lh2b1e/DsAHpX1rxBa2DYgwbtOo1CGdA3CJzvvbA=; b=cOyiuyy4tSknGTaCEjgsIwsKUdwUgZSJc/1tUH7tR+3XSl3cBhWLR06+z6A91QZh/A gEXCWqP744EcGGTCzrOqnz7B9hziTNFYjghdq0LDYy57O01gEjZuX4rHHNKB8xip//Q8 pOnV9eNxKRjwjmcseVTP6pkvEW2M/XhRtGCtIaIaoF26oONqJ4XnZo9vewQ2k+ydQHyE sWHanflGA+ReepFb4RYukYkadXznleYDKrwvJPk2FLNTdNrg3xO1mTxyRXh1ZPYwCydN WiYOXSmc9L+dimQKc6NxjPWYOZv3pik78ufOMFqy/QUF53a9yMcfHSK6zMs/LmSKA7mb +A7g== X-Gm-Message-State: AO0yUKXnQ2Ui9tpyDwHihgugV6bpWzw9uGg8FAFyqkMuw+Iic94v6r5E EcWO+c4h6MwpkApwP7H502I75rxGRaFy7g== X-Google-Smtp-Source: AK7set98mftVxxS1xsz35N0ETOzGNcp6iKg8GFy8adpKjgxeJHBNTnQX7u59C/Wsxg1aNEW8xkB6CA== X-Received: by 2002:a5d:60d2:0:b0:2c5:7f21:1277 with SMTP id x18-20020a5d60d2000000b002c57f211277mr1683431wrt.68.1676804168490; Sun, 19 Feb 2023 02:56:08 -0800 (PST) Received: from localhost.localdomain (2a0a-a541-b663-0-f165-7174-1322-624e.ipv6dyn.netcologne.de. [2a0a:a541:b663:0:f165:7174:1322:624e]) by smtp.gmail.com with ESMTPSA id d11-20020adffd8b000000b002c54536c662sm9091097wrr.34.2023.02.19.02.56.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 19 Feb 2023 02:56:08 -0800 (PST) MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Subject: [PATCH django-impersonate] Allow OPTIONS requests when READ_ONLY is True - Refs #69 X-Mercurial-Node: 77c3932f8751d8457a92596acb8b6a8ba2f73dbb X-Mercurial-Series-Index: 1 X-Mercurial-Series-Total: 1 Message-Id: <77c3932f8751d8457a92.1676804158@localhost.localdomain> X-Mercurial-Series-Id: <77c3932f8751d8457a92.1676804158@localhost.localdomain> User-Agent: Mercurial-patchbomb/6.2.3 Date: Sun, 19 Feb 2023 11:55:58 +0100 From: =?iso-8859-1?q?Sarah_Boyce?= To: ~petersanchez/public-inbox@lists.code.netlandish.com Cc: sarahvboyce95@gmail.com # HG changeset patch # User sarahboyce@localhost.localdomain # Date 1676370721 -3600 # Tue Feb 14 11:32:01 2023 +0100 # Node ID 77c3932f8751d8457a92596acb8b6a8ba2f73dbb # Parent 89fffb32473e64276ca1a114bd2291a08e078227 Allow OPTIONS requests when READ_ONLY is True - Refs #69 diff --git a/README.rst b/README.rst --- a/README.rst +++ b/README.rst @@ -272,9 +272,9 @@ READ_ONLY A boolean that if set to ``True`` any requests that are not either -``GET`` or ``HEAD`` will result in a "Bad Request" response (status code -405). Use this if you want to limit your impersonating users to read -only impersonation sessions. +``GET`` or ``HEAD`` or ``OPTIONS`` will result in a "Bad Request" +response (status code 405). Use this if you want to limit your +impersonating users to read only impersonation sessions. Value should be a boolean, defaults to ``False`` diff --git a/impersonate/admin.py b/impersonate/admin.py --- a/impersonate/admin.py +++ b/impersonate/admin.py @@ -176,7 +176,7 @@ # `return False` hides impersonates module in admin page def has_change_permission(self, request, obj=None): if settings.ADMIN_READ_ONLY: - return request.method in ['GET', 'HEAD'] + return request.method in ['GET', 'HEAD', 'OPTIONS'] return True diff --git a/impersonate/middleware.py b/impersonate/middleware.py --- a/impersonate/middleware.py +++ b/impersonate/middleware.py @@ -50,8 +50,8 @@ except User.DoesNotExist: return - if settings.READ_ONLY and request.method not in ['GET', 'HEAD']: - return HttpResponseNotAllowed(['GET', 'HEAD']) + if settings.READ_ONLY and request.method not in ['GET', 'HEAD', 'OPTIONS']: + return HttpResponseNotAllowed(['GET', 'HEAD', 'OPTIONS']) if check_allow_for_user(request, new_user) and check_allow_for_uri( request.path diff --git a/impersonate/tests.py b/impersonate/tests.py --- a/impersonate/tests.py +++ b/impersonate/tests.py @@ -828,6 +828,8 @@ self.assertTrue(model_admin.has_change_permission(request)) request.method = 'HEAD' self.assertTrue(model_admin.has_change_permission(request)) + request.method = 'OPTIONS' + self.assertTrue(model_admin.has_change_permission(request)) request.method = 'POST' self.assertFalse(model_admin.has_change_permission(request)) @@ -842,5 +844,11 @@ @override_settings(IMPERSONATE={'READ_ONLY': True}) def test_impersonate_read_only(self): self._impersonate_helper('user1', 'foobar', 4) - resp = self.client.post('/not/real/url/') + resp = self.client.post(reverse('impersonate-test')) self.assertEqual(resp.status_code, 405) + resp = self.client.get(reverse('impersonate-test')) + self.assertEqual(resp.status_code, 200) + resp = self.client.head(reverse('impersonate-test')) + self.assertEqual(resp.status_code, 200) + resp = self.client.options(reverse('impersonate-test')) + self.assertEqual(resp.status_code, 200)