From df7b5a3952223993119d08654afcd18ef8d91b6f Mon Sep 17 00:00:00 2001
From: krmax44
Date: Fri, 8 Nov 2024 16:12:13 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=82=20allow=20creating/updating=20via?= =?UTF-8?q?=20api=20also=20with=20regular=20authentication,=20not=20just?= =?UTF-8?q?=20tokens?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

otherwise, we'd have to generate a token for our frontend
---
 froide/foirequest/auth.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/froide/foirequest/auth.py b/froide/foirequest/auth.py
index 698970604..1d6eba0a1 100644
--- a/froide/foirequest/auth.py
+++ b/froide/foirequest/auth.py
@@ -366,6 +366,8 @@ class CreateOnlyWithScopePermission(TokenHasScope):
 def has_permission(self, request, view):
 if view.action not in ("create", "update"):
 return True
- if not request.user.is_authenticated:
- return False
+ if request.user.is_authenticated and request.auth is None:
+ # allow api use with session authentication
+ # see https://www.django-rest-framework.org/api-guide/authentication/#sessionauthentication
+ return True
 return super().has_permission(request, view)
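Review bot: The new branch in `has_permission` treats every authenticated request with `request.auth is None` as session-authenticated, but that condition only says the authenticator returned no token object. DRF's `BasicAuthentication` and `RemoteUserAuthentication` also yield `(user, None)`, and they never go through the CSRF check that `SessionAuthentication` performs, so if either is enabled for these views (the settings are not visible here) create/update would skip the scope requirement through them too. Checking the authenticator itself keeps the exemption as narrow as the comment describes: `if request.user.is_authenticated and isinstance(request.successful_authenticator, SessionAuthentication):`, which needs `SessionAuthentication` imported from `rest_framework.authentication`; the file's imports are outside the hunk. A one-line docstring on the method stating that session users bypass the scope check while token clients still need it would also help, because the class name `CreateOnlyWithScopePermission` no longer describes that path; the class header is outside the hunk.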