API documentation templates do not check for user authentication · Issue #5162 · encode/django-rest-framework (original) (raw)

Skip to content

Navigation Menu

• • GitHub Copilot Write better code with AI
  • GitHub Advanced Security Find and fix vulnerabilities
  • Actions Automate any workflow
  • Codespaces Instant dev environments
  • Issues Plan and track work
  • Code Review Manage code changes
  • Discussions Collaborate outside of code
  • Code Search Find more, search less
• Explore
  • Learning Pathways
  • Events & Webinars
  • Ebooks & Whitepapers
  • Customer Stories
  • Partners
  • Executive Insights
• • GitHub Sponsors Fund open source developers
  • The ReadME Project GitHub community articles
• • Enterprise platform AI-powered developer platform
• Pricing

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sign up

Description

Checklist

• I have verified that that issue exists against the master branch of Django REST framework.
• I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
• This is not a usage question. (Those should be directed to the discussion group instead.)
• This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
• I have reduced the issue to the simplest possible case.
• I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)

Steps to reproduce

• Set up an example project based on DRF tutorial. Set DEFAULT_PERMISSION_CLASSES to rest_framework.permissions.IsAdminUser.
• Add the following to urls.py:

from rest_framework.documentation import include_docs_urls
url(r'^docs/', include_docs_urls(title='API Title', description='API description'))

• Now start your server and access localhost:8000/docs as an unauthenticated user; you get an AttributeError instead of 403.

Expected behavior

Users should not be able to access docs for restricted views and should see a 403.

Actual behavior

The template (document.html) doesn't check if user is authenticated or not (for restricted views) and tries to render a non-existing document object.