Handle an edge case in the HTML rendering for ListCorpusMLClasses

Erwan Rouchet requested to merge handle-mlclass-list-html into master

Closes #1351 (closed)

When a logged-in user with guest access on a corpus tried to open /api/v1/corpus/<id>/classes/ in a web browser, they got an HTTP 500 because of a PermissionDenied exception that occurred beyond DRF's normal API error handling. This was due to the HTML renderer's weird way to get an HTML form from an API endpoint: it duplicates the real HTTP request, but changes its method from GET to POST. This caused our permission checks to get tighter, requiring contributor access, and caused the PermissionDenied.

This MR forces the permission checks to occur before the renderer kicks into action and caches them so they don't run again when the fake HTTP requests are made. There wasn't an easy way to just tell the renderer to not render the form, or to skip the get_serializer_context, or to make the check elsewhere.
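The failure and the fix described above, as an added example that is not part of this merge request or the project's code. It is a plain-Python model with no DRF import; the class names, function names and access-level values are assumptions made for illustration.

```python
# Simplified model of the behaviour described above; all names are hypothetical.
from dataclasses import dataclass, replace

GUEST, CONTRIBUTOR = 10, 50  # constructed access levels

class PermissionDenied(Exception):
    pass

@dataclass(frozen=True)
class Request:
    method: str
    user_level: int

class ClassesView:
    """Reads need guest access, writes need contributor access."""
    def __init__(self, cache_check):
        self.cache_check = cache_check
        self._allowed = False  # per view instance, so it lives for one request only

    def get_serializer_context(self, request):
        if not (self.cache_check and self._allowed):
            required = GUEST if request.method == "GET" else CONTRIBUTOR
            if request.user_level < required:
                raise PermissionDenied(f"{request.method} needs level {required}")
            self._allowed = True
        return {"request": request}

def render_html_form(view, request):
    """The renderer copies the real request, switching the method to POST."""
    fake = replace(request, method="POST")
    view.get_serializer_context(fake)
    return "<form>...</form>"

def handle(view, request):
    """Return the HTTP status the browser receives."""
    try:
        view.get_serializer_context(request)  # inside the API error handling
    except PermissionDenied:
        return 403
    try:
        render_html_form(view, request)  # outside it: an exception here is a 500
    except PermissionDenied:
        return 500
    return 200

if __name__ == "__main__":
    guest_get = Request("GET", GUEST)
    print("before:", handle(ClassesView(cache_check=False), guest_get))
    print("after:", handle(ClassesView(cache_check=True), guest_get))
    print("real POST:", handle(ClassesView(cache_check=True), Request("POST", GUEST)))
```

The cached result is only safe because it is scoped to a single request: a real POST from a guest never populates the cache and is still rejected.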
