From 3a9e4b29b3586531969c7e2677e72fde5f261983 Mon Sep 17 00:00:00 2001
From: Jon
Date: Mon, 29 Jul 2024 17:02:52 +0930
Subject: [PATCH] fix(api): confirm HTTP method is allowed before permission check return HTTP/405 for logged in user ONLY!! !44 #159
---
 app/api/views/mixin.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/app/api/views/mixin.py b/app/api/views/mixin.py
index 5f205db4..e2d77bc8 100644
--- a/app/api/views/mixin.py
+++ b/app/api/views/mixin.py
@@ -1,6 +1,7 @@
 from django.core.exceptions import PermissionDenied
 from django.forms import ValidationError
+from rest_framework import exceptions
 from rest_framework.permissions import DjangoObjectPermissions
 from access.mixin import OrganizationMixin
@@ -28,12 +29,16 @@ def permission_check(self, request, view, obj=None) -> bool:
 self.request = request
+ method = self.request._request.method.lower()
+
+ if method.upper() not in view.allowed_methods:
+
+ view.http_method_not_allowed(request._request)
+
 if hasattr(view, 'queryset'):
 if view.queryset.model._meta:
 self.obj = view.queryset.model
- method = self.request._request.method.lower()
-
 object_organization = None
 if method == 'get':
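Review bot: The new guard in `permission_check` discards the result of `view.http_method_not_allowed(request._request)`, so the permission logic is skipped for a disallowed method only if that call raises. The `exceptions` import added in the first hunk is unused in the visible lines, which suggests the intended form was an explicit `raise exceptions.MethodNotAllowed(request._request.method)`; that fails closed regardless of the view class. The commit subject says the 405 is for logged-in users only, but the added lines test nothing about authentication. Unless an earlier check outside this hunk rejects anonymous requests, an unauthenticated client would get 405 instead of 401/403 and could learn which methods a view supports; consider gating on `request.user.is_authenticated` or adding a comment naming where that is enforced. The body of `permission_check` starts and continues outside the hunk.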