API documentation templates do not check for user authentication #5162

Closed
5 of 6 tasks
ka7eh opened this issue May 22, 2017 · 0 comments · Fixed by #5189


ka7eh commented May 22, 2017

Checklist

  • I have verified that that issue exists against the master branch of Django REST framework.
  • I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
  • This is not a usage question. (Those should be directed to the discussion group instead.)
  • This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
  • I have reduced the issue to the simplest possible case.
  • I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)

Steps to reproduce

  • Set up an example project based on DRF tutorial. Set DEFAULT_PERMISSION_CLASSES to rest_framework.permissions.IsAdminUser.
  • Add the following to urls.py:
    ```python
    from rest_framework.documentation import include_docs_urls
    url(r'^docs/', include_docs_urls(title='API Title', description='API description'))
    ```
  • Now start your server and access localhost:8000/docs as an unauthenticated user; you get an AttributeError instead of 403.

Expected behavior

Users should not be able to access docs for restricted views and should see a 403.

Actual behavior

The template (document.html) doesn't check if user is authenticated or not (for restricted views) and tries to render a non-existing document object.

tomchristie added this to the 3.6.4 Release milestone Jul 10, 2017
tomchristie added a commit that referenced this issue Jul 10, 2017
Fix API documentation templates do not check for user authentication #5162
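
An in-process check for the expected behavior reported above, as an added example (not code from the issue or from Django REST framework): it sends an anonymous GET for the docs route to any WSGI application and reports whether the request is refused, not refused, or crashes. The function names and the three sample apps are constructed stand-ins; in a Django project the object returned by `django.core.wsgi.get_wsgi_application()` would be passed instead.

```python
from wsgiref.util import setup_testing_defaults


def anonymous_get(app, path):
    """Call a WSGI app in-process with no cookie or Authorization header."""
    environ = {"REQUEST_METHOD": "GET", "SCRIPT_NAME": "", "PATH_INFO": path}
    setup_testing_defaults(environ)  # fills in server name, wsgi.input, etc.
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = int(status.split()[0])

    try:
        result = app(environ, start_response)
        body = b"".join(result)
        if hasattr(result, "close"):
            result.close()
    except Exception as exc:  # a real server would answer 500 here
        return 500, type(exc).__name__
    return seen["status"], body.decode("utf-8", "replace")


def classify_anonymous_docs_access(app, path="/docs/"):
    """Classify how the docs route treats an unauthenticated request."""
    status, _ = anonymous_get(app, path)
    if status in (401, 403):
        return "refused"      # the behavior the report expects
    if status >= 500:
        return "crash"        # the behavior the report observed
    return "not-refused"      # 2xx/3xx: inspect what is actually served


# Constructed stand-ins for the behaviors in the report (not DRF code).
def buggy_docs_app(environ, start_response):
    document = None  # permission denied, so no schema document was built
    body = document.title.encode()  # AttributeError, as in the report
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body]


def fixed_docs_app(environ, start_response):
    start_response("403 Forbidden", [("Content-Type", "text/plain")])
    return [b"Authentication credentials were not provided."]


def open_docs_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>API Title</h1>"]
```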