Views decorators ordering

[fdevillard]

The views decorators' order matters. Indeed,

    @api_view(['GET'])
    @permission_classes([IsAuthenticated])
    def my_view(request):
        pass

is different from:

    @permission_classes([IsAuthenticated])
    @api_view(['GET'])
    def my_view(request):
        pass

This is clearly stated in the documentation (https://www.django-rest-framework.org/api-guide/views/#api-policy-decorators). Nevertheless, I find it easy to miss and it may have security implication too.

Shouldn't the latter throw an exception, as it may have security implication? If not, is anyone aware of a linter to avoid such error?

If needed, I've created a repo to illustrate this: https://github.com/fdevillard/drf-decorator-ordering-demo

Thanks ! :)

[browniebroke]

Thanks fo the clear description and the example reproducing the problem. The order indeed matter, and I find the documentation pretty clear on that.

I think raising an exception (e.g. ImproperlyConfigured? ) in case of misuse would be a nice improvement, that could prevent mistakes with security implications. I'm a bit worried that this goes beyond our maintenance policy, though. The exception would be raised at import time, rather than at runtime when the view serves a request.

If we do it, we should add it to all the API policy decorators.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.