diff --git a/django_basic_auth.py b/django_basic_auth.py
index 33dda66..ad40035 100644
--- a/django_basic_auth.py
+++ b/django_basic_auth.py
@@ -33,6 +33,9 @@ def view_or_basicauth(view, request, test_func, realm = "", *args, **kwargs):
 request.user = user
 if test_func(request.user):
 return view(request, *args, **kwargs)
+ else:
+ # successfully authenticated but no permission
+ return HttpResponse(status=403)
 # Either they did not provide an authorization header or
 # something in the authorization attempt failed. Send a 401
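Review bot: The new `else` branch returns a bare `HttpResponse(status=403)` without recording the denial, so an authenticated account that repeatedly requests views it fails `test_func` for leaves no trace at this layer. I would log it before returning, e.g. `logger.warning("basic auth: user %s denied for %s", user, request.path)`, assuming a module-level logger is added to the file. Raising Django's `PermissionDenied` instead of building the response by hand would also route the denial through the project's 403 handler, and it would make the `else:` after `return view(...)` unnecessary. Because a 403 now tells a caller that the submitted credentials were valid while a 401 says they were not, it is worth confirming that failed Basic-auth attempts are throttled somewhere in front of this function. The body of `view_or_basicauth` starts and ends outside the hunk, so whether a session is already established by the time this branch runs cannot be seen here.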