I want to use DRF's rest_framework.authentication.BasicAuthentication to develop my SPA with a dev server while consuming data from a locally running backend.
I included rest_framework.authentication.BasicAuthentication in settings.py. I have a view which requires Permission (guardian.mixins.PermissionRequiredMixin):
class WidgetDetail(PermissionRequiredMixin, RetrieveAPIView):
serializer_class = WidgetSerializer
permission_required = "widget.view_widget"
return_403 = True
If I try to GET the widget using basic auth, the view returns an error 403. Using the debugger, I can see that when PermissionRequiredMixin.check_permissions() is run, request.user is AnonymousUser rather than the user provided by basic auth as DRF's documentation indicates.
Why is the user provided by basic auth not identified when permissions are checked?