From 13b3af0d22bdbae5be0eb39ea50219c1fb83e28f Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Thu, 28 Feb 2013 17:58:58 +0000
Subject: Auth is no longer lazy.  Closes #667.

More consistent auth failure behavior.
---
 docs/api-guide/authentication.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'docs')

diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md
index 342fabe7..fae86386 100644
--- a/docs/api-guide/authentication.md
+++ b/docs/api-guide/authentication.md
@@ -10,7 +10,7 @@ Authentication is the mechanism of associating an incoming request with a set of
 
 REST framework provides a number of authentication schemes out of the box, and also allows you to implement custom schemes.
 
-Authentication will run the first time either the `request.user` or `request.auth` properties are accessed, and determines how those properties are initialized.
+Authentication is always run at the very start of the view, before the permission and throttling checks occur, and before any other code is allowed to proceed.
 
 The `request.user` property will typically be set to an instance of the `contrib.auth` package's `User` class.
 
@@ -191,7 +191,7 @@ In some circumstances instead of returning `None`, you may want to raise an `Aut
 Typically the approach you should take is:
 
 * If authentication is not attempted, return `None`.  Any other authentication schemes also in use will still be checked.
-* If authentication is attempted but fails, raise a `AuthenticationFailed` exception.  An error response will be returned immediately, without checking any other authentication schemes.
+* If authentication is attempted but fails, raise a `AuthenticationFailed` exception.  An error response will be returned immediately, regardless of any permissions checks, and without checking any other authentication schemes.
 
 You *may* also override the `.authenticate_header(self, request)` method.  If implemented, it should return a string that will be used as the value of the `WWW-Authenticate` header in a `HTTP 401 Unauthorized` response.
 
-- 
cgit v1.2.3


From 282af6057f30b5af4665d687200ee1ebf82fcf00 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Thu, 28 Feb 2013 18:02:10 +0000
Subject: Release notes

---
 docs/topics/release-notes.md | 1 +
 1 file changed, 1 insertion(+)

(limited to 'docs')

diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 06dc79a6..43499c9a 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -42,6 +42,7 @@ You can determine your currently installed version using `pip freeze`:
 
 ### Master
 
+* Request authentication is no longer lazily evaluated, instead authentication is always run, which results in more consistent, obvious behavior.  Eg. Supplying bad auth credentials will now always return an error response, even if no permissions are set on the view.
 * Bugfix for serializer data being uncacheable with pickle protocol 0.
 * Bugfixes for model field validation edge-cases.
 
-- 
cgit v1.2.3