DjangoModelPermissions should perform auth check before accessing the view's queryset by rpkilby · Pull Request #5376 · encode/django-rest-framework
The below will replicate the old behavior where MethodNotAllowed preceded the authentication check:

```python
from rest_framework import exceptions, permissions


class DjangoModelPermissions(permissions.DjangoModelPermissions):
    def has_permission(self, request, view):
        # Reject unsupported methods with a 405 before the authentication check runs.
        if request.method not in self.perms_map:
            raise exceptions.MethodNotAllowed(request.method)
        return super().has_permission(request, view)
```

This is an updated version of #5367 that includes a regression test.
Note:
This does slightly change the behavior for when the request has no authentication. Previously, if a user made an unauthenticated request, they would receive a 405. With the PR, users would receive the 401 first, then 405 once authenticated.
I'd argue that the change is more correct, given the general ordering of authentication, authorization, then method allowed checks. Either way, the old behavior can be replicated by moving the 405 check out of get_required_permissions() and into has_permission() before the request.user check.
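
The ordering change described in the note, modelled so it runs without Django or DRF installed (an added example, not code from the pull request or from django-rest-framework). The User and View classes, the three-entry PERMS_MAP, the permission names, and the mapping of a denied anonymous request to 401 are assumptions made for the illustration.

```python
class MethodNotAllowed(Exception):
    """Stand-in for rest_framework.exceptions.MethodNotAllowed (HTTP 405)."""

# Constructed subset of a perms_map; TRACE is deliberately absent.
PERMS_MAP = {"GET": [], "POST": ["app.add_item"], "DELETE": ["app.delete_item"]}

class User:  # hypothetical minimal user object
    def __init__(self, is_authenticated, perms=()):
        self.is_authenticated = is_authenticated
        self.perms = set(perms)
    def has_perms(self, perms):
        return self.perms.issuperset(perms)

class View:  # hypothetical view that counts queryset accesses
    def __init__(self):
        self.queryset_calls = 0
    def get_queryset(self):
        self.queryset_calls += 1
        return "queryset"

def get_required_permissions(method):
    if method not in PERMS_MAP:
        raise MethodNotAllowed(method)
    return PERMS_MAP[method]

def old_order(method, user, view):
    view.get_queryset()                      # queryset touched before any auth check
    perms = get_required_permissions(method) # 405 can fire for anonymous callers
    return user.is_authenticated and user.has_perms(perms)

def new_order(method, user, view):
    if not user.is_authenticated:            # authentication is checked first
        return False
    view.get_queryset()
    return user.has_perms(get_required_permissions(method))

def outcome(check, method, user):
    """Return (HTTP status, number of queryset accesses) for one request."""
    view = View()
    try:
        allowed = check(method, user, view)
    except MethodNotAllowed:
        return 405, view.queryset_calls
    status = 200 if allowed else (403 if user.is_authenticated else 401)
    return status, view.queryset_calls

ANON = User(False)
EDITOR = User(True, ["app.add_item"])
```

`outcome(old_order, "TRACE", ANON)` and `outcome(new_order, "TRACE", ANON)` show the behavior change: the first reveals the 405 and touches the queryset, the second stops at 401 with no queryset access.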