Revert "rest: Simplify authentication error handling."

This reverts commit 1f90a31fa3.

zerver/lib/rest.py

@@ -140,15 +140,18 @@ def rest_dispatch(request: HttpRequest, **kwargs: Any) -> HttpResponse:
             target_function = authenticated_rest_api_view(
                 is_webhook='allow_incoming_webhooks' in view_flags,
             )(target_function)
-        elif request.path.startswith("/json") and 'allow_anonymous_user_web' in view_flags:
+        # Pick a way to tell user they're not authed based on how the request was made
-            # For endpoints that support anonymous web access, we do that.
+        else:
+            # Logged out user accessing an endpoint with anonymous user access on JSON; proceed.
+            # `allow_anonymous_user_web` calls are only restricted to /json calls used
+            # by our webapp.
             # TODO: Allow /api calls when this is stable enough.
+            if request.path.startswith("/json") and 'allow_anonymous_user_web' in view_flags:
                 auth_kwargs = dict(allow_unauthenticated=True)
                 target_function = csrf_protect(authenticated_json_view(
                     target_function, **auth_kwargs))
             else:
-            # Otherwise, throw an authentication error; our middleware
+                # Don't allow anonymous queries to endpoints witout `allow_anonymous_user_web` flag.
-            # will generate the appropriate HTTP response.
                 raise MissingAuthenticationError()
 
         if request.method not in ["GET", "POST"]: