Closed relrod closed 1 month ago
I would model the docs after this:
https://github.com/ansible/eda-server/blob/main/src/aap_eda/settings/default.py#L325-L328
@AlanCoding I reworked this a bit and made it require `IsAuthenticated` too. I am curious on your thoughts here. I guess the downside is that it places a restriction in that you can't just include this permission class everywhere -- but the views that don't require `IsAuthenticated` and should be fully public will need to set their `permission_classes` to avoid that anyway.
So I don't think there's anything lost by doing this, and I think there's an added security gain because I think requiring `IsAuthenticated` follows the principle of least surprise.
Sure, only concern is that, as in the eda-server case (link above), some apps may list both `IsAuthenticated` and other permission classes. So the DAB class here should make it clear that `IsAuthenticated` is redundant, and should not be listed.
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code
Provide a DRF permission class for ensuring that token scopes are adhered to, based on the upstream DOT permission classes.