diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py
index 3a8c580646..16459b251f 100644
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@@ -78,8 +78,11 @@ def has_permission(self, request, view):
 
     def has_object_permission(self, request, view, obj):
         return (
-            self.op1.has_object_permission(request, view, obj) or
-            self.op2.has_object_permission(request, view, obj)
+            self.op1.has_permission(request, view)
+            and self.op1.has_object_permission(request, view, obj)
+        ) or (
+            self.op2.has_permission(request, view)
+            and self.op2.has_object_permission(request, view, obj)
         )
 
 
diff --git a/setup.cfg b/setup.cfg
index abb7cca908..0b0fec5a7e 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -6,7 +6,7 @@ addopts=--tb=short --strict -ra
 testspath = tests
 
 [flake8]
-ignore = E501,W504
+ignore = E501,W503,W504
 banned-modules = json = use from rest_framework.utils import json!
 
 [isort]
diff --git a/tests/test_permissions.py b/tests/test_permissions.py
index 4e6cae4b81..f00b57ec19 100644
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@@ -635,7 +635,7 @@ def test_object_or_lazyness(self):
                 composed_perm = (permissions.IsAuthenticated | permissions.AllowAny)
                 hasperm = composed_perm().has_object_permission(request, None, None)
                 assert hasperm is True
-                assert mock_deny.call_count == 1
+                assert mock_deny.call_count == 0
                 assert mock_allow.call_count == 1
 
     def test_and_lazyness(self):
@@ -677,3 +677,16 @@ def test_object_and_lazyness(self):
                 assert hasperm is False
                 assert mock_deny.call_count == 1
                 mock_allow.assert_not_called()
+
+    def test_unimplemented_has_object_permission(self):
+        "test for issue 6402 https://github.com/encode/django-rest-framework/issues/6402"
+        request = factory.get('/1', format='json')
+        request.user = AnonymousUser()
+
+        class IsAuthenticatedUserOwner(permissions.IsAuthenticated):
+            def has_object_permission(self, request, view, obj):
+                return True
+
+        composed_perm = (IsAuthenticatedUserOwner | permissions.IsAdminUser)
+        hasperm = composed_perm().has_object_permission(request, None, None)
+        assert hasperm is False