Modify permission operands to use custom messages

rest_framework/exceptions.py

@@ -106,6 +106,17 @@ class APIException(Exception):
     default_code = 'error'
 
     def __init__(self, detail=None, code=None):
+        if (
+            isinstance(detail, tuple)
+            and isinstance(code, tuple)
+            and len(detail) == len(code)
+        ):
+            self.detail = [
+                _get_error_details(d or self.default_detail, c or self.default_code)
+                for d, c in zip(detail, code)
+            ]
+            return
+
         if detail is None:
             detail = self.default_detail
         if code is None:

rest_framework/permissions.py

@@ -58,48 +58,75 @@ def __hash__(self):
         return hash((self.operator_class, self.op1_class, self.op2_class))
 
 
-class AND:
-    def __init__(self, op1, op2):
-        self.op1 = op1
-        self.op2 = op2
+class OperatorBase:
+    def __init__(self, *permissions):
+        self._permissions = permissions
+
+
+class AND(OperatorBase):
 
     def has_permission(self, request, view):
-        return (
-            self.op1.has_permission(request, view) and
-            self.op2.has_permission(request, view)
-        )
+        for perm in self._permissions:
+            if not perm.has_permission(request, view):
+                self._set_message_and_code(perm)
+                return False
+        return True
 
     def has_object_permission(self, request, view, obj):
-        return (
-            self.op1.has_object_permission(request, view, obj) and
-            self.op2.has_object_permission(request, view, obj)
-        )
+        for perm in self._permissions:
+            if not perm.has_object_permission(request, view, obj):
+                self._set_message_and_code(perm)
+                return False
+        return True
 
+    def _set_message_and_code(self, perm):
+        self.message = getattr(perm, 'message', None)
+        self.code = getattr(perm, 'code', None)
 
-class OR:
-    def __init__(self, op1, op2):
-        self.op1 = op1
-        self.op2 = op2
+
+class OR(OperatorBase):
 
     def has_permission(self, request, view):
-        return (
-            self.op1.has_permission(request, view) or
-            self.op2.has_permission(request, view)
-        )
+        collector = ResultCollector()
+        for perm in self._permissions:
+            if perm.has_permission(request, view):
+                return True
+            else:
+                collector.add_message_and_code(perm)
+        collector.finalize(self)
+        return False
 
     def has_object_permission(self, request, view, obj):
-        return (
-            self.op1.has_permission(request, view)
-            and self.op1.has_object_permission(request, view, obj)
-        ) or (
-            self.op2.has_permission(request, view)
-            and self.op2.has_object_permission(request, view, obj)
-        )
+        collector = ResultCollector()
+        for perm in self._permissions:
+            if perm.has_permission(request, view) and perm.has_object_permission(request, view, obj):
+                return True
+            else:
+                collector.add_message_and_code(perm)
+        collector.finalize(self)
+        return False
+
+
+class ResultCollector:
+    def __init__(self):
+        self.messages = ()
+        self.codes = ()
+
+    def add_message_and_code(self, perm):
+        message = getattr(perm, 'message', None)
+        code = getattr(perm, 'code', None)
+        self.messages += (message,)
+        self.codes += (code,)
+
+    def finalize(self, perm):
+        perm.message = self.messages
+        perm.code = self.codes
 
 
 class NOT:
     def __init__(self, op1):
         self.op1 = op1
+        self.message = getattr(self.op1, 'message_inverted', None)
 
     def has_permission(self, request, view):
         return not self.op1.has_permission(request, view)

tests/test_permissions.py

@@ -12,12 +12,18 @@
     HTTP_HEADER_ENCODING, authentication, generics, permissions, serializers,
     status, views
 )
+from rest_framework.exceptions import ErrorDetail
 from rest_framework.routers import DefaultRouter
 from rest_framework.test import APIRequestFactory
 from tests.models import BasicModel
 
 factory = APIRequestFactory()
 
+DEFAULT_MESSAGE = ErrorDetail('You do not have permission to perform this action.', 'permission_denied')
+CUSTOM_MESSAGE_1 = ErrorDetail('Custom: You cannot access this resource', 'permission_denied_custom')
+CUSTOM_MESSAGE_2 = ErrorDetail('Custom: You do not have permission to view this resource', 'permission_denied_custom')
+INVERTED_MESSAGE = 'Inverted: Your account already active'
+
 
 class BasicSerializer(serializers.ModelSerializer):
     class Meta:
@@ -454,26 +460,42 @@ def has_permission(self, request, view):
 
 
 class BasicPermWithDetail(permissions.BasePermission):
-    message = 'Custom: You cannot access this resource'
+    message = CUSTOM_MESSAGE_1
+    message_inverted = INVERTED_MESSAGE
     code = 'permission_denied_custom'
 
     def has_permission(self, request, view):
         return False
 
 
+class AnotherBasicPermWithDetail(permissions.BasePermission):
+    message = CUSTOM_MESSAGE_2
+
+    def has_permission(self, request, view):
+        return False
+
+
 class BasicObjectPerm(permissions.BasePermission):
     def has_object_permission(self, request, view, obj):
         return False
 
 
 class BasicObjectPermWithDetail(permissions.BasePermission):
-    message = 'Custom: You cannot access this resource'
+    message = CUSTOM_MESSAGE_1
+    message_inverted = INVERTED_MESSAGE
     code = 'permission_denied_custom'
 
     def has_object_permission(self, request, view, obj):
         return False
 
 
+class AnotherBasicObjectPermWithDetail(permissions.BasePermission):
+    message = CUSTOM_MESSAGE_2
+
+    def has_object_permission(self, request, view, obj):
+        return False
+
+
 class PermissionInstanceView(generics.RetrieveUpdateDestroyAPIView):
     queryset = BasicModel.objects.all()
     serializer_class = BasicSerializer
@@ -487,6 +509,22 @@ class DeniedViewWithDetail(PermissionInstanceView):
     permission_classes = (BasicPermWithDetail,)
 
 
+class DeniedViewWithDetailAND1(PermissionInstanceView):
+    permission_classes = (BasicPermWithDetail & permissions.AllowAny,)
+
+
+class DeniedViewWithDetailAND2(PermissionInstanceView):
+    permission_classes = (permissions.AllowAny & AnotherBasicPermWithDetail,)
+
+
+class DeniedViewWithDetailAND3(PermissionInstanceView):
+    permission_classes = (BasicPermWithDetail & AnotherBasicPermWithDetail,)
+
+
+class DeniedViewWithDetailNOT(PermissionInstanceView):
+    permission_classes = (~BasicPermWithDetail,)
+
+
 class DeniedObjectView(PermissionInstanceView):
     permission_classes = (BasicObjectPerm,)
 
@@ -495,51 +533,177 @@ class DeniedObjectViewWithDetail(PermissionInstanceView):
     permission_classes = (BasicObjectPermWithDetail,)
 
 
+class DeniedObjectViewWithDetailAND1(PermissionInstanceView):
+    permission_classes = (BasicObjectPermWithDetail & permissions.AllowAny,)
+
+
+class DeniedObjectViewWithDetailAND2(PermissionInstanceView):
+    permission_classes = (permissions.AllowAny & AnotherBasicObjectPermWithDetail,)
+
+
+class DeniedObjectViewWithDetailAND3(PermissionInstanceView):
+    permission_classes = (AnotherBasicObjectPermWithDetail & BasicObjectPermWithDetail,)
+
+
+class DeniedObjectViewWithDetailNOT(PermissionInstanceView):
+    permission_classes = (~BasicObjectPermWithDetail,)
+
+
 denied_view = DeniedView.as_view()
 
 denied_view_with_detail = DeniedViewWithDetail.as_view()
 
+denied_view_with_detail_and_1 = DeniedViewWithDetailAND1.as_view()
+denied_view_with_detail_and_2 = DeniedViewWithDetailAND2.as_view()
+denied_view_with_detail_and_3 = DeniedViewWithDetailAND3.as_view()
+
+denied_view_with_detail_not = DeniedObjectViewWithDetailNOT.as_view()
+
 denied_object_view = DeniedObjectView.as_view()
 
 denied_object_view_with_detail = DeniedObjectViewWithDetail.as_view()
 
+denied_object_view_with_detail_and_1 = DeniedObjectViewWithDetailAND1.as_view()
+denied_object_view_with_detail_and_2 = DeniedObjectViewWithDetailAND2.as_view()
+denied_object_view_with_detail_and_3 = DeniedObjectViewWithDetailAND3.as_view()
+
+denied_object_view_with_detail_not = DeniedObjectViewWithDetailNOT.as_view()
+
 
 class CustomPermissionsTests(TestCase):
     def setUp(self):
         BasicModel(text='foo').save()
         User.objects.create_user('username', '[email protected]', 'password')
         credentials = basic_auth_header('username', 'password')
         self.request = factory.get('/1', format='json', HTTP_AUTHORIZATION=credentials)
-        self.custom_message = 'Custom: You cannot access this resource'
-        self.custom_code = 'permission_denied_custom'
 
     def test_permission_denied(self):
         response = denied_view(self.request, pk=1)
         detail = response.data.get('detail')
         self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
-        self.assertNotEqual(detail, self.custom_message)
-        self.assertNotEqual(detail.code, self.custom_code)
+        self.assertEqual(detail, DEFAULT_MESSAGE)
 
     def test_permission_denied_with_custom_detail(self):
         response = denied_view_with_detail(self.request, pk=1)
         detail = response.data.get('detail')
         self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
-        self.assertEqual(detail, self.custom_message)
-        self.assertEqual(detail.code, self.custom_code)
+        self.assertEqual(detail, CUSTOM_MESSAGE_1)
+
+    def test_permission_denied_with_custom_detail_and_1(self):
+        response = denied_view_with_detail_and_1(self.request, pk=1)
+        detail = response.data.get('detail')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(detail, CUSTOM_MESSAGE_1)
+
+    def test_permission_denied_with_custom_detail_and_2(self):
+        response = denied_view_with_detail_and_2(self.request, pk=1)
+        detail = response.data.get('detail')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(detail, CUSTOM_MESSAGE_2)
+
+    def test_permission_denied_with_custom_detail_and_3(self):
+        response = denied_view_with_detail_and_3(self.request, pk=1)
+        detail = response.data.get('detail')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(detail, CUSTOM_MESSAGE_1)
+
+    def test_permission_denied_with_custom_detail_or_1(self):
+        view = PermissionInstanceView.as_view(
+            permission_classes=(BasicPerm | BasicPermWithDetail,),
+        )
+        response = view(self.request, pk=1)
+        detail = response.data
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(detail, [DEFAULT_MESSAGE, CUSTOM_MESSAGE_1])
+
+    def test_permission_denied_with_custom_detail_or_2(self):
+        view = PermissionInstanceView.as_view(
+            permission_classes=(BasicPermWithDetail | BasicPerm,),
+        )
+        response = view(self.request, pk=1)
+        detail = response.data
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(detail, [CUSTOM_MESSAGE_1, DEFAULT_MESSAGE])
+
+    def test_permission_denied_with_custom_detail_or_3(self):
+        view = PermissionInstanceView.as_view(
+            permission_classes=(BasicPermWithDetail | AnotherBasicPermWithDetail,),
+        )
+        response = view(self.request, pk=1)
+        detail = response.data
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(detail, [CUSTOM_MESSAGE_1, CUSTOM_MESSAGE_2])
+
+    def test_permission_denied_with_custom_detail_not(self):
+        response = denied_view_with_detail_not(self.request, pk=1)
+        detail = response.data.get('detail')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(detail, INVERTED_MESSAGE)
 
     def test_permission_denied_for_object(self):
         response = denied_object_view(self.request, pk=1)
         detail = response.data.get('detail')
         self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
-        self.assertNotEqual(detail, self.custom_message)
-        self.assertNotEqual(detail.code, self.custom_code)
+        self.assertEqual(detail, DEFAULT_MESSAGE)
 
     def test_permission_denied_for_object_with_custom_detail(self):
         response = denied_object_view_with_detail(self.request, pk=1)
         detail = response.data.get('detail')
         self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
-        self.assertEqual(detail, self.custom_message)
-        self.assertEqual(detail.code, self.custom_code)
+        self.assertEqual(detail, CUSTOM_MESSAGE_1)
+
+    def test_permission_denied_for_object_with_custom_detail_and_1(self):
+        response = denied_object_view_with_detail_and_1(self.request, pk=1)
+        detail = response.data.get('detail')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(detail, CUSTOM_MESSAGE_1)
+
+    def test_permission_denied_for_object_with_custom_detail_and_2(self):
+        response = denied_object_view_with_detail_and_2(self.request, pk=1)
+        detail = response.data.get('detail')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(detail, CUSTOM_MESSAGE_2)
+
+    def test_permission_denied_for_object_with_custom_detail_and_3(self):
+        response = denied_object_view_with_detail_and_3(self.request, pk=1)
+        detail = response.data.get('detail')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(detail, CUSTOM_MESSAGE_2)
+
+    def test_permission_denied_for_object_with_custom_detail_or_1(self):
+        view = PermissionInstanceView.as_view(
+            permission_classes=(BasicObjectPerm | BasicObjectPermWithDetail,),
+        )
+        response = view(self.request, pk=1)
+        detail = response.data
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(detail, [DEFAULT_MESSAGE, CUSTOM_MESSAGE_1])
+
+    def test_permission_denied_for_object_with_custom_detail_or_2(self):
+        view = PermissionInstanceView.as_view(
+            permission_classes=(BasicObjectPermWithDetail | BasicObjectPerm,),
+        )
+        response = view(self.request, pk=1)
+        detail = response.data
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(detail, [CUSTOM_MESSAGE_1, DEFAULT_MESSAGE])
+
+    def test_permission_denied_for_object_with_custom_detail_or_3(self):
+        view = PermissionInstanceView.as_view(
+            permission_classes=(
+                BasicObjectPermWithDetail | AnotherBasicObjectPermWithDetail,
+            ),
+        )
+        response = view(self.request, pk=1)
+        detail = response.data
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(detail, [CUSTOM_MESSAGE_1, CUSTOM_MESSAGE_2])
+
+    def test_permission_denied_for_object_with_custom_detail_not(self):
+        response = denied_object_view_with_detail_not(self.request, pk=1)
+        detail = response.data.get('detail')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(detail, INVERTED_MESSAGE)
 
 
 class PermissionsCompositionTests(TestCase):