added test for #5127

tests/browsable_api/test_browsable_api.py

@@ -3,7 +3,50 @@ from __future__ import unicode_literals
 from django.contrib.auth.models import User
 from django.test import TestCase, override_settings
 
-from rest_framework.test import APIClient
+from rest_framework import permissions, renderers, serializers, viewsets
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.test import APIClient, APIRequestFactory
+from tests.models import BasicModel
+
+factory = APIRequestFactory()
+
+
+class BasicSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = BasicModel
+        fields = '__all__'
+
+
+class OrganizationPermissions(permissions.BasePermission):
+    def has_object_permission(self, request, view, obj):
+        return request.user.is_staff or (request.user == obj.owner.organization_user.user)
+
+
+class StandardModelView(viewsets.ModelViewSet):
+    queryset = BasicModel.objects.all()
+    serializer_class = BasicSerializer
+    permission_classes = [IsAuthenticated, OrganizationPermissions]
+    renderer_classes = (renderers.BrowsableAPIRenderer, renderers.JSONRenderer)
+
+    def get_queryset(self):
+        qs = super().get_queryset().filter(users=self.request.user)
+        return qs
+
+
+@override_settings(ROOT_URLCONF='tests.browsable_api.auth_urls')
+class AnonymousUserTests(TestCase):
+    """Tests correct handling of anonymous user request on endpoints with IsAuthenticated permission class."""
+    def setUp(self):
+        self.client = APIClient(enforce_csrf_checks=True)
+
+    def tearDown(self):
+        self.client.logout()
+
+    def test_factory_returns_403(self):
+        view = StandardModelView.as_view({'get': 'list'})
+        request = factory.get('/')
+        response = view(request).render()
+        self.assertTrue(response.status_code == 403, msg=response.status_code)
 
 
 @override_settings(ROOT_URLCONF='tests.browsable_api.auth_urls')