| author | Pierre Dulac | 2013-03-01 11:50:11 +0100 |
|---|---|---|
| committer | Pierre Dulac | 2013-03-01 11:50:11 +0100 |
| commit | aed3c13471deae6b2837b3799b4ca6615a5d172c (patch) | |
| tree | 13f3f0a7cb36923dd9dcd84374af1a93f6b30a24 /docs | |
| parent | d8f455bc0ff920e9e0cd1952f58b5a0eccdc2683 (diff) | |
| parent | 282af6057f30b5af4665d687200ee1ebf82fcf00 (diff) | |
| download | django-rest-framework-aed3c13471deae6b2837b3799b4ca6615a5d172c.tar.bz2 | |
Merge branch 'master' into oauth2-authentication
Conflicts:
rest_framework/tests/authentication.py
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/api-guide/authentication.md | 4 | ||||
| -rw-r--r-- | docs/topics/release-notes.md | 1 |
2 files changed, 3 insertions, 2 deletions
diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md index ba7c0c58..6a259500 100644 --- a/docs/api-guide/authentication.md +++ b/docs/api-guide/authentication.md @@ -10,7 +10,7 @@ Authentication is the mechanism of associating an incoming request with a set of REST framework provides a number of authentication schemes out of the box, and also allows you to implement custom schemes. -Authentication will run the first time either the `request.user` or `request.auth` properties are accessed, and determines how those properties are initialized. +Authentication is always run at the very start of the view, before the permission and throttling checks occur, and before any other code is allowed to proceed. The `request.user` property will typically be set to an instance of the `contrib.auth` package's `User` class. @@ -259,7 +259,7 @@ In some circumstances instead of returning `None`, you may want to raise an `Aut Typically the approach you should take is: * If authentication is not attempted, return `None`. Any other authentication schemes also in use will still be checked. -* If authentication is attempted but fails, raise a `AuthenticationFailed` exception. An error response will be returned immediately, without checking any other authentication schemes. +* If authentication is attempted but fails, raise a `AuthenticationFailed` exception. An error response will be returned immediately, regardless of any permissions checks, and without checking any other authentication schemes. You *may* also override the `.authenticate_header(self, request)` method. If implemented, it should return a string that will be used as the value of the `WWW-Authenticate` header in a `HTTP 401 Unauthorized` response. diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md index 06dc79a6..43499c9a 100644 --- a/docs/topics/release-notes.md +++ b/docs/topics/release-notes.md 
@@ -42,6 +42,7 @@ You can determine your currently installed version using `pip freeze`: ### Master +* Request authentication is no longer lazily evaluated, instead authentication is always run, which results in more consistent, obvious behavior. Eg. Supplying bad auth credentials will now always return an error response, even if no permissions are set on the view. * Bugfix for serializer data being uncacheable with pickle protocol 0. * Bugfixes for model field validation edge-cases. |
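Review bot: In the first docs/api-guide/authentication.md hunk (line 10), "before any other code is allowed to proceed" is broader than the rest of the sentence supports. The sentence places authentication "at the very start of the view", so scope the claim to match, for example "before any other code in the view runs". The removed line also stated that authentication determines how `request.user` and `request.auth` are initialized, and the replacement drops that; keeping the clause would preserve the lead-in to the following paragraph on `request.user`.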
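Review bot: In the second docs/api-guide/authentication.md hunk (line 259), the rewritten bullet still reads "raise a `AuthenticationFailed` exception"; since the line is being changed anyway, correct it to "an `AuthenticationFailed` exception". The bullet also says "regardless of any permissions checks" while the line 10 hunk says "permission and throttling checks". If a failed authentication short-circuits throttling too, use the same wording in both places so readers do not infer that throttling still runs.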
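Review bot: In the docs/topics/release-notes.md hunk, the added entry is a behaviour change but is listed alongside the bugfix entries with nothing marking it as one. Per the entry itself, bad credentials now return an error response "even if no permissions are set on the view", so clients that send stale or malformed credentials to open views will start failing after an upgrade; label the entry as a behaviour change so it is not missed. On wording, "Eg." should be "e.g.", and the comma before "instead" joins two sentences that should be split.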
