Hi,

This is too abstract without a test case to demonstrate the issue.
It seems to me that your issue may happen if a permission doesn't inherit BasePermission in which case they can not be composed.

@xordoquy I explained the case in the description but here is an explicit test case:

from django.contrib.auth.models import User
from django.test.client import RequestFactory
from mock import MagicMock
from rest_framework.permissions import AllowAny, IsAuthenticated

user = User.objects.create_user(username='tester', email='test@test.com', password='top_secret')
rf = RequestFactory()
request = rf.get('/')
request.user = MagicMock()

ret = AllowAny().has_permission(request, None) & IsAuthenticated().has_permission(request, None)

The last line raises:
TypeError: unsupported operand type(s) for &: 'bool' and 'instance'

The reason this occurs is explained in my original description.

Updated test cases to reflect the change in django. Is there a way to use a real django user object instead of FakeUser? I believe that wouldve caught this case.

@markddavidoff if fact, you don't want a user if you want the test to fail.
I first ran your test with:

request.user = user

and it wouldn't fail until I correct that part with:

request.user = None

in which case it would now fail.
I'm not sure what's that story about CallableBool is.

@xordoquy what version of django are you using when you run the test. CallableBool is in Django versions: Django 1.10.0-Django 2.1.2.

I don't understand your last comment at all. The issue is with is_authenticated returning an object not a bool. Steps for you to repro this:

• Install Django 1.11.16
• change FakeUser in test_permissions to return CallableBool as I have or user a real User object.
• run the tests or the snippet I provided above.

@xordoquy I have added this pr: #6287 to show you the issue, with just the test change. look at the output to the django 1.11 output

Django source code where CallableBool is returned

OK, I get it.
CallableBool is only available for Django 1.11 as it's on the path of the is_authenticated migration from a function to a property.
The Django 2.0 release notes state:

Using User.is_authenticated() and User.is_anonymous() as methods rather than properties is no longer supported.

This being said, you demonstrated an issue when there's no user to a request (whatever reason there might be). So I'll be willing to fix it though not spending too much time on the CallableBool as the next minor will drop support for Django 1.11 anyway.

Sure thing, but you'll need to find a workaround for the test to pass for Django 2.0+
I'll check tonight how that can be solved.

Fixed test

@xordoquy updated test

Thanks for the PR, nice work.