Conflicting server responses

I have this application and people can create projects. They can then also delete a project. The action works and the project is deleted correctly. Why would I get this conflicting server response? It says I do not have access, then it changes its mind and allows me to go ahead and delete a project.

This is the view I am using to delete the project. The project's pk is sent via the URL:

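from rest_framework import generics
from rest_framework.permissions import IsAuthenticated

class DeleteProject(generics.DestroyAPIView):
    # Only authenticated requests pass the permission check
    permission_classes = [IsAuthenticated]
    serializer_class = UpdateProjectSerializer
    queryset = Project.objects.all()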

Here is the server response:


Why deny but then allow access if I am logged in for sure?

What authentication mechanism are you using?

I suppose you have DEFAULT_AUTHENTICATION_CLASSES defined in your REST_FRAMEWORK setting. What does it contain?

Who is issuing the two requests (the one that gets a 401 response and the one that gets a 201 response)?

Can you check on the client side what is sent in both requests' headers?