fix(api): confirm HTTP method is allowed before permission check

return HTTP/405 for logged in user ONLY!! !44 #159
nofusscomputing · Jul 29, 2024 · 3a9e4b2 · 3a9e4b2
1 parent 8d59462
commit 3a9e4b2
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/app/api/views/mixin.py b/app/api/views/mixin.py
@@ -1,6 +1,7 @@
 from django.core.exceptions import PermissionDenied
 from django.forms import ValidationError
 
+from rest_framework import exceptions
 from rest_framework.permissions import DjangoObjectPermissions
 
 from access.mixin import OrganizationMixin
@@ -28,12 +29,16 @@ def permission_check(self, request, view, obj=None) -> bool:
 
         self.request = request
 
+        method = self.request._request.method.lower()
+
+        if method.upper() not in view.allowed_methods:
+
+            view.http_method_not_allowed(request._request)
+
         if hasattr(view, 'queryset'):
             if view.queryset.model._meta:
                 self.obj = view.queryset.model
 
-        method = self.request._request.method.lower()
-
         object_organization = None
 
         if method == 'get':