From cd3ce848d15e214a2b6149b49ed3530aec22eaa5 Mon Sep 17 00:00:00 2001
From: Raphael Michel <mail@raphaelmichel.de>
Date: Tue, 25 Sep 2018 12:30:15 +0200
Subject: [PATCH] Document permissions

---
 doc/api/deviceauth.rst | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/doc/api/deviceauth.rst b/doc/api/deviceauth.rst
index 52f784afc1..1cd337b9c3 100644
--- a/doc/api/deviceauth.rst
+++ b/doc/api/deviceauth.rst
@@ -125,3 +125,13 @@ invalidate your API key. There is no way to reverse this operation.
    Authorization: Device 1kcsh572fonm3hawalrncam4l1gktr2rzx25a22l8g9hx108o9oi0rztpcvwnfnd
 
 This can also be done by the user through the web interface.
+
+Permissions
+-----------
+
+Device authentication is currently hardcoded to grant the following permissions:
+
+* View event meta data and products etc.
+* View and change orders
+
+Devices cannot change events or products and cannot access vouchers.