No auth view failing permission should raise 403

johnraz · tomchristie · commit 78e4ea0d6e88 · 2016-04-07T16:24:26.000+01:00
A view with no `authentication_classes` set and that fails a

permission check should raise a 403 with the message from the

failing permission.
diff --git a/rest_framework/views.py b/rest_framework/views.py
@@ -162,7 +162,7 @@ def permission_denied(self, request, message=None):
         """
         If request is not permitted, determine what kind of exception to raise.
         """
-        if not request.successful_authenticator:
+        if request.authenticators and not request.successful_authenticator:
             raise exceptions.NotAuthenticated()
         raise exceptions.PermissionDenied(detail=message)
 
diff --git a/tests/test_authentication.py b/tests/test_authentication.py
@@ -321,3 +321,28 @@ def test_failing_auth_accessed_in_renderer(self):
         response = self.view(request)
         content = response.render().content
         self.assertEqual(content, b'not authenticated')
+
+
+class NoAuthenticationClassesTests(TestCase):
+    def test_permission_message_with_no_authentication_classes(self):
+        """
+        An unauthenticated request made against a view that containes no
+        `authentication_classes` but do contain `permissions_classes` the error
+        code returned should be 403 with the exception's message.
+        """
+
+        class DummyPermission(permissions.BasePermission):
+            message = 'Dummy permission message'
+
+            def has_permission(self, request, view):
+                return False
+
+        request = factory.get('/')
+        view = MockView.as_view(
+            authentication_classes=(),
+            permission_classes=(DummyPermission,),
+        )
+        response = view(request)
+        self.assertEqual(response.status_code,
+                         status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.data, {'detail': 'Dummy permission message'})
