Matthias Schoettle

Indeed. My bad. I unfortunately don't know any solution except explicitly `cast()`ing `request` to an `authenticated_request` in the method body.

I found a case that supports `_SupportsHasPermission` instead of `BasePermission`: ```py def get_permissions(self) -> Sequence[_SupportsHasPermission]: if self.action == 'list': return [OR(IsAdminUser(), SomeOtherPermission())] return super().get_permissions() ```

I had to revert back to `Sequence`. Given that in some scenarios (see added test cases) `_SupportsHasPermission` has to be exposed I think it would be best to make it...

I ran into the same issue after monkeypatching `Field` and `GenericAPIView` that requests were always unauthenticated. The `Authorization` header is not present in `request.META`.

> What is the rationale for getting the user from the session cookie instead of request.user? I think it's because the request is unavailable in the signal handling. See #225....

@jheld Let me know what you think please. Happy to create a PR for this. The alternative would be to disable auth events to be watched in tests but it...

Awesome work! 👍

The one change I'd argue is helpful to extract into its own PR is the one for #263 since it is unrelated to package organization, CI etc.

Yes that makes sense. Here is what I suggest: * Create a separate PR that only fixes #263 (if it was a separate commit it could be cherry-picked onto a...

> > One general comment: It seems that there is an inconsistent use of single and double quotes right now. Cam `ruff-format` take care of this? Otherwise, we should include...