ViewSet called on detail delete handler on an action matched url with no delete allowed

[mozartilize]

Not sure if this is reported before

# views.py
from rest_framework.viewsets import ViewSet
from rest_framework.decorators import action
from django.http import HttpResponse


class Example(ViewSet):
    queryset = None

    def retrieve(self, request, pk):
        return HttpResponse(b"retrieve")

    def delete(self, request, pk):
        return HttpResponse(b"delete")

    @action(detail=True, methods=["post"])
    def custom(self, request, pk):
        return HttpResponse(b"custom")

# urls.py
from rest_framework import routers

from main.views import Example

router = routers.SimpleRouter(trailing_slash=False)
router.register(r'example', Example, basename="example")
urlpatterns = router.urls

$ curl -v -XDELETE localhost:5000/example/1/custom
*   Trying 127.0.0.1:5000...
* Connected to localhost (127.0.0.1) port 5000 (#0)
> DELETE /example/1/custom HTTP/1.1
> Host: localhost:5000
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Fri, 20 Oct 2023 10:38:20 GMT
< Server: WSGIServer/0.2 CPython/3.10.12
< Content-Type: text/html; charset=utf-8
< Vary: Accept
< Allow: GET, DELETE, HEAD, OPTIONS
< Content-Length: 6
< X-Content-Type-Options: nosniff
< Referrer-Policy: same-origin
< Cross-Origin-Opener-Policy: same-origin
<
* Connection #0 to host localhost left intact
delete%

Expected 405 method not allowed

[mozartilize]

I could send a PR if you interest in this fix

--- views.py
+++ views.patch.py
@@ -479,6 +479,23 @@
             request.force_plaintext_errors(use_plaintext_traceback)
         raise exc

+    def get_action_handler_name(self, request):
+        # exit early if `detail` has not been provided
+        if self.detail is None:
+            return None
+
+        # filter for the relevant extra actions
+        actions = [
+            action for action in self.get_extra_actions()
+            if action.detail == self.detail
+        ]
+
+        for action in actions:
+            url_name = '%s-%s' % (self.basename, action.url_name)
+            if url_name == request.resolver_match.url_name and request.method.lower() in action.mapping:
+                return action.mapping[request.method.lower()]
+        return None
+
     # Note: Views are made CSRF exempt from within `as_view` as to prevent
     # accidental removal of this exemption in cases where `dispatch` needs to
     # be overridden.
@@ -497,7 +514,11 @@
             self.initial(request, *args, **kwargs)

             # Get the appropriate handler method
-            if request.method.lower() in self.http_method_names:
+            # action
+            if "name" in request.resolver_match.func.initkwargs:
+                action_name = self.get_action_handler_name(request)
+                handler = getattr(self, action_name) if action_name else self.http_method_not_allowed
+            elif request.method.lower() in self.http_method_names:
                 handler = getattr(self, request.method.lower(),
                                   self.http_method_not_allowed)
             else:

[kevin-brown]

This has to do with your use of the delete method which is the one defined by Django for views. DRF expects you to use the destroy method for DELETE calls made to the details endpoint.

[mozartilize]

@kevin-brown but I think it's still an issue when requested url is example/1/custom, not the detail only example/1

[kevin-brown]

Are you saying the destroy method (if defined instead of delete on your viewset) is being triggered upon a DELETE to a custom detail endpoint?

Right now if you keep it as the delete method (which is not supported by DRF, that's not an expected ViewSet method) then that method will always be triggered for any DELETE requests on your ViewSet. That's actually why it's not supported or documented, since the expectation is that the destroy method will be defined instead.

[mozartilize]

Thank for your explanation.