merge

api/permissions.py

@@ -63,7 +63,7 @@ def _get_param_in_view(view, param_name):
         "cannot apply {} on a view that does not set "
         "`.{}` or have a `.get_{}()` method."
     ).format(
-        self.__class__.__name__, param_name, param_name
+        view.__class__.__name__, param_name, param_name
     )
 
     if hasattr(view, "get_" + param_name):
@@ -213,7 +213,7 @@ class AutodetectACLPermission(permissions.BasePermission):
 
         return [perm(obj) for perm in self.perms_obj_map[method]]
 
-    @staticmethod
+    @ staticmethod
     def _queryset(view):
         return _get_param_in_view(view, "queryset")
 
@@ -240,9 +240,7 @@ class AutodetectACLPermission(permissions.BasePermission):
         if getattr(view, "_ignore_model_permissions", False):
             return True
 
-        # Bypass permission verifications if it is a functional view
+        if not getattr(view, "queryset", None):
-        # (permissions are handled by ACL)
-        if not hasattr(view, "queryset") and not hasattr(view, "get_queryset"):
             return True
 
         if not request.user or not request.user.is_authenticated:
@@ -279,7 +277,8 @@ class AutodetectACLPermission(permissions.BasePermission):
             # they have read permissions to see 403, or not, and simply see
             # a 404 response.
 
-            SAFE_METHODS = ("GET", "OPTIONS", "HEAD", "POST", "PUT", "PATCH", "DELETE")
+            SAFE_METHODS = ("GET", "OPTIONS", "HEAD",
+                            "POST", "PUT", "PATCH", "DELETE")
 
             if request.method in SAFE_METHODS:
                 # Read permissions already checked and failed, no need