Good question! the answer lies in dispatch <https://github.com/encode/django-rest-framework/blob/master/rest_framework/views.py#L481-L508> ,
try: self.initial(request, *args, **kwargs) # Get the appropriate handler method if request.method.lower() in self.http_method_names: handler = getattr(self, request.method.lower(), self.http_method_not_allowed) else: handler = self.http_method_not_allowed which checks permissions and auth <https://github.com/encode/django-rest-framework/blob/master/rest_framework/views.py#L409-L411> So, due to this, the permission check occurs before the request method handler is resolved -- You received this message because you are subscribed to the Google Groups "Django REST framework" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-rest-framework+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-rest-framework/7c15c795-bfcb-4194-95a8-cd384a6563d9%40googlegroups.com.