Received: from mail.netlandish.com (mail.netlandish.com [174.136.98.166])
	by code.netlandish.com (Postfix) with ESMTP id 8F4078318B
	for <~petersanchez/public-inbox@lists.code.netlandish.com>; Sun, 19 Feb 2023 20:59:40 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=209.85.128.43; helo=mail-wm1-f43.google.com; envelope-from=sarahvboyce95@gmail.com; receiver=<UNKNOWN> 
Authentication-Results: mail.netlandish.com;
	dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b=O94T2f+o
Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43])
	by mail.netlandish.com (Postfix) with ESMTP id B0964152E8A
	for <~petersanchez/public-inbox@lists.code.netlandish.com>; Sun, 19 Feb 2023 20:59:37 +0000 (UTC)
Received: by mail-wm1-f43.google.com with SMTP id j41-20020a05600c1c2900b003e1e754657aso958890wms.2
        for <~petersanchez/public-inbox@lists.code.netlandish.com>; Sun, 19 Feb 2023 12:59:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=to:from:date:user-agent:message-id:subject
         :content-transfer-encoding:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=SB3lh2b1e/DsAHpX1rxBa2DYgwbtOo1CGdA3CJzvvbA=;
        b=O94T2f+ocztUKN86QWdT8CZBUGH8pJHcNTlHGAJ557kHO9+4Pv35uAHe5ev3gVUVRN
         BA05ca3zRGlaaYsGjXdTG7DtqFjxODSGGT+ch9aPDZlCWOI1KY8Ld2GgdiVPUKq1++MX
         KJS+yt8yGuYDGyb01sV7vfwtV35zuAYQyKfERkfQ/yT7mQtnolP6435U9APY415/v5Gp
         fPqrQTLWEYYvXmgUGE5cy462tKbT7m0thOgsV0qEhg5R9xizpiJ1jpCUPZSu56QMXZv2
         6CbKjKjTI1oe9uCcVc0aoy0WRPKoDzV/n82Anpfb0Uj+VFT3iDwLnDv2WyKvOWKOvEb6
         Kv3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=to:from:date:user-agent:message-id:subject
         :content-transfer-encoding:mime-version:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=SB3lh2b1e/DsAHpX1rxBa2DYgwbtOo1CGdA3CJzvvbA=;
        b=zPnUa6mrhTgCGeORob/W8KnNvp9iQ9grNKR4FdN9Ffb1EUJjgajev8L9+E2BfHDlNQ
         W4eqfPzgMyLULvMWiBzSFT3Ujhp7pw5uph1KleuIeZYb9FC6roEc8mliXmDILQqkq1EC
         0Pc4H0HmDbZ7q1RW0G5PSYI7E+Yrdxdj1Bjx22NbvMZbgqp7byEP22L0URk1pED2oZT0
         fkqUihjICV1w090tMskl5IcksHhkmOf/SEhFUJoH5cxnH+Dr3C1TQ08/mJ9xGkJ9J0OQ
         SPixT0zD/QzO22e2Rxix+d0ireHyPkwF+1vk37hK532iuE4zXCorx8nw9fyLRII3uVvt
         OdQw==
X-Gm-Message-State: AO0yUKVv4fgzJi+a+2QaU65PnbLcjQr4F8SYNoy7APdxPmdo0Lm7yUkg
	EvXczCqh84XOiSrxSIJgPUYJguxw314=
X-Google-Smtp-Source: AK7set8En0qWZCM7rf9g1vtUfjW365gMLCaEY1A14Xm3ddiB6Jn12mj4rVSNgx8Y8+H9TK2RqJIZsQ==
X-Received: by 2002:a05:600c:4d05:b0:3dc:5937:35a2 with SMTP id u5-20020a05600c4d0500b003dc593735a2mr6193920wmp.9.1676840376562;
        Sun, 19 Feb 2023 12:59:36 -0800 (PST)
Received: from localhost.localdomain (2a0a-a541-b663-0-f165-7174-1322-624e.ipv6dyn.netcologne.de. [2a0a:a541:b663:0:f165:7174:1322:624e])
        by smtp.gmail.com with ESMTPSA id y25-20020a1c4b19000000b003dc4480df80sm8547100wma.34.2023.02.19.12.59.35
        for <~petersanchez/public-inbox@lists.code.netlandish.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 19 Feb 2023 12:59:36 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: [PATCH 1 of 2 django-impersonate] Allow OPTIONS requests when
 READ_ONLY is
 True - Refs #69
X-Mercurial-Node: 77c3932f8751d8457a92596acb8b6a8ba2f73dbb
X-Mercurial-Series-Index: 1
X-Mercurial-Series-Total: 2
Message-Id: <77c3932f8751d8457a92.1676840363@localhost.localdomain>
X-Mercurial-Series-Id: <77c3932f8751d8457a92.1676840363@localhost.localdomain>
User-Agent: Mercurial-patchbomb/6.2.3
Date: Sun, 19 Feb 2023 21:59:23 +0100
From: =?iso-8859-1?q?Sarah_Boyce?= <sarahvboyce95@gmail.com>
To: ~petersanchez/public-inbox@lists.code.netlandish.com

# HG changeset patch
# User sarahboyce@localhost.localdomain
# Date 1676370721 -3600
#      Tue Feb 14 11:32:01 2023 +0100
# Node ID 77c3932f8751d8457a92596acb8b6a8ba2f73dbb
# Parent  89fffb32473e64276ca1a114bd2291a08e078227
Allow OPTIONS requests when READ_ONLY is True - Refs #69

diff --git a/README.rst b/README.rst
--- a/README.rst
+++ b/README.rst
@@ -272,9 +272,9 @@
    READ_ONLY
 
 A boolean that if set to ``True`` any requests that are not either
-``GET`` or ``HEAD`` will result in a "Bad Request" response (status code
-405). Use this if you want to limit your impersonating users to read
-only impersonation sessions.
+``GET`` or ``HEAD`` or ``OPTIONS`` will result in a "Bad Request"
+response (status code 405). Use this if you want to limit your
+impersonating users to read only impersonation sessions.
 
 Value should be a boolean, defaults to ``False``
 
diff --git a/impersonate/admin.py b/impersonate/admin.py
--- a/impersonate/admin.py
+++ b/impersonate/admin.py
@@ -176,7 +176,7 @@
     # `return False` hides impersonates module in admin page
     def has_change_permission(self, request, obj=None):
         if settings.ADMIN_READ_ONLY:
-            return request.method in ['GET', 'HEAD']
+            return request.method in ['GET', 'HEAD', 'OPTIONS']
         return True
 
 
diff --git a/impersonate/middleware.py b/impersonate/middleware.py
--- a/impersonate/middleware.py
+++ b/impersonate/middleware.py
@@ -50,8 +50,8 @@
             except User.DoesNotExist:
                 return
 
-            if settings.READ_ONLY and request.method not in ['GET', 'HEAD']:
-                return HttpResponseNotAllowed(['GET', 'HEAD'])
+            if settings.READ_ONLY and request.method not in ['GET', 'HEAD', 'OPTIONS']:
+                return HttpResponseNotAllowed(['GET', 'HEAD', 'OPTIONS'])
 
             if check_allow_for_user(request, new_user) and check_allow_for_uri(
                 request.path
diff --git a/impersonate/tests.py b/impersonate/tests.py
--- a/impersonate/tests.py
+++ b/impersonate/tests.py
@@ -828,6 +828,8 @@
         self.assertTrue(model_admin.has_change_permission(request))
         request.method = 'HEAD'
         self.assertTrue(model_admin.has_change_permission(request))
+        request.method = 'OPTIONS'
+        self.assertTrue(model_admin.has_change_permission(request))
         request.method = 'POST'
         self.assertFalse(model_admin.has_change_permission(request))
 
@@ -842,5 +844,11 @@
     @override_settings(IMPERSONATE={'READ_ONLY': True})
     def test_impersonate_read_only(self):
         self._impersonate_helper('user1', 'foobar', 4)
-        resp = self.client.post('/not/real/url/')
+        resp = self.client.post(reverse('impersonate-test'))
         self.assertEqual(resp.status_code, 405)
+        resp = self.client.get(reverse('impersonate-test'))
+        self.assertEqual(resp.status_code, 200)
+        resp = self.client.head(reverse('impersonate-test'))
+        self.assertEqual(resp.status_code, 200)
+        resp = self.client.options(reverse('impersonate-test'))
+        self.assertEqual(resp.status_code, 200)