2

Whenever the browser sends an OPTIONS request, Django REST registers that as a PUT request.

I was writing my permission code when I noticed it. I use the default request parameter that is passed into `has_object_permission(self, request, view, obj)`.

Using `request.method` will return the correct request method for every request except for OPTIONS. However, when I use `request.method` in my `get_permission(self, request, view)` function in a different part of the project, the correct response is returned. Could there be something wrong with the `has_object_permission()` function?

Currently I just check if the request is PUT, as I believe PUT requests are not used by Django anyway. But it would be nice if I could use the actual name instead.

My Django REST version is 3.9.0

1 Answer

0

OPTIONS requests are often used for what are called "pre-flight" requests in Cross-origin resource sharing (CORS). This is not anything wrong with `has_object_permission()`, it's just that these pre-flight requests are probably not intended to be handled by your view. There is a more detailed answer in this SO post: https://stackoverflow.com/a/29954326/784648

A. J. Parr
  • I understand what OPTIONS is, and I already have middleware that handles CORS. However Django still handles them and returns some data about that endpoint. It's not bad, but what's annoying is that OPTIONS triggers the `has_object_permission()` method, in which I check authentication. Is there a way to prevent GenericAPIView from checking object permissions if the request is OPTIONS? – Aivaras Kriksciunas Feb 18 '19 at 09:30
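
An added example, not from the thread and not DRF source code: a standard-library model of how DRF's default OPTIONS metadata handling re-runs the view's checks on a copy of the request whose method is set to PUT, which is why `has_object_permission()` sees `PUT` during an OPTIONS request. `Request`, `OwnerOnly` and `DetailView` are hypothetical stand-ins for the real DRF classes.

```python
# Simplified stand-in for the OPTIONS metadata probe (constructed; not DRF source).
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    method: str
    authenticated: bool = False

class OwnerOnly:
    """Permission class that records each request.method it is asked about."""
    def __init__(self):
        self.seen = []

    def has_object_permission(self, request, view, obj):
        self.seen.append(request.method)
        return request.authenticated

class DetailView:
    allowed_methods = ("GET", "PUT", "OPTIONS")

    def __init__(self, permission):
        self.permission = permission

    def get_object(self):
        obj = object()
        if not self.permission.has_object_permission(self.request, self, obj):
            raise PermissionError("object permission denied")
        return obj

    def put(self, request):
        self.request = request
        self.get_object()  # a real PUT reaches the same object check
        return {"status": 200}

    def options(self, request):
        actions = {}
        for method in sorted({"PUT", "POST"} & set(self.allowed_methods)):
            self.request = replace(request, method=method)  # clone, method swapped
            try:
                if method == "PUT":
                    self.get_object()  # the check sees "PUT", not "OPTIONS"
            except PermissionError:
                continue  # denied probe: action omitted, response is still 200
            actions[method] = "writable field schema"
        self.request = request
        return {"status": 200, "actions": actions}
```

In this model a denied probe only removes the `PUT` entry from the OPTIONS response, and the permission class cannot tell a probe from a real PUT by `request.method`, so the object check should apply the same authentication rule to both.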