From 605cedca7897a02e2d586ddf6ff1999a3e16fd1c Mon Sep 17 00:00:00 2001 From: Matt Westcott Date: Tue, 22 Oct 2019 12:38:09 +0100 Subject: [PATCH] Ensure admin API always uses SessionAuthentication backend Fixes #5585 and (at least partly) #5628 --- wagtail/admin/api/endpoints.py | 3 +++ wagtail/tests/settings.py | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/wagtail/admin/api/endpoints.py b/wagtail/admin/api/endpoints.py index ba76c5e26..ba9206df6 100644 --- a/wagtail/admin/api/endpoints.py +++ b/wagtail/admin/api/endpoints.py @@ -1,5 +1,7 @@ from collections import OrderedDict +from rest_framework.authentication import SessionAuthentication + from wagtail.api.v2.endpoints import PagesAPIEndpoint from wagtail.api.v2.filters import ( ChildOfFilter, DescendantOfFilter, FieldsFilter, ForExplorerFilter, OrderingFilter, @@ -13,6 +15,7 @@ from .serializers import AdminPageSerializer class PagesAdminAPIEndpoint(PagesAPIEndpoint): base_serializer_class = AdminPageSerializer + authentication_classes = [SessionAuthentication] # Use unrestricted child_of/descendant_of filters # Add has_children filter diff --git a/wagtail/tests/settings.py b/wagtail/tests/settings.py index a7718cc90..f4bee8c7f 100644 --- a/wagtail/tests/settings.py +++ b/wagtail/tests/settings.py @@ -220,3 +220,13 @@ WAGTAILADMIN_RICH_TEXT_EDITORS = { 'WIDGET': 'wagtail.tests.testapp.rich_text.CustomRichTextArea' }, } + + +# Set a non-standard DEFAULT_AUTHENTICATION_CLASSES value, to verify that the +# admin API still works with session-based auth regardless of this setting +# (see https://github.com/wagtail/wagtail/issues/5585) +REST_FRAMEWORK = { + 'DEFAULT_AUTHENTICATION_CLASSES': [ + 'rest_framework.authentication.BasicAuthentication', + ] +}
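Review bot: The added `authentication_classes = [SessionAuthentication]` line in `PagesAdminAPIEndpoint` carries no comment explaining why this endpoint overrides the project-wide DRF default, so a later cleanup could drop it and reintroduce #5585. I would put `# Always authenticate via the session, regardless of the project's DEFAULT_AUTHENTICATION_CLASSES (see #5585)` directly above it. The hunk pins authentication only. Whether `permission_classes` is also fixed is not visible here, because the parent class and the URL wiring are outside the diff, so it is worth confirming that a site-level `DEFAULT_PERMISSION_CLASSES` cannot change who reaches this endpoint. The class body continues past the end of the hunk.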
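Review bot: The regression check for #5585 is only implicit: `REST_FRAMEWORK` is set for the whole test settings module and the diffstat shows no test file changed, so nothing asserts the behaviour directly. An explicit admin API test would survive later edits to this settings block, for example one under `override_settings` with a non-session default asserting that a logged-in client still succeeds, and one asserting that a request without a session is refused. Because the setting is global, it presumably also changes the default authentication for every other DRF view the suite exercises, including the public API tests. It is worth confirming that this is intended, and saying so in the comment above the dict.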