Permissions in /api compared to /admin

[bryan-brancotte]

Hi !

I need your opinion on this @hmenager @thomasrosnet

When a user wants to edit an object trough /api, we use the permissions specified in the class to test whether the user can or cannot edit the object. When the same user wants to do it through /admin we also check if the user is granted on the model by django permissions.

This means :

• a user can have more rights in /api than in /admin.
• a user that have just created an account can create a team without needing to wait for an admin to grant him/her the permission

We thus have to chose between :

• strictly the same rights between /api /admin and user who cannot create new objects unless an admin allows it
• /api does not use model permission, user can directly add new objects, but have to be granted to do it in the admin interface
• not use model permission at all, juste permissions we create in permissions.py (PubliclyReadableEditableByLeader, ...) and thus have strictly the same rights between /api /admin

[bryan-brancotte]

...and my opinion on this matter is that we should allows all admins to edit in /admin everything they already can in /api

[bryan-brancotte]

The patch doing the first very strict option
git apply /tmp/patch.txt
patch.txt