Commit 78e4ea0d by Jonathan Liuti Committed by Tom Christie

No auth view failing permission should raise 403

A view with no `authentication_classes` set that fails a permission check should raise a 403 with the message from the failing permission.
parent 6a291967
......@@ -162,7 +162,7 @@ class APIView(View):
"""
If request is not permitted, determine what kind of exception to raise.
"""
if not request.successful_authenticator:
if request.authenticators and not request.successful_authenticator:
raise exceptions.NotAuthenticated()
raise exceptions.PermissionDenied(detail=message)
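Review bot: The new guard `if request.authenticators and not request.successful_authenticator:` widens who sees the permission's `message`, but the docstring above it still says only "determine what kind of exception to raise". On a view with no authenticators, every anonymous caller now gets `PermissionDenied(detail=message)`, so a permission class's `message` is disclosed to unauthenticated clients and should be worded for that audience. I would extend the docstring to record the rule, e.g. `Raise NotAuthenticated only when the view has authenticators and none of them succeeded; otherwise raise PermissionDenied carrying the failing permission's message.` The method's signature lies outside the hunk, so where `message` comes from is not visible here.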
......
......@@ -321,3 +321,28 @@ class FailingAuthAccessedInRenderer(TestCase):
response = self.view(request)
content = response.render().content
self.assertEqual(content, b'not authenticated')
class NoAuthenticationClassesTests(TestCase):
def test_permission_message_with_no_authentication_classes(self):
"""
An unauthenticated request made against a view that containes no
`authentication_classes` but do contain `permissions_classes` the error
code returned should be 403 with the exception's message.
"""
class DummyPermission(permissions.BasePermission):
message = 'Dummy permission message'
def has_permission(self, request, view):
return False
request = factory.get('/')
view = MockView.as_view(
authentication_classes=(),
permission_classes=(DummyPermission,),
)
response = view(request)
self.assertEqual(response.status_code,
status.HTTP_403_FORBIDDEN)
self.assertEqual(response.data, {'detail': 'Dummy permission message'})
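Review bot: The added test pins only the no-authenticators branch; nothing in this hunk asserts that a view which does declare authentication classes still answers an unauthenticated request with the not-authenticated response rather than the permission's message. If that is not already covered elsewhere in this test module, a sibling test reusing `DummyPermission` with a non-empty `authentication_classes` would guard the boundary between the two exceptions against regressions. The test docstring also has two slips: `containes` should read `contains`, and `permissions_classes` should read `permission_classes` to match the keyword passed to `as_view`.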