Checklist

• I have verified that that issue exists against the master branch of Django REST framework.
• I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
• This is not a usage question. (Those should be directed to the discussion group instead.)
• This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
• I have reduced the issue to the simplest possible case.
• I have included a failing test as a pull request. (No auth view failing permission should raise 403 #4040)

Steps to reproduce

Create a view with no authentication_classes set and a permission_classes set. Query the view in order to fail the permission check.

Expected behavior

A 403 with the permission's message should be returned.

Actual behavior

A 401 with a "Not authenticated" message is returned.

This is slightly related to #3754, the main difference being that this issue is only concerned about view with no authentication_classes and #3754 is about prioritizing permissions over authentication in views with authentication_classes.