Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=209.85.221.48; helo=mail-wr1-f48.google.com; envelope-from=sarahvboyce95@gmail.com; receiver=<UNKNOWN> 
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: [PATCH django-impersonate] Allow OPTIONS requests when READ_ONLY is
 True -
 Refs #69
Message-Id: <77c3932f8751d8457a92.1676804158@localhost.localdomain>
User-Agent: Mercurial-patchbomb/6.2.3
Date: Sun, 19 Feb 2023 11:55:58 +0100
From: =?iso-8859-1?q?Sarah_Boyce?= <sarahvboyce95@gmail.com>
To: ~petersanchez/public-inbox@lists.code.netlandish.com
Cc: sarahvboyce95@gmail.com

# HG changeset patch
# User sarahboyce@localhost.localdomain
# Date 1676370721 -3600
#      Tue Feb 14 11:32:01 2023 +0100
# Node ID 77c3932f8751d8457a92596acb8b6a8ba2f73dbb
# Parent  89fffb32473e64276ca1a114bd2291a08e078227
Allow OPTIONS requests when READ_ONLY is True - Refs #69

diff --git a/README.rst b/README.rst
--- a/README.rst
+++ b/README.rst
@@ -272,9 +272,9 @@
    READ_ONLY
 
 A boolean that if set to ``True`` any requests that are not either
-``GET`` or ``HEAD`` will result in a "Bad Request" response (status code
-405). Use this if you want to limit your impersonating users to read
-only impersonation sessions.
+``GET`` or ``HEAD`` or ``OPTIONS`` will result in a "Bad Request"
+response (status code 405). Use this if you want to limit your
+impersonating users to read only impersonation sessions.
 
 Value should be a boolean, defaults to ``False``
 
diff --git a/impersonate/admin.py b/impersonate/admin.py
--- a/impersonate/admin.py
+++ b/impersonate/admin.py
@@ -176,7 +176,7 @@
     # `return False` hides impersonates module in admin page
     def has_change_permission(self, request, obj=None):
         if settings.ADMIN_READ_ONLY:
-            return request.method in ['GET', 'HEAD']
+            return request.method in ['GET', 'HEAD', 'OPTIONS']
         return True
 
 
diff --git a/impersonate/middleware.py b/impersonate/middleware.py
--- a/impersonate/middleware.py
+++ b/impersonate/middleware.py
@@ -50,8 +50,8 @@
             except User.DoesNotExist:
                 return
 
-            if settings.READ_ONLY and request.method not in ['GET', 'HEAD']:
-                return HttpResponseNotAllowed(['GET', 'HEAD'])
+            if settings.READ_ONLY and request.method not in ['GET', 'HEAD', 'OPTIONS']:
+                return HttpResponseNotAllowed(['GET', 'HEAD', 'OPTIONS'])
 
             if check_allow_for_user(request, new_user) and check_allow_for_uri(
                 request.path
diff --git a/impersonate/tests.py b/impersonate/tests.py
--- a/impersonate/tests.py
+++ b/impersonate/tests.py
@@ -828,6 +828,8 @@
         self.assertTrue(model_admin.has_change_permission(request))
         request.method = 'HEAD'
         self.assertTrue(model_admin.has_change_permission(request))
+        request.method = 'OPTIONS'
+        self.assertTrue(model_admin.has_change_permission(request))
         request.method = 'POST'
         self.assertFalse(model_admin.has_change_permission(request))
 
@@ -842,5 +844,11 @@
     @override_settings(IMPERSONATE={'READ_ONLY': True})
     def test_impersonate_read_only(self):
         self._impersonate_helper('user1', 'foobar', 4)
-        resp = self.client.post('/not/real/url/')
+        resp = self.client.post(reverse('impersonate-test'))
         self.assertEqual(resp.status_code, 405)
+        resp = self.client.get(reverse('impersonate-test'))
+        self.assertEqual(resp.status_code, 200)
+        resp = self.client.head(reverse('impersonate-test'))
+        self.assertEqual(resp.status_code, 200)
+        resp = self.client.options(reverse('impersonate-test'))
+        self.assertEqual(resp.status_code, 200)