From b236241982b95a35cdb251e5020004050fb6567a Mon Sep 17 00:00:00 2001
From: Camille Harang <mammique@yooook.net>
Date: Sat, 11 Feb 2012 01:54:28 +0100
Subject: [PATCH] check authentication after checking ModelResource

---
 djangorestframework/permissions.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/djangorestframework/permissions.py b/djangorestframework/permissions.py
index 100a976e1..92e90fc38 100644
--- a/djangorestframework/permissions.py
+++ b/djangorestframework/permissions.py
@@ -99,16 +99,16 @@ class DjangoModelPermisson(BasePermission):
         if self.view.request.method in ('GET', 'OPTIONS', 'HEAD',):
             return
 
-        # User must be logged in to check permissions.
-        if not hasattr(self.view.request, 'user') or not self.view.request.user.is_authenticated():
-            raise _403_FORBIDDEN_RESPONSE
-
         klass = self.view.resource.model
 
         # If it doesn't look like a model, we can't check permissions.
         if not klass or not getattr(klass, '_meta', None):
             return
 
+        # User must be logged in to check permissions.
+        if not hasattr(self.view.request, 'user') or not self.view.request.user.is_authenticated():
+            raise _403_FORBIDDEN_RESPONSE
+
         permission_map = {
             'POST': ['%s.add_%s'],
             'PUT': ['%s.change_%s'],