Closed
Description
Checklist
- I have verified that that issue exists against the
masterbranch of Django REST framework. - I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
- This is not a usage question. (Those should be directed to the discussion group instead.)
- This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
- I have reduced the issue to the simplest possible case.
- I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)
Steps to reproduce
- Set up an example project based on DRF tutorial. Set
DEFAULT_PERMISSION_CLASSEStorest_framework.permissions.IsAdminUser. - Add the following to
urls.py:
from rest_framework.documentation import include_docs_urls
url(r'^docs/', include_docs_urls(title='API Title', description='API description'))
- Now start your server and access
localhost:8000/docsas an unauthenticated user; you get anAttributeErrorinstead of 403.
Expected behavior
Users should not be able to access docs for restricted views and should see a 403.
Actual behavior
The template (document.html) doesn't check if user is authenticated or not (for restricted views) and tries to render a non-existing document object.