From d4b8d35206f9429d501cc4c4e89704284397c5cd Mon Sep 17 00:00:00 2001
From: Pierre-antoine Comby <comby@crans.org>
Date: Tue, 24 Mar 2020 20:16:56 +0100
Subject: [PATCH] check permission with PermissionBackend.

taking connection permission mask into account.
---
 apps/permission/backends.py    | 1 +
 apps/permission/permissions.py | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/apps/permission/backends.py b/apps/permission/backends.py
index e61b0719..62b0c09f 100644
--- a/apps/permission/backends.py
+++ b/apps/permission/backends.py
@@ -89,6 +89,7 @@ class PermissionBackend(ModelBackend):
             query = query | perm.query
         return query
 
+    @staticmethod
     def has_perm(self, user_obj, perm, obj=None):
         if user_obj is None or isinstance(user_obj, AnonymousUser):
             return False
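Review bot: The added `@staticmethod` leaves `self` in the signature of `has_perm`, so every positional argument shifts by one: with the call `PermissionBackend.has_perm(user, perm, obj)` in apps/permission/permissions.py, the user binds to `self`, the permission string to `user_obj`, and the object to `perm`. The `user_obj is None or isinstance(user_obj, AnonymousUser)` guard then inspects the permission string and can never reject an anonymous user. Django's own backend dispatch calls `has_perm` on a backend instance and hits the same misalignment. Either drop the parameter, `def has_perm(user_obj, perm, obj=None):`, or drop the decorator and call the method on an instance. The rest of the body lies outside the hunk, so check whether it uses `self` before choosing.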
diff --git a/apps/permission/permissions.py b/apps/permission/permissions.py
index d9816a63..9fb36f35 100644
--- a/apps/permission/permissions.py
+++ b/apps/permission/permissions.py
@@ -41,8 +41,8 @@ class StrongDjangoObjectPermissions(DjangoObjectPermissions):
         user = request.user
 
         perms = self.get_required_object_permissions(request.method, model_cls)
-
-        if not user.has_perms(perms, obj):
+        # if not user.has_perms(perms, obj):
+        if not all(PermissionBackend.has_perm(user, perm, obj) for perm in perms):
             # If the user does not have permissions we need to determine if
             # they have read permissions to see 403, or not, and simply see
             # a 404 response.
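Review bot: Calling the backend directly instead of `user.has_perms(perms, obj)` skips Django's dispatch through `AUTHENTICATION_BACKENDS`, so the active-superuser shortcut and any other configured backend no longer take part in this object-permission check. If that is intended, a comment should say so, e.g. `# Ask PermissionBackend directly so the connection permission mask is applied`. The commented-out `# if not user.has_perms(perms, obj):` line should be deleted rather than kept as dead code. No import of `PermissionBackend` is added in this file's hunk, so confirm that apps/permission/permissions.py already imports it. The method body starts and ends outside the hunk.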
-- 
GitLab