From 533bcd25da21aab8ae129adfd53a0d76a6b99ccb Mon Sep 17 00:00:00 2001
From: Vladimir Mencl
Date: Fri, 11 Mar 2016 13:58:37 +1300
Subject: [PATCH] Return 403 when user logged in but no permission
---
 django_basic_auth.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/django_basic_auth.py b/django_basic_auth.py
index 33dda66..ad40035 100644
--- a/django_basic_auth.py
+++ b/django_basic_auth.py
@@ -33,6 +33,9 @@ def view_or_basicauth(view, request, test_func, realm = "", *args, **kwargs):
 request.user = user
 if test_func(request.user):
 return view(request, *args, **kwargs)
+ else:
+ # successfully authenticated but no permission
+ return HttpResponse(status=403)
 
 # Either they did not provide an authorization header or
 # something in the authorization attempt failed. Send a 401
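Review bot: The new `else` branch returns a bare `HttpResponse(status=403)` with no body and no log entry, so a denial that follows a successful credential check leaves no trace in the application; it is worth recording the username and request path there (never the Authorization header). Consider `raise PermissionDenied` (from `django.core.exceptions`) or `return HttpResponseForbidden()` instead, so the project's normal 403 handling applies. view_or_basicauth starts and ends outside the hunk, so it is not visible whether a user who is already authenticated by session but fails `test_func` reaches this branch or still falls through to the 401 below; if the latter, the commit subject holds only for credentials sent in the Authorization header. Because the 403/401 split now tells a client that the submitted password was valid, throttling of failed attempts on this endpoint becomes more important.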