1

I'm trying to authenticate my web API method using the Django REST framework IsAuthenticated permission and TokenAuthentication. The API method:

from django.contrib.auth import logout
from django.contrib.auth.models import Group  # assumed; adjust if Group is your own model
from django.core.paginator import Paginator
from rest_framework.decorators import api_view, permission_classes
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response


@api_view(['POST'])
@permission_classes((IsAuthenticated,))
def listofgroups(request):
    try:
        # Runs only after DRF's authentication and permission checks have
        # already passed, so it cannot stop a session-authenticated caller.
        logout(request)
        data = request.data
        page_size = data.get('pagesize')
        page_number = data.get('pagenumber')
        group_qs = Group.objects.all()
        paginator = Paginator(group_qs, int(page_size))
        group_list = paginator.page(int(page_number))
        #group_list = tools.paginate_query_set(group_qs, 1, 3)
        #list  = group_list[0]['model']
        groups = [get_group_dto(g) for g in group_list]
        sorted_groups = sorted(groups, key=lambda k: k['user_count'], reverse=True)
        group_list_dto = {
            "grps": sorted_groups,
            "success": 1,
            "fail": 0
        }
        return Response(group_list_dto)
    except Exception as e:
        # logger.error("Error %s", e, exc_info=True)
        return Response({"success": 0, "error": str(e)})

Basically I should always set Authorization in the header like:

"Authorization":"Token a26171d30745cc94bcd6ac42d9bc94e1d3992948"

This token is based on rest_framework.authtoken.

The error is that I can get the data with a 200 response without even setting the token in the header, because it's returning an anonymous user which is authenticated from the back end in Django.

How can I prevent anonymous users from being authenticated and return a 403 error response for them using Django REST framework?

I appreciate any help.

Ahmad Haidar
  • What are the facts behind your assertions? I checked several times so far, and anonymous users will fail IsAuthenticated. Most likely you are logged in with sessions. – Linovia Dec 07 '17 at 13:41
  • You should paste your logout function code. – Hayden Dec 07 '17 at 13:43
  • @Linovia I think you are right; I think I'm also logged in with sessions. Is there any way that I can kill this session, and is there a way to prevent anonymous users from calling this API? – Ahmad Haidar Dec 07 '17 at 13:46
  • @Hayden I don't have login and logout functions; I'm using token-based authentication in Django REST framework, but the sessions are always enabled in Django. – Ahmad Haidar Dec 07 '17 at 13:47
  • No, they are enabled because the default uses them. Tune your DRF settings to get rid of them for the API part and enjoy. – Linovia Dec 07 '17 at 13:54
  • How can I do that? Can you give me an example please? Thank you a lot @Linovia – Ahmad Haidar Dec 07 '17 at 14:01
  • It should be in the authentication part of the DRF documentation. – Linovia Dec 07 '17 at 14:04
  • @Linovia it is not working, I'm stuck on this. I posted this issue before [link](https://stackoverflow.com/questions/47677952/django-rest-framework-isauthenticated-permission-error-anonymous-user) and got no answer, and still have not solved it. Any help with it please? – Ahmad Haidar Dec 07 '17 at 14:33
  • Sorry, I mean this [link](https://stackoverflow.com/questions/47677952/django-rest-framework-isauthenticated-permission-error-anonymous-user) – Ahmad Haidar Dec 07 '17 at 14:37
  • Dunno, shouldn't be an issue by the look of it. – Linovia Dec 07 '17 at 15:31
  • If you use the token auth you mentioned above, you must enable the token auth in the DRF settings. The session auth is mainly for same-domain SPA web apps. – Hayden Dec 08 '17 at 02:40
  • Thank you @Hayden, but I'm setting it in DRF and it's working fine with the IsAdminUser permission and not working with the IsAuthenticated permission, since the anonymous user is always authenticated. Don't know why. – Ahmad Haidar Dec 08 '17 at 08:15

2 Answers

1

There are actually many classes defined in Django REST framework for validation purposes. What I guess in your case is that you will need the following set of decorators:

@api_view(['POST'])
@authentication_classes((TokenAuthentication,))
@permission_classes((IsAuthenticated,))

Considering you have set the header properly, it won't be a problem with the above code.

Compro Prasad
0

You can do this,

to stay safe and always ask the user for a token. You don't need to call permission_classes; it will automatically be IsAuthenticated.

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',
    ],
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.TokenAuthentication',
    ],
}
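Added example (editorial code, not from the question, either answer, or Django REST framework itself): a small model of the order in which DRF resolves `authentication_classes` and then the `IsAuthenticated` permission, written to show why both answers above matter. It runs two setups side by side: the list in the answer directly above (with BasicAuthentication left out), where a browser that is logged into the Django admin is accepted without any token because SessionAuthentication answers first, and the token-only setup that the first answer's `@authentication_classes((TokenAuthentication,))` produces, where the same session cookie is ignored. The `Request` class, the `TOKENS` and `SESSIONS` tables, `dispatch` and `probe` are constructed stand-ins for DRF's request object, the authtoken table, the Django session backend and `APIView.initial()`; the token value is the one quoted in the question.

```python
# Model of DRF's authentication -> permission pipeline (added example, not DRF
# code). Mirrors the order APIView uses: authenticators run in list order and
# the first one returning a user wins; if none does, request.user is anonymous,
# IsAuthenticated fails, and the reply is 401 when the *first* authenticator
# advertises a WWW-Authenticate challenge, otherwise 403.
from dataclasses import dataclass, field

# Constructed sample credentials: one API token and one live admin session.
TOKENS = {"a26171d30745cc94bcd6ac42d9bc94e1d3992948": "ahmad"}
SESSIONS = {"sess-admin-1": "admin"}


@dataclass
class Request:
    """Stand-in for the incoming HTTP request (headers and cookies only)."""
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed."""


class TokenAuthentication:
    """Accepts 'Authorization: Token <key>', the scheme rest_framework.authtoken uses."""
    keyword = "Token"

    def authenticate(self, request):
        parts = request.headers.get("Authorization", "").split()
        if len(parts) != 2 or parts[0] != self.keyword:
            return None  # not this scheme: DRF moves on to the next class
        user = TOKENS.get(parts[1])
        if user is None:
            raise AuthenticationFailed("Invalid token.")
        return user

    def authenticate_header(self, request):
        return self.keyword  # a challenge exists, so unauthenticated calls get 401


class SessionAuthentication:
    """Authenticates from the Django session cookie, e.g. after logging into /admin/."""

    def authenticate(self, request):
        return SESSIONS.get(request.cookies.get("sessionid"))

    def authenticate_header(self, request):
        return None  # nothing to advertise, so unauthenticated calls get 403


def dispatch(request, authentication_classes):
    """Return the status code IsAuthenticated would produce for this request."""
    authenticators = [cls() for cls in authentication_classes]
    unauthenticated = 401 if authenticators[0].authenticate_header(request) else 403
    user = None
    for auth in authenticators:
        try:
            user = auth.authenticate(request)
        except AuthenticationFailed:
            return unauthenticated  # bad credentials are handled like missing ones
        if user is not None:
            break
    return 200 if user is not None else unauthenticated


def probe(authentication_classes):
    """Status for three constructed callers against one authentication setup."""
    anonymous = Request()
    with_token = Request(headers={"Authorization": "Token a26171d30745cc94bcd6ac42d9bc94e1d3992948"})
    admin_session = Request(cookies={"sessionid": "sess-admin-1"})  # no Authorization header
    return {
        "anonymous": dispatch(anonymous, authentication_classes),
        "token": dispatch(with_token, authentication_classes),
        "admin_session": dispatch(admin_session, authentication_classes),
    }


# Setup from the answer above (BasicAuthentication left out): a browser logged
# into the Django admin is accepted without any token.
WITH_SESSION = [SessionAuthentication, TokenAuthentication]
# Token-only setup: the same session cookie is ignored; only the token works.
TOKEN_ONLY = [TokenAuthentication]

if __name__ == "__main__":
    print("session + token:", probe(WITH_SESSION))
    print("token only:     ", probe(TOKEN_ONLY))
```

Two things the model makes visible. With session authentication in the list, IsAuthenticated genuinely passes for a browser that is logged into the admin, which is what the comments diagnosed; the `logout(request)` inside the question's view runs in the handler, after DRF has already accepted the session, so it cannot change the outcome. And the status code for an unauthenticated call is chosen by the first configured authenticator: TokenAuthentication advertises a `WWW-Authenticate: Token` challenge, so a token-only API answers 401 rather than the 403 the question asks for; DRF returns 403 only when the first authenticator (SessionAuthentication) has no challenge to send.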