From c8773671e7adfe8e9de162f3215470f0ed879f23 Mon Sep 17 00:00:00 2001
From: Denis Untevskiy <d.untevskiy@gmail.com>
Date: Fri, 25 Aug 2017 22:14:33 +0200
Subject: [PATCH] + Rejecting anonymous in DjangoModelPermissions *before* the
 .get_queryset call

---
 rest_framework/permissions.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py
index 57de3a35c..26728b2d6 100644
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@@ -120,6 +120,10 @@ class DjangoModelPermissions(BasePermission):
         if getattr(view, '_ignore_model_permissions', False):
             return True
 
+        if not request.user or (
+           not is_authenticated(request.user) and self.authenticated_users_only):
+            return False
+
         if hasattr(view, 'get_queryset'):
             queryset = view.get_queryset()
             assert queryset is not None, (
@@ -135,11 +139,7 @@ class DjangoModelPermissions(BasePermission):
 
         perms = self.get_required_permissions(request.method, queryset.model)
 
-        return (
-            request.user and
-            (is_authenticated(request.user) or not self.authenticated_users_only) and
-            request.user.has_perms(perms)
-        )
+        return request.user.has_perms(perms)
 
 
 class DjangoModelPermissionsOrAnonReadOnly(DjangoModelPermissions):