Add device security profiles (#1806)

src/pretix/api/auth/device.py

@@ -3,6 +3,9 @@ from django_scopes import scopes_disabled
 from rest_framework import exceptions
 from rest_framework.authentication import TokenAuthentication
 
+from pretix.api.auth.devicesecurity import (
+    DEVICE_SECURITY_PROFILES, FullAccessSecurityProfile,
+)
 from pretix.base.models import Device
 
 
@@ -25,3 +28,11 @@ class DeviceTokenAuthentication(TokenAuthentication):
             raise exceptions.AuthenticationFailed('Device access has been revoked.')
 
         return AnonymousUser(), device
+
+    def authenticate(self, request):
+        r = super().authenticate(request)
+        if r and isinstance(r[1], Device):
+            profile = DEVICE_SECURITY_PROFILES.get(r[1].security_profile, FullAccessSecurityProfile)
+            if not profile.is_allowed(request):
+                raise exceptions.PermissionDenied('Request denied by device security profile.')
+        return r