rsinger86 / drf-access-policy

Declarative access policies/permissions modeled after AWS' IAM policies.
https://rsinger86.github.io/drf-access-policy/
MIT License

Why "principal: authenticated" is "not anonymous" instead of "is authenticated"? #80

Closed danyi1212 closed 2 years ago

danyi1212 commented 2 years ago

Hey @rsinger86,

After reading the code a bit, I stumbled across the code for matching the principal on statements. I found that the code at access_policy.py line 142 checks, for the "authenticated" principal value, that the user is not anonymous, rather than whether it is actually authenticated.

Out of curiosity, why is it implemented that way instead of using the built-in "is_authenticated"? Is there a difference?

Thank you!

rsinger86 commented 2 years ago

Good question :)

I had forgotten why, but going back over the commit history, there was a point where we decided to support an edge case where request.user is None because the project is not using Django's authentication middleware.

To make it work in this case, I added a custom AnonymousUser object here: https://github.com/rsinger86/drf-access-policy/blob/master/rest_access_policy/access_policy.py#L14

This could be updated to have the same interface as Django's AnonymousUser.
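To make the distinction discussed in this thread concrete, here is an added example (not code from drf-access-policy, and not Django's). It implements both checks, "the user is not an AnonymousUser" and "user.is_authenticated", against small stand-in user classes that replace Django so the file runs offline, and shows how each treats a real user, an anonymous user, and a request.user of None. The principal names handled by match_principal and the normalise_user helper are assumptions for illustration, not the library's API.

```python
"""Added example, not code from drf-access-policy or Django: compares the two
ways of deciding whether request.user counts as "authenticated" that the
thread discusses. Django is replaced by stand-in classes (an assumption)."""


class AnonymousUser:
    """Stand-in mirroring the Django AnonymousUser attributes used here."""
    pk = None
    is_authenticated = False
    is_anonymous = True


class User:
    """Stand-in for a concrete user model instance (always authenticated)."""
    is_authenticated = True
    is_anonymous = False

    def __init__(self, pk):
        self.pk = pk


def authenticated_by_type(user):
    """The "not anonymous" test: anything that is not an AnonymousUser passes.
    Note that None also passes, because None is not an AnonymousUser."""
    return not isinstance(user, AnonymousUser)


def authenticated_by_flag(user):
    """The "is_authenticated" test. None has no such attribute, so this
    raises instead of returning; callers must normalise None first."""
    return bool(user.is_authenticated)


def normalise_user(request_user):
    """What a fallback anonymous object buys you: a missing user (no auth
    middleware, so request.user is None) becomes an explicit anonymous user."""
    return AnonymousUser() if request_user is None else request_user


def match_principal(principal, request_user, *, check=authenticated_by_flag):
    """Match one statement principal against request.user.
    Principals supported here (a hypothetical subset, not the library's list):
    '*', 'authenticated', 'anonymous', 'id:<pk>'."""
    user = normalise_user(request_user)
    if principal == "*":
        return True
    if principal == "authenticated":
        return check(user)
    if principal == "anonymous":
        return not check(user)
    if principal.startswith("id:"):
        return user.pk is not None and str(user.pk) == principal[len("id:"):]
    return False


def compare_checks(request_user):
    """Return (by_type, by_flag) for the raw, un-normalised user, recording an
    AttributeError as the string 'error' so the difference is visible."""
    by_type = authenticated_by_type(request_user)
    try:
        by_flag = authenticated_by_flag(request_user)
    except AttributeError:
        by_flag = "error"
    return by_type, by_flag


if __name__ == "__main__":
    # Constructed sample users: a real user, an anonymous user, and the
    # "no auth middleware" case where request.user is None.
    for label, u in [("User(7)", User(7)), ("AnonymousUser()", AnonymousUser()), ("None", None)]:
        by_type, by_flag = compare_checks(u)
        print(f"{label:16} not-anonymous={by_type!s:5} is_authenticated={by_flag}")
    print("authenticated matches None after normalising:",
          match_principal("authenticated", None, check=authenticated_by_type))
```

The output makes the security-relevant point: on a raw None, the "not anonymous" check returns True (None is not an AnonymousUser instance), so a statement granting "authenticated" would match an unauthenticated request, while the "is_authenticated" check raises. Normalising None to an explicit anonymous object, as the fallback object in this thread does, is what makes either check fail closed.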