A typical view can respond with 403 when a user is not authenticated or does not have the necessary permissions, and with 404 if the requested object does not exist.
It is important to get the order of those checks right. Responding with 404 too early can leak the existence of objects.
Studies are special because we need them in order to check permissions in study context. So the correct order is:
The order of (2)-(4) works fine. (1) is also guaranteed to be first thanks to django-stronghold. However, for API views we disable django-stronghold and use custom authentication.
That custom authentication runs during dispatch(), while the study is fetched in setup(). Django calls setup() before dispatch(), so this is actually the wrong way around: the study lookup (and its possible 404) happens before the request is authenticated.
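The following is an added example, not code from this project: a pure-Python stand-in for Django's view lifecycle that reproduces the problem described above. The `View` base class mirrors the real call order (setup() before dispatch()); `STUDIES`, the request/exception classes and the two view classes are constructed for illustration. It shows that loading the study in setup() lets an anonymous client tell existing studies from missing ones by status code, while doing the lookup after authentication does not.

```python
"""Check order in a study detail view: authenticate first, then look up the
study, then check permissions in study context.

Pure Python, no Django required. `View.as_view` follows Django's order:
setup() is called before dispatch(). All data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: one study, one member. Not from any real project.
STUDIES = {"s1": {"members": {"alice"}}}


@dataclass
class Request:
    user: Optional[str]  # None means the request is anonymous


class Http404(Exception):
    """Stand-in for django.http.Http404."""


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""


class View:
    """Minimal stand-in for django.views.View with the same call order."""

    @classmethod
    def as_view(cls):
        def view(request, **kwargs):
            self = cls()
            try:
                self.setup(request, **kwargs)            # runs first, as in Django
                return self.dispatch(request, **kwargs)  # runs second
            except Http404:
                return 404
            except PermissionDenied:
                return 403
        return view

    def setup(self, request, **kwargs):
        self.request = request
        self.kwargs = kwargs

    def dispatch(self, request, **kwargs):
        raise NotImplementedError


def load_study(pk):
    """Object lookup; raises Http404 for unknown studies."""
    try:
        return STUDIES[pk]
    except KeyError:
        raise Http404(pk)


def check_authenticated(request):
    """Check (1): the request must belong to a logged-in user."""
    if request.user is None:
        raise PermissionDenied("not authenticated")


def check_member(request, study):
    """Permission check in study context: the user must be a member."""
    if request.user not in study["members"]:
        raise PermissionDenied("not a member")


class LeakyStudyView(View):
    """Loads the study in setup(), i.e. before authentication in dispatch()."""

    def setup(self, request, **kwargs):
        super().setup(request, **kwargs)
        self.study = load_study(kwargs["pk"])  # may raise Http404 before any auth

    def dispatch(self, request, **kwargs):
        check_authenticated(request)  # authentication only happens here
        check_member(request, self.study)
        return 200


class SafeStudyView(View):
    """Authenticates first; the study lookup needed for permissions comes after."""

    def dispatch(self, request, **kwargs):
        check_authenticated(request)       # 1. authentication
        study = load_study(kwargs["pk"])   # 2. study, needed for the permission check
        check_member(request, study)       # 3. permission in study context
        return 200


def anonymous_responses(view):
    """Status codes an anonymous client gets for an existing and a missing study.

    A pair with two different codes means the view leaks whether a study exists.
    """
    anon = Request(user=None)
    return view(anon, pk="s1"), view(anon, pk="does-not-exist")


if __name__ == "__main__":
    print("leaky:", anonymous_responses(LeakyStudyView.as_view()))  # (403, 404)
    print("safe: ", anonymous_responses(SafeStudyView.as_view()))   # (403, 403)
```

The leaky variant answers 403 for an existing study and 404 for a missing one to a client that has not even authenticated; the safe variant answers 403 in both cases and only distinguishes 404 from 403 once the caller is authenticated, which matches the ordering the text asks for.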
I have some ideas on how to implement this:
I first went with the dispatch approach and did some related refactoring. In the end I switched to the third approach but liked the refactoring anyway, so I left it in.