Hi everyone,


While diagnosing an API I noticed that DRF's "Permissions" framework 
returns HTTP codes inconsistent with HTTP.


DRF returns `404` (Not found) for any error
<https://github.com/encode/django-rest-framework/blob/master/rest_framework/permissions.py#L4>.

By the HTTP specification
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/404> that
indicates that the resource is not available on the server – an error
unrelated to authentication or authorization.

Django's Permissions framework manages that correctly, by returning 403
<https://docs.djangoproject.com/en/4.2/ref/views/#the-403-http-forbidden-view>.


The correct behavior would be:

- Return `401` if the user is not authenticated (IsAuthenticated() = False, i.e. AnonymousUser)
- Return `403` if the user is authenticated but lacks permission (IsAuthenticated() is True but e.g. the user requests access to an object belonging to another user)
- Return `404` in other cases. This error is actually entirely beyond the scope of Permissions.

Some thoughts around that:

1. DRF's Permissions framework is currently based on True/False results, making it impossible to distinguish between scenarios. That means you need to do away with the Permissions framework and DIY altogether if you want an API with correct HTTP error codes.
2. It's likely impossible to change those error codes by now anyway.
3. However, an option could be to introduce a different framework which also addresses the limitation of point #1.

Thoughts?

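As an added illustration of the three-way split (401 / 403 / 404) discussed above, and of why a True/False permission result cannot express it, here is a framework-independent sketch; it is not code from the original post or from DRF, and uses constructed stand-in classes (the names `IsOwner`, `IsOwnerBool`, `get_owner`, `retrieve` and `retrieve_boolean` are hypothetical):

```python
from collections import namedtuple

# Constructed stand-ins for the three outcomes; not DRF's own exception classes.
class NotAuthenticated(Exception):
    status_code = 401
class PermissionDenied(Exception):
    status_code = 403
class NotFound(Exception):
    status_code = 404

User = namedtuple("User", "username is_authenticated")  # hypothetical user model
ANONYMOUS = User("anonymous", False)

# Constructed sample data: document pk -> owner username.
DOCUMENTS = {1: "alice", 2: "bob"}

def get_owner(pk: int) -> str:
    if pk not in DOCUMENTS:
        raise NotFound()  # 404 lives in the lookup, outside the permission check
    return DOCUMENTS[pk]

class IsOwnerBool:
    # Boolean-style check: a single False covers both the 401 and the 403 case.
    def has_object_permission(self, user: User, owner: str) -> bool:
        return user.is_authenticated and owner == user.username

class IsOwner:
    # Exception-style check: the reason for refusal travels with the error.
    def check(self, user: User, owner: str) -> None:
        if not user.is_authenticated:
            raise NotAuthenticated()
        if owner != user.username:
            raise PermissionDenied()

def retrieve_boolean(user: User, pk: int, denied_status: int = 403) -> int:
    # Status for GET /documents/<pk>/ when the view only sees True/False.
    try:
        owner = get_owner(pk)
    except NotFound as exc:
        return exc.status_code
    return 200 if IsOwnerBool().has_object_permission(user, owner) else denied_status

def retrieve(user: User, pk: int) -> int:
    # Same request when the permission check raises typed exceptions instead.
    try:
        IsOwner().check(user, get_owner(pk))
    except (NotAuthenticated, PermissionDenied, NotFound) as exc:
        return exc.status_code
    return 200
```

With the boolean check, an anonymous request and a wrong-owner request collapse to the same `denied_status`; with typed exceptions the view can map each to its own code without bypassing the permission layer.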