ansible / django-ansible-base

Apache License 2.0

Custom permission class for oauth token scope adherence #500

Closed relrod closed 1 month ago

relrod commented 2 months ago

Provide a DRF permission class for ensuring that token scopes are adhered to, based on the upstream DOT permission classes.

AlanCoding commented 2 months ago

I would model the docs after this:

https://github.com/ansible/eda-server/blob/main/src/aap_eda/settings/default.py#L325-L328

relrod commented 2 months ago

@AlanCoding I reworked this a bit and made it require IsAuthenticated too. I am curious about your thoughts here. I guess the downside is that it places a restriction in that you can't just include this permission class everywhere -- but the views that don't require IsAuthenticated and should be fully public will need to set their permission_classes to avoid that anyway.

So I don't think there's anything lost by doing this, and I think there's an added security gain because I think requiring IsAuthenticated follows the principle of least surprise.

AlanCoding commented 2 months ago

Sure, only concern is that, as in the eda-server case (link above), some apps may list both IsAuthenticated and other permission classes. So the DAB class here should make it clear that IsAuthenticated is redundant, and should not be listed.
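The design the thread settles on (scope enforcement that also requires an authenticated user, so that IsAuthenticated need not be listed beside it) can be illustrated with a small DRF-style permission class. This is an added example, not the class proposed in this PR and not django-oauth-toolkit's TokenHasScope. The `required_scopes` view attribute, the `FakeToken`/`FakeUser` stand-ins, the `make_request` helper and the fallback `BasePermission` are assumptions chosen so the example runs without Django or DRF installed; the token's `is_valid(scopes)` method mirrors the signature of DOT's AccessToken.

```python
"""Added example: one permission class that folds the IsAuthenticated check
into OAuth token scope enforcement. Hypothetical code, not the project's own."""
from dataclasses import dataclass
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission  # real DRF base class
except ImportError:  # assumption: minimal stand-in so the example runs without DRF
    class BasePermission:
        def has_permission(self, request, view):
            return True


@dataclass
class FakeToken:
    """Constructed stand-in for a DOT AccessToken.

    DOT stores granted scopes as a space-separated string and exposes
    is_valid(scopes) which also checks expiry; expiry is omitted here."""
    scope: str

    def is_valid(self, required_scopes):
        return set(required_scopes).issubset(self.scope.split())


@dataclass
class FakeUser:
    """Constructed stand-in for a Django user object."""
    is_authenticated: bool = False


class TokenHasRequiredScopes(BasePermission):
    """Deny unless request.user is authenticated (IsAuthenticated folded in);
    when the request carries an OAuth token in request.auth, additionally
    require every scope the view declares in `required_scopes`.

    Listing IsAuthenticated next to this class in permission_classes is
    redundant: the authentication check happens here first."""

    def get_scopes(self, request, view):
        # Assumption: views declare required_scopes = ["read", ...]
        return list(getattr(view, "required_scopes", []))

    def has_permission(self, request, view):
        user = getattr(request, "user", None)
        if user is None or not user.is_authenticated:
            return False  # anonymous callers never pass, token or not
        token = getattr(request, "auth", None)
        if token is None or not hasattr(token, "scope"):
            # Assumption: session/basic-auth requests have no token and skip
            # the scope check; a token-only deployment would return False here.
            return True
        return token.is_valid(self.get_scopes(request, view))


def make_request(user, auth=None):
    """Build the minimal request shape the permission class reads."""
    return SimpleNamespace(user=user, auth=auth)


def check(request, view):
    """Run the permission check and return the boolean DRF would act on."""
    return TokenHasRequiredScopes().has_permission(request, view)


if __name__ == "__main__":
    view = SimpleNamespace(required_scopes=["read"])
    token = FakeToken(scope="read write")
    print(check(make_request(FakeUser(False), token), view))  # anonymous: denied
    print(check(make_request(FakeUser(True), token), view))   # scoped token: allowed
    print(check(make_request(FakeUser(True), FakeToken("write")), view))  # wrong scope: denied
```

The first case is the one that motivates requiring IsAuthenticated: a request with a token that happens to carry the right scopes is still refused when no authenticated user is attached, so the class behaves predictably wherever it is listed on its own.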

sonarcloud[bot] commented 2 months ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud