check oauth_scopes in _every_ view

see: https://github.com/ansible/tower/issues/2759
2026-02-18 03:30:02 -03:30 · 2018-08-06 09:43:58 -04:00
parent fc589389fc
commit ec735b7b47
2 changed files with 6 additions and 2 deletions
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -327,6 +327,12 @@ class APIView(views.APIView):
                kwargs.pop('version')
        return super(APIView, self).dispatch(request, *args, **kwargs)

+    def check_permissions(self, request):
+        if request.method not in ('GET', 'OPTIONS', 'HEAD'):
+            if 'write' not in getattr(request.user, 'oauth_scopes', ['write']):
+                raise PermissionDenied()
+        return super(APIView, self).check_permissions(request)
+

 class GenericAPIView(generics.GenericAPIView, APIView):
    # Base class for all model-based views.