OAuth: Add profile-only access

2026-05-03 14:54:04 +00:00 · 2020-09-28 16:01:59 +02:00
parent ae0637a3d6
commit 3cbcf663e5
8 changed files with 92 additions and 24 deletions
--- a/src/pretix/api/auth/permission.py
+++ b/src/pretix/api/auth/permission.py
@@ -84,3 +84,15 @@ class EventCRUDPermission(EventPermission):
            return False

        return True
+
+
+class ProfilePermission(BasePermission):
+
+    def has_permission(self, request, view):
+        if not request.user.is_authenticated:
+            return False
+
+        if isinstance(request.auth, OAuthAccessToken):
+            if not (request.auth.allow_scopes(['read']) or request.auth.allow_scopes(['profile'])) and request.method in SAFE_METHODS:
+                return False
+        return True