permission_classes = [IsAuthenticated] raises a 403 and not 401 #8958

golthmike · 2023-04-25T15:08:17Z

golthmike
Apr 25, 2023

Somehow using the permission class IsAuthenticated raises HTTP_403_FORBIDDEN and not HTTP_401_UNAUTHORIZED when users are not authenticated.

I believe the problem lies in the APIView's permission_denied method (code below).

Is this a bug or am I missing something?

def permission_denied(self, request, message=None, code=None):
    """
    If request is not permitted, determine what kind of exception to raise.
    """
    if request.authenticators and not request.successful_authenticator:
        raise exceptions.NotAuthenticated()
    raise exceptions.PermissionDenied(detail=message, code=code)

realsuayip · 2023-04-29T19:23:36Z

realsuayip
Apr 29, 2023

I think the behavior is dependent on the authentication class; which one are you using?

1 reply

golthmike May 3, 2023
Author

Oh great. Thanks for pointing that out!

I never set anything explicitly and couldn't find what is used by default. Do you happen to know that?

But SessionAuthentication raises a 403 by default so I guess that is what is used.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

permission_classes = [IsAuthenticated] raises a 403 and not 401 #8958

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

permission_classes = [IsAuthenticated] raises a 403 and not 401 #8958

Uh oh!

golthmike Apr 25, 2023

Replies: 1 comment · 1 reply

Uh oh!

realsuayip Apr 29, 2023

Uh oh!

golthmike May 3, 2023 Author

golthmike
Apr 25, 2023

Replies: 1 comment 1 reply

realsuayip
Apr 29, 2023

golthmike May 3, 2023
Author