Tutorial Part 4 assumes default Auth in settings.py

[Rob Banagale]

DRF Beginner here. 

I got stuck last night in DRF Tutorial Part 4 trying to get SnippetList and SnippetDetail views to accurately render based on user authentication.

In the Adding required permissions to views section, it suggests adding the permission_classes property to the two views.

permission_classes = (permissions.IsAuthenticatedOrReadOnly,)

The next section, Adding login to the Browsable API begins: "If you open a browser and navigate to the browsable API at the moment, you'll find that you're no longer able to create new code snippets."

I found this was not true based on following the tutorial. Through trial and error, I found that I had neglected to include DEFAULT_PERMISSION_CLASSES and DEFAULT_AUTHENTICATION_CLASSES in my REST_FRAMEWORK in settings.py.

Specifically:

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticatedOrReadOnly',
    ),
   'DEFAULT_AUTHENTICATION_CLASSES': (
    'rest_framework.authentication.BasicAuthentication',
    'rest_framework.authentication.SessionAuthentication',
    ),
}

Two questions for feedback:

1. Am I correct in identifying that DEFAULT_AUTHENTICATION_CLASSES must be set in order for the permission_classes property to take effect on the intended views of the tutorial? 
   
2. Would it be helpful for this tutorial to mention that default permission classes for all views can be set in settings?
   

[RB]

Ok, it looks like I confused myself before. 

Only the DEFAULT_PERMISSION_CLASSES set in settings.py is being picked up.  When I set the additional permission_classses property in one of my APIView classes it is ignored.

I'm confounded by why my API classes are ignoring the permission_classes property I'm setting.

Can anyone suggest a way to troubleshoot a DRF class based view that won't seem to acknowledge the permissions_classes property?

I can change the default_permission_classes and the API renders as expected by various settings.

[RB]

After pulling out what limited hair I have left, I figured it out.

Early in my experimentation I had defined a router in my urls.py that was routing my intended API view URL to a viewset class I had defined. I  did not have the permissions property on it.

So the answer to my original questions are:

1. No, it is not necessary to set default permission classes in settings.py in order to do individual permission settings on class based views.

2. Yes, I think it would be useful to at least mention in tutorial part 4 that it is is possible to do a class-wide permission or authentication setting. It is in the details of Permissions and Authentication but still might make the tutorial more useful.

The mistake in my troubleshooting was that everything was working as expected and declared in the tutorial. I needed to look outside the problem.