I'm using drf and oauth toolkit with IsAuthenticatedOrTokenHasScope permissions as default. I have a view that contains scopes
required_scopes = ['mod', 'admin']
When a user logs into the app he has special groups which define his permission scope. So when the moderator logs into the app he gets the mod scope. When he calls my view he gets 403 because allow_scopes in the AccessToken model returns False. That is because the resource_scopes is ['mod', 'admin'] and provided_scopes is 'mod'. When the method allow_scopes checks resource_scopes.issubset(provided_scopes) it returns False, which is not intentional in my case.
Is there any other option, without overwriting allow_scopes in the AccessToken model, to define that this view needs scope mod or scope admin?
I think I found a way to get this to work. The oauth2_provider doesn't provide any function to achieve this. So, what I did was I defined my own custom permission which is similar to TokenHasScope. So, create a file called permissions.py and paste the code. Then in your view, import permissions and set it accordingly.
In the custom TokenHasAtLeastOneScope above, the code is similar to TokenHasScope. The only line that changes is the one which loops through the items in your required_scopes list and, if it finds a valid scope, returns True.
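As an added illustration (not the code posted in the answer above, whose permissions.py is not reproduced on this page), here is one way such an "any of the required scopes" permission can be written against django-oauth-toolkit's AccessToken interface. It assumes the real AccessToken object found on request.auth exposes a space-separated .scope string and an .is_valid(scopes) method that also enforces expiry, which is the same path TokenHasScope uses; the Fake* classes and the check() helper are constructed stand-ins so the file runs without Django or DRF installed.

```python
# Added example: a DRF permission that passes when the OAuth2 access token
# carries ANY of view.required_scopes, instead of ALL of them as
# oauth2_provider's TokenHasScope requires. Not the original answer's code.
try:
    from rest_framework.permissions import BasePermission
except Exception:  # ImportError or Django not configured: run stand-alone
    class BasePermission:
        def has_permission(self, request, view):
            return True


class TokenHasAtLeastOneScope(BasePermission):
    """Grant access if the token holds at least one of the required scopes.

    Each scope is checked through token.is_valid([scope]) rather than by
    comparing token.scope directly, so an expired token is still rejected.
    """
    message = "Token lacks all of the required scopes."

    def get_scopes(self, request, view):
        # Same contract as TokenHasScope: the view must declare required_scopes.
        required = getattr(view, "required_scopes", None)
        if required is None:
            raise ValueError(
                "%s must define required_scopes" % type(view).__name__)
        return list(required)

    def has_permission(self, request, view):
        token = getattr(request, "auth", None)
        if token is None or not hasattr(token, "scope"):
            return False  # not authenticated with an OAuth2 access token
        required_scopes = self.get_scopes(request, view)
        if not required_scopes:
            return False  # fail closed: an empty list grants nothing
        for scope in required_scopes:
            # is_valid() checks expiry AND that this scope was granted
            if token.is_valid([scope]):
                return True
        self.message = "Token lacks all of: %s" % ", ".join(required_scopes)
        return False


# ---- constructed stand-ins (assumptions, not django-oauth-toolkit code) ----
class FakeToken:
    """Mimics AccessToken.allow_scopes / is_valid for offline runs."""
    def __init__(self, scope, expired=False):
        self.scope = scope          # space-separated, e.g. "read mod"
        self.expired = expired

    def allow_scopes(self, scopes):
        # Same subset rule as AccessToken.allow_scopes in the question
        return set(scopes).issubset(set(self.scope.split()))

    def is_valid(self, scopes=None):
        return not self.expired and self.allow_scopes(scopes or [])


class FakeRequest:
    def __init__(self, token):
        self.auth = token


class ModOrAdminView:
    required_scopes = ["mod", "admin"]


def check(scope, expired=False, view=None):
    """Return the permission decision for a token holding `scope`."""
    view = view if view is not None else ModOrAdminView()
    request = FakeRequest(FakeToken(scope, expired=expired))
    return TokenHasAtLeastOneScope().has_permission(request, view)


if __name__ == "__main__":
    for scope, expired in [("mod", False), ("admin", False),
                           ("read", False), ("mod", True)]:
        print("scope=%-6s expired=%-5s -> %s" % (scope, expired, check(scope, expired)))
```

In a real project, drop the stand-in classes and set permission_classes = [TokenHasAtLeastOneScope] on the view alongside required_scopes = ['mod', 'admin']. Going through token.is_valid() per scope, rather than splitting token.scope yourself, keeps the expiry check that TokenHasScope relies on; a hand-rolled comparison of the scope string would silently accept expired tokens.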