JumboCode / TUTV

JumboCode project for TUTV, currently led by Frank Ma. Led by Deepanshu Utkarsh 2019 - 2020.

Adopt Django Cors Headers middleware #151

Closed Frama-99 closed 2 years ago

Frama-99 commented 2 years ago

We currently have the IsAuthenticatedOrReadOnly permission class provided by DRF as the default permission class. This allows GET, HEAD, and OPTIONS operations from unauthenticated users, which we don't want in some cases (e.g. we want the requests endpoint to be viewable only to authorized users).

When the permission class for EquipmentRequestViewSet is set to IsAuthenticated (i.e. all operations require authentication), we get a CORS error when POSTing. This isn't an issue in Postman but it does happen in the browser. The reason is that a pre-flight OPTIONS request is sent before POST by the browser, which doesn't have any authentication information.

This issue is identified here: https://github.com/encode/django-rest-framework/issues/5616. It seems that the verdict is that rather than writing a custom permission class that allows all OPTIONS requests, it's better to use django_cors_headers: https://github.com/adamchainz/django-cors-headers

This will also help us streamline adding CORS headers in local testing to allow a frontend at localhost:3000 to access the API on localhost:8000. Currently, we specify our own middleware in tutvwebsite/middleware.py, but it can be replaced by adding django_cors_headers settings in settings/local.py.
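As an added illustration that is not part of the original issue, of the TUTV code base, or of django-cors-headers itself, the following constructed Python simulation shows why the preflight fails under IsAuthenticated and how a CORS middleware that runs before the view fixes it: the browser's OPTIONS preflight carries an Origin and Access-Control-Request-Method header but never an Authorization header, so any handler that checks credentials first rejects it. A middleware placed ahead of authentication answers the preflight itself and only echoes Access-Control-Allow-Origin for origins on an allow-list, which is the role django-cors-headers plays when `corsheaders` is in INSTALLED_APPS, `corsheaders.middleware.CorsMiddleware` is listed before CommonMiddleware, and the dev frontend is named in CORS_ALLOWED_ORIGINS. The class and function names below (Request, Response, cors_middleware, equipment_request_view) are hypothetical stand-ins for the Django/DRF pipeline, and the origin list is constructed to match the localhost:3000 / localhost:8000 setup in the comment.

```python
"""Constructed simulation of CORS preflight vs. an authentication-first view.
Not django-cors-headers code; names are hypothetical stand-ins."""
from dataclasses import dataclass, field

# Constructed allow-list, the role CORS_ALLOWED_ORIGINS plays in the real library:
# only the dev frontend may call the API from a browser, never every origin.
ALLOWED_ORIGINS = {"http://localhost:3000"}
ALLOWED_METHODS = ("GET", "POST", "OPTIONS")
ALLOWED_HEADERS = ("authorization", "content-type")


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive
        lowered = {k.lower(): v for k, v in self.headers.items()}
        return lowered.get(name.lower())


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def is_preflight(request):
    """A CORS preflight is OPTIONS + Origin + Access-Control-Request-Method.
    Browsers send it without cookies or Authorization, so an auth check
    placed before this test will always reject it."""
    return (request.method == "OPTIONS"
            and request.header("Origin") is not None
            and request.header("Access-Control-Request-Method") is not None)


def add_cors_headers(request, response):
    """Echo the origin back only if it is on the allow-list."""
    origin = request.header("Origin")
    if origin in ALLOWED_ORIGINS:
        response.headers["Access-Control-Allow-Origin"] = origin
        response.headers["Vary"] = "Origin"
    return response


def cors_middleware(get_response):
    """Middleware wrapper: must sit before anything that enforces auth."""
    def middleware(request):
        if is_preflight(request):
            # Short-circuit: answer the preflight here, so the view's
            # permission check never sees the credential-less OPTIONS.
            resp = Response(200)
            if request.header("Origin") in ALLOWED_ORIGINS:
                resp.headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
                resp.headers["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
            return add_cors_headers(request, resp)
        return add_cors_headers(request, get_response(request))
    return middleware


def equipment_request_view(request):
    """Stand-in for EquipmentRequestViewSet under IsAuthenticated:
    every method, OPTIONS included, is rejected without credentials."""
    if request.header("Authorization") is None:
        return Response(401)
    return Response(201 if request.method == "POST" else 200)


# Two pipelines: the current state (view only) and the proposed one.
handler_without_cors = equipment_request_view
handler_with_cors = cors_middleware(equipment_request_view)


def preflight(origin):
    """Build the preflight a browser sends before a cross-origin POST."""
    return Request("OPTIONS", {
        "Origin": origin,
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "authorization, content-type",
    })


if __name__ == "__main__":
    print("no middleware:", handler_without_cors(preflight("http://localhost:3000")).status)
    print("with middleware:", handler_with_cors(preflight("http://localhost:3000")))
    print("disallowed origin:", handler_with_cors(preflight("http://other.example")))
```

Running the module shows the failure from the comment (401 on the preflight without the middleware) and the fixed flow (200 with Access-Control-Allow-Origin for localhost:3000 only). The actual POST still goes through the view's credential check, so enabling CORS does not weaken IsAuthenticated; it only lets the browser get past the preflight.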