From 1b0cbaabb4c9ed70e06559039780f8e94b78f163 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B3n=20Levy?=
Date: Sat, 13 Apr 2019 16:49:15 +0000
Subject: [PATCH] added test for #5127

---
 tests/browsable_api/test_browsable_api.py | 45 ++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/tests/browsable_api/test_browsable_api.py b/tests/browsable_api/test_browsable_api.py
index 684d7ae14..7171f01f3 100644
--- a/tests/browsable_api/test_browsable_api.py
+++ b/tests/browsable_api/test_browsable_api.py
@@ -3,7 +3,50 @@ from __future__ import unicode_literals
 from django.contrib.auth.models import User
 from django.test import TestCase, override_settings
 
-from rest_framework.test import APIClient
+from rest_framework import permissions, renderers, serializers, viewsets
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.test import APIClient, APIRequestFactory
+from tests.models import BasicModel
+
+factory = APIRequestFactory()
+
+
+class BasicSerializer(serializers.ModelSerializer):
+ class Meta:
+ model = BasicModel
+ fields = '__all__'
+
+
+class OrganizationPermissions(permissions.BasePermission):
+ def has_object_permission(self, request, view, obj):
+ return request.user.is_staff or (request.user == obj.owner.organization_user.user)
+
+
+class StandardModelView(viewsets.ModelViewSet):
+ queryset = BasicModel.objects.all()
+ serializer_class = BasicSerializer
+ permission_classes = [IsAuthenticated, OrganizationPermissions]
+ renderer_classes = (renderers.BrowsableAPIRenderer, renderers.JSONRenderer)
+
+ def get_queryset(self):
+ qs = super().get_queryset().filter(users=self.request.user)
+ return qs
+
+
+@override_settings(ROOT_URLCONF='tests.browsable_api.auth_urls')
+class AnonymousUserTests(TestCase):
+ """Tests correct handling of anonymous user request on endpoints with IsAuthenticated permission class."""
+ def setUp(self):
+ self.client = APIClient(enforce_csrf_checks=True)
+
+ def tearDown(self):
+ self.client.logout()
+
+ def test_factory_returns_403(self):
+ view = StandardModelView.as_view({'get': 'list'})
+ request = factory.get('/')
+ response = view(request).render()
+ self.assertTrue(response.status_code == 403, msg=response.status_code)
 
 
 @override_settings(ROOT_URLCONF='tests.browsable_api.auth_urls')
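Review bot: `OrganizationPermissions.has_object_permission` is never exercised by `test_factory_returns_403`: the view is bound with `{'get': 'list'}`, and DRF only runs object-level checks from `get_object()`, so the 403 asserted here comes from `IsAuthenticated` alone. Either drop the class from `permission_classes` or add a comment such as `# object-level check is not reached by list; IsAuthenticated produces the 403`, so the test is not read as coverage of the owner/staff rule. The `self.client` created in `setUp` and logged out in `tearDown` is also unused, because the request is built by the module-level `factory`, and `self.assertEqual(response.status_code, 403)` would report the mismatch without the `msg=` workaround. `super().get_queryset()` is the Python 3-only form, which looks at odds with the `unicode_literals` import shown in the hunk header if this file is still run on Python 2 — worth confirming.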