Did you properly set up your authentication and permission classes, either on settings or view?

This situation never happened to me, and DRF always returned the correct HTTP status codes: 404, 401 or 403.

On Sun, Apr 30, 2023, 07:33 Michele <m...@sshguard.net> wrote:

> Hi everyone,
>
> While diagnosing an API I noticed that DRF's "Permissions" framework returns HTTP codes inconsistent with HTTP.
>
> DRF returns `404` (Not found) for any error <https://github.com/encode/django-rest-framework/blob/master/rest_framework/permissions.py#L4>. By HTTP specification <https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/404> that indicates that the resource is not available on the server – an error unrelated to authentication or authorization.
>
> Django's Permissions framework manages that correctly, by returning 403 <https://docs.djangoproject.com/en/4.2/ref/views/#the-403-http-forbidden-view>.
>
> The correct behavior would be:
>
> - Return `401` if the user is not authenticated (IsAuthenticated() = False, i.e. AnonymousUser)
> - Return `403` if the user is authenticated but lacks permission (IsAuthenticated() is True but e.g. user requests access to an object belonging to another user)
> - Return `404` in other cases. This error is actually entirely beyond the scope of Permissions.
>
> Some thoughts around that:
>
> 1. DRF's Permissions framework is currently based on True/False results, making it impossible to distinguish between scenarios. That means you need to do away with the Permissions framework and DIY altogether if you want an API with correct HTTP error codes.
> 2. It's likely impossible to change those error codes by now anyway.
> 3. However, an option could be to introduce a different framework which also addresses the limitation of point #1.
>
> Thoughts?
>
> --
> You received this message because you are subscribed to the Google Groups "Django REST framework" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to django-rest-framework+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/django-rest-framework/e9c94e58-a0d6-4c5b-9251-8b1c413c820dn%40googlegroups.com.
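As an added illustration (not code from this thread or from DRF itself): a simplified pure-Python model of how a DRF-style view maps a boolean permission result onto 401, 403 and 404. The 401/403 split mirrors what DRF's `APIView.permission_denied()` does, deciding from the request's authentication state rather than from the permission's return value; `User`, `Request`, `Document`, `IsOwner`, `dispatch` and the sample data are constructed for this example.

```python
"""Simplified model of how a DRF-style view turns a boolean permission
check into 401 / 403 / 404.  Added illustration, not DRF's own code;
all classes, names and sample data here are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    username: Optional[str] = None   # None stands in for AnonymousUser


@dataclass
class Request:
    user: User
    # Non-empty authenticators with none successful: credentials missing/invalid.
    authenticators: tuple = ("TokenAuthentication",)
    successful_authenticator: Optional[str] = None


@dataclass
class Document:
    pk: int
    owner: str


DOCUMENTS = {1: Document(pk=1, owner="alice")}   # constructed sample data


class IsOwner:
    """Boolean object permission: only the owner may access the object."""

    def has_object_permission(self, request: Request, obj: Document) -> bool:
        return request.user.username == obj.owner


def dispatch(request: Request, pk: int) -> int:
    """Status code a view would return for GET /documents/<pk>/."""
    obj = DOCUMENTS.get(pk)
    if obj is None:
        return 404   # lookup failure, outside the scope of permissions
    if not IsOwner().has_object_permission(request, obj):
        # Mirrors APIView.permission_denied(): the permission only says "no";
        # the view picks 401 vs 403 from the request's authentication state.
        if request.authenticators and not request.successful_authenticator:
            return 401
        return 403
    return 200
```

In real DRF, `NotAuthenticated` is rendered as 403 rather than 401 when the first authenticator provides no `WWW-Authenticate` header, a detail this model omits.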