
DjangoModelPermissions shows API root for unauthenticated users #8425

Closed
@mschoettle

Description


I noticed that when using permissions.IsAuthenticated, the APIRootView returns a 403. However, when using DjangoModelPermissions this is not the case. It does show the root with all available endpoints.

DjangoModelPermissions.has_permission(...) does have a check to ensure the user is authenticated in the code (introduced in #5376) but it happens after the special case handling is done for APIRootView (introduced in #2905).

```python
def has_permission(self, request, view):
    # Workaround to ensure DjangoModelPermissions are not applied
    # to the root view when using DefaultRouter.
    if getattr(view, '_ignore_model_permissions', False):
        return True
    if not request.user or (
            not request.user.is_authenticated and self.authenticated_users_only):
        return False
```

The authentication check should come first followed by the special case for APIRootView to be consistent with other permission classes.

I would be happy to provide a PR to address this.
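An added stand-alone model of the ordering problem described in this issue; it is not DRF's own code. `User`, `Request`, `RootView`, `ModelView` and the permission string are minimal constructed stand-ins, and the two functions differ only in the order of the authentication check and the root-view shortcut.

```python
# Added illustration of the check ordering reported above; a stand-alone model
# of DjangoModelPermissions.has_permission, not DRF's own code.
# User, Request, RootView and ModelView are minimal stand-ins (assumptions).
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    is_authenticated: bool
    perms: frozenset = frozenset()


@dataclass
class Request:
    user: Optional[User]


class RootView:
    # DefaultRouter marks the APIRootView so that model permissions,
    # which need a queryset, are skipped for it.
    _ignore_model_permissions = True
    required_perms = frozenset()


class ModelView:
    _ignore_model_permissions = False
    required_perms = frozenset({'app.view_thing'})  # constructed value


def _is_anonymous(request, authenticated_users_only=True):
    return not request.user or (
        not request.user.is_authenticated and authenticated_users_only)


def buggy_has_permission(request, view):
    """Order as reported: the root-view shortcut runs before the auth check."""
    if getattr(view, '_ignore_model_permissions', False):
        return True  # an anonymous caller reaches the API root here
    if _is_anonymous(request):
        return False
    return view.required_perms <= request.user.perms


def fixed_has_permission(request, view):
    """Proposed order: reject unauthenticated users first, then shortcut."""
    if _is_anonymous(request):
        return False
    if getattr(view, '_ignore_model_permissions', False):
        return True
    return view.required_perms <= request.user.perms


# Constructed sample requests: one anonymous, one logged-in member with the perm.
ANONYMOUS = Request(user=User(is_authenticated=False))
MEMBER = Request(user=User(True, frozenset({'app.view_thing'})))
```

With the reported order an anonymous request to the root view is allowed; with the reordered checks it is rejected while authenticated users keep the same results on both views.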
