Rejecting anonymous in DjangoModelPermissions before the get_queryset call by theoden-dd · Pull Request #5367 · encode/django-rest-framework (original) (raw)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, yes. It was a surprise for me, too.

These tests became broken, since they used anonymous users (accidentally, I think) and started to retrieve "403 forbidden" instead of "405 not allowed". That's connected with the priority of permission checks, which is higher than most of other checks.

So, all I did - just changed users to authenticated ones in these tests.