🛂 allow creating/updating via api also with regular authentication, n…

…ot just tokens otherwise, we'd have to generate a token for our frontend
okfde · Nov 18, 2024 · df7b5a3 · df7b5a3
1 parent be6021a
commit df7b5a3
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/froide/foirequest/auth.py b/froide/foirequest/auth.py
@@ -366,6 +366,8 @@ class CreateOnlyWithScopePermission(TokenHasScope):
     def has_permission(self, request, view):
         if view.action not in ("create", "update"):
             return True
-        if not request.user.is_authenticated:
-            return False
+        if request.user.is_authenticated and request.auth is None:
+            # allow api use with session authentication
+            # see https://www.django-rest-framework.org/api-guide/authentication/#sessionauthentication
+            return True
         return super().has_permission(request, view)