We currently have the `IsAuthenticatedOrReadOnly` permission class provided by DRF as the default permission class. This allows `GET`, `HEAD`, and `OPTIONS` operations from unauthenticated users, which we don't want in some cases (e.g. we want the `requests` endpoint to be viewable only to authorized users).

When the permission class for `EquipmentRequestViewSet` is set to `IsAuthenticated` (i.e. all operations require authentication), we get a CORS error when POSTing. This isn't an issue in Postman but it does happen in the browser. The reason is that a pre-flight `OPTIONS` request is sent before POST by the browser, which doesn't have any authentication information.

This issue is identified here: https://github.com/encode/django-rest-framework/issues/5616. It seems that the verdict is that rather than writing a custom permission class that allows all `OPTIONS` requests, it's better to use `django_cors_headers`: https://github.com/adamchainz/django-cors-headers

This will also help us streamline adding CORS headers in local testing to allow a frontend at `localhost:3000` to access the API on `localhost:8000`. Currently, we specify our own middleware in `tutvwebsite/middleware.py`, but it can be replaced by adding `django_cors_headers` settings in `settings/local.py`.
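As an added example (not code from this issue or from the tutvwebsite project), here is what the `settings/local.py` fragment replacing the custom middleware could look like, together with a small check for the two misconfigurations that quietly undo the benefit of the change. It assumes the frontend origin `http://localhost:3000` from the issue and the app label `corsheaders` used by django-cors-headers.

```python
# Added example, not the project's own settings. Assumes the frontend runs on
# http://localhost:3000 as stated in the issue.

INSTALLED_APPS = [
    "django.contrib.auth",
    "django.contrib.contenttypes",
    "rest_framework",
    "corsheaders",  # app label of the django-cors-headers package
]

# CorsMiddleware must run before CommonMiddleware (and anything else that can
# produce a response) so it answers the unauthenticated preflight OPTIONS
# itself; DRF's IsAuthenticated check is never reached for the preflight.
MIDDLEWARE = [
    "corsheaders.middleware.CorsMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
]

# Only the local frontend, given as scheme://host:port; no wildcard.
CORS_ALLOWED_ORIGINS = ["http://localhost:3000"]
CORS_ALLOW_ALL_ORIGINS = False
# Only needed if the frontend sends cookies/session auth; token auth does not.
CORS_ALLOW_CREDENTIALS = True

REST_FRAMEWORK = {
    "DEFAULT_PERMISSION_CLASSES": ["rest_framework.permissions.IsAuthenticated"],
}


def cors_config_problems(middleware, allowed_origins, allow_all, allow_credentials):
    """Return a list of misconfigurations; an empty list means the fragment is sound."""
    problems = []
    cors = "corsheaders.middleware.CorsMiddleware"
    common = "django.middleware.common.CommonMiddleware"
    if cors not in middleware:
        problems.append("CorsMiddleware missing")
    elif common in middleware and middleware.index(cors) > middleware.index(common):
        problems.append("CorsMiddleware must come before CommonMiddleware")
    if allow_all:
        problems.append("CORS_ALLOW_ALL_ORIGINS=True lets any site call the API")
    if allow_all and allow_credentials:
        # django-cors-headers reflects the request Origin in this case, so any
        # site can make credentialed cross-origin requests.
        problems.append("any origin plus credentials: authenticated requests from any site")
    for origin in allowed_origins:
        if not origin.startswith(("http://", "https://")) or origin.endswith("/"):
            problems.append(f"origin must be scheme://host[:port] with no path: {origin}")
    return problems
```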