Deprecation warning for APIs that do not use auth

[ivanvenosdel]

Problem

When a site is using DRF without the need for authentication they will likely end up with a Django + 3rd party app list similar to this:

(
    'django.contrib.staticfiles',
    'rest_framework',
)

Now the problem is that any request to a URL using DRF will produce deprecation warnings from the use of ContentType, Permission, Group and User models from contrib.auth and contrib.contenttypes. Each warning looks similar to the following.

(snip).models.ContentType doesn't declare an explicit app_label and either isn't in an application in INSTALLED_APPS or else was imported before its application was loaded. This will no longer be supported in Django 1.9.
  class ContentType(models.Model):

I have confirmed that if Django 1.9a1 is used this warning turns into a runtime error:

Exception Type:     RuntimeError
Exception Value:    
Model class django.contrib.contenttypes.models.ContentType doesn't declare an explicit app_label and either isn't in an application in INSTALLED_APPS or else was imported before its application was loaded. 

Workaround

Use this REST_FRAMEWORK setting to disable the referencing of AnonymousUser

REST_FRAMEWORK = {
    'UNAUTHENTICATED_USER': None,
}

[lovelydinosaur]

Options:

1. Do nothing. We already provide for this use case with the UNAUTHENTICATED_USER setting.
2. Address the issue in Django core - allow AnonymousUser to be used without raising warnings.
3. Make the setting default depend on if django.contrib.auth is in INSTALLED_APPS or not.

[xordoquy]

Based on the fact that I love to have working defaults my opinion is:

• 2 is the best choice but will not fix already released django versions.
• 3 is a workaround meanwhile 2 is done (or a fallback if it's rejected).

[lovelydinosaur]

Not sure - I'm a bit lukewarm on 3, but perhaps.

[galuszkak]

Workaround doesn't work for me. Even if I set None for UNAUTHENTICATED_USER setting it still want me to have additional django.contrib packages.

  File "/home/ubuntu/venv/lib/python2.7/site-packages/rest_framework/request.py", line 193, in user
    self._authenticate()
  File "/home/ubuntu/venv/lib/python2.7/site-packages/rest_framework/request.py", line 326, in _authenticate
    self._not_authenticated()
  File "/home/ubuntu/venv/lib/python2.7/site-packages/rest_framework/request.py", line 337, in _not_authenticated
    if api_settings.UNAUTHENTICATED_USER:
  File "/home/ubuntu/venv/lib/python2.7/site-packages/rest_framework/settings.py", line 203, in __getattr__
    val = perform_import(val, attr)
  File "/home/ubuntu/venv/lib/python2.7/site-packages/rest_framework/settings.py", line 146, in perform_import
    return import_from_string(val, setting_name)
  File "/home/ubuntu/venv/lib/python2.7/site-packages/rest_framework/settings.py", line 160, in import_from_string
    module = importlib.import_module(module_path)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/home/ubuntu/venv/lib/python2.7/site-packages/django/contrib/auth/models.py", line 6, in <module>
    from django.contrib.contenttypes.models import ContentType
  File "/home/ubuntu/venv/lib/python2.7/site-packages/django/contrib/contenttypes/models.py", line 159, in <module>
    class ContentType(models.Model):
  File "/home/ubuntu/venv/lib/python2.7/site-packages/django/db/models/base.py", line 102, in __new__
    "INSTALLED_APPS." % (module, name)
RuntimeError: Model class django.contrib.contenttypes.models.ContentType doesn't declare an explicit app_label and isn't in an application in INSTALLED_APPS.

[xordoquy]

@galuszkak somehow you didn't as api_settings.UNAUTHENTICATED_USER is leading to importing Django's auth models.

[galuszkak]

@xordoquy in my settings I have:

REST_FRAMEWORK = {
    'DEFAULT_RENDERER_CLASSES': (
        'rest_framework_jsonp.renderers.JSONPRenderer',
    ),
    'EXCEPTION_HANDLER': 'rest_framework.views.exception_handler',
    'UNAUTHENTICATED_USER': None
}

So I'm pretty sure that I set that UNAUTHENTICATED_USER...

[akroushan]

@galuszkak Any luck on solving this?

[lovelydinosaur]

@akroushan The traceback above indicates that UNAUTHENTICATED_USER hadn't been set to None.

[galuszkak]

@tomchristie I show You settings that I set it to None, regardless of stacktrace that were my settings.

@akroushan I just went to have temporary sqlite database. Didn't had time to bother with that. I just added this django.contrib.auth even if I don't use it really at all.

[lovelydinosaur]

@galuszkak - I can see a snippet from a settings file, tho I can also see from the traceback that contrib.auth.models is being imported by api_settings.UNAUTHENTICATED_USER so I don't have any way of reconciling that unless I can see an example project that demonstrates the issue.

From my perspective of the "perhaps a different settings file was actually being used", or "perhaps the REST_FRAMEWORK settings had actually been overwritten else in the user project" are both viable options.

If someone can demonstrate how to replicate setting UNAUTHENTICATED_USER to None and still getting this error from REST framework's authentication, then we can investigate further. As it currently stands this remains a documentation issue. (Tho we could even do something nice like catch the runtime error and raise a helpful message in this particular case)

[galuszkak]

@tomchristie I will prepare example with not working solution.

[lovelydinosaur]

That'd be fab, thanks. 👍

[yourblue]

I have met the same question , did it figure out?