Add AllowAny to endpoints that should be available without Auth

Author: Oksamies

django/thunderstore/frontend/api/experimental/views/community_package_list.py

@@ -7,6 +7,7 @@
 from rest_framework import status
 from rest_framework.exceptions import ParseError
 from rest_framework.generics import get_object_or_404
+from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -27,7 +28,7 @@ class CommunityPackageListApiView(APIView):
     Return paginated list of community's packages.
     """
 
-    permission_classes = []
+    permission_classes = [AllowAny]
 
     @swagger_auto_schema(
         responses={200: CommunityPackageListSerializer()},

django/thunderstore/frontend/api/experimental/views/frontpage.py

@@ -1,6 +1,7 @@
 from django.db.models import QuerySet
 from django.http import HttpRequest, HttpResponse
 from drf_yasg.utils import swagger_auto_schema
+from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -15,7 +16,7 @@ class FrontPageApiView(APIView):
     Return information required to render the site's front page.
     """
 
-    permission_classes = []
+    permission_classes = [AllowAny]
 
     @swagger_auto_schema(
         responses={200: FrontPageContentSerializer()},

django/thunderstore/frontend/api/experimental/views/markdown.py

@@ -1,5 +1,6 @@
 from drf_yasg.utils import swagger_auto_schema
 from rest_framework import status
+from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -12,7 +13,7 @@
 
 class RenderMarkdownApiView(APIView):
     serializer_class = RenderMarkdownResponseSerializer
-    permission_classes = []
+    permission_classes = [AllowAny]
 
     @swagger_auto_schema(
         request_body=RenderMarkdownParamsSerializer,

django/thunderstore/frontend/api/experimental/views/package_details.py

@@ -3,6 +3,7 @@
 from drf_yasg.utils import swagger_auto_schema
 from rest_framework import status
 from rest_framework.generics import get_object_or_404
+from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -21,7 +22,7 @@ class PackageDetailApiView(APIView):
     Return details about a single Package.
     """
 
-    permission_classes = []
+    permission_classes = [AllowAny]
 
     @swagger_auto_schema(
         responses={200: PackageDetailViewContentSerializer()},

django/thunderstore/modpacks/api/experimental/views/legacyprofile.py

@@ -5,6 +5,7 @@
 from rest_framework import serializers, status
 from rest_framework.exceptions import NotFound, ValidationError
 from rest_framework.parsers import FileUploadParser
+from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 from rest_framework.throttling import UserRateThrottle
 from rest_framework.views import APIView
@@ -30,7 +31,7 @@ def get_rate(self) -> str:
 
 
 class LegacyProfileCreateApiView(APIView):
-    permission_classes = []
+    permission_classes = [AllowAny]
     parser_classes = [LegacyProfileFileUploadParser]
     throttle_classes = [LegacyProfileCreateThrottle]
 
@@ -54,7 +55,7 @@ def post(self, request, *args, **kwargs):
 
 
 class LegacyProfileRetrieveApiView(APIView):
-    permission_classes = []
+    permission_classes = [AllowAny]
 
     @swagger_auto_schema(
         responses={200: Schema(title="content", type=TYPE_FILE)},

django/thunderstore/repository/api/experimental/views/package.py

@@ -3,6 +3,7 @@
 from rest_framework.exceptions import ValidationError
 from rest_framework.generics import ListAPIView, RetrieveAPIView, get_object_or_404
 from rest_framework.pagination import CursorPagination
+from rest_framework.permissions import AllowAny
 
 from thunderstore.cache.cache import ManualCacheCommunityMixin
 from thunderstore.cache.enums import CacheBustCondition
@@ -49,6 +50,7 @@ class PackageListApiView(ManualCacheCommunityMixin, ListAPIView):
     Lists all available packages
     """
 
+    permission_classes = [AllowAny]
     cache_until = CacheBustCondition.any_package_updated
     serializer_class = PackageSerializerExperimental
     pagination_class = CustomCursorPagination
@@ -69,6 +71,7 @@ class PackageDetailApiView(ManualCacheCommunityMixin, RetrieveAPIView):
     Get a single package
     """
 
+    permission_classes = [AllowAny]
     cache_until = CacheBustCondition.any_package_updated
     serializer_class = PackageSerializerExperimental
 

django/thunderstore/repository/api/experimental/views/package_index.py

@@ -7,6 +7,7 @@
 from drf_yasg.utils import swagger_auto_schema
 from rest_framework import serializers
 from rest_framework.exceptions import APIException
+from rest_framework.permissions import AllowAny
 from rest_framework.renderers import JSONRenderer
 from rest_framework.views import APIView
 from sentry_sdk import capture_exception
@@ -81,6 +82,8 @@ class PackageIndexApiView(APIView):
     newline delimited JSON.
     """
 
+    permission_classes = [AllowAny]
+
     @swagger_auto_schema(
         tags=["experimental"],
         responses={200: PackageIndexEntry(many=True)},

django/thunderstore/repository/api/experimental/views/package_version.py

@@ -1,6 +1,7 @@
 from drf_yasg.utils import swagger_auto_schema
 from rest_framework.exceptions import ValidationError
 from rest_framework.generics import RetrieveAPIView, get_object_or_404
+from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 
 from thunderstore.cache.cache import ManualCacheCommunityMixin
@@ -59,6 +60,7 @@ class PackageVersionDetailApiView(PackageVersionDetailMixin):
     Get a single package version
     """
 
+    permission_classes = [AllowAny]
     serializer_class = PackageVersionSerializerExperimental
 
     @swagger_auto_schema(
@@ -74,6 +76,7 @@ class PackageVersionChangelogApiView(PackageVersionDetailMixin):
     Get a package verion's changelog
     """
 
+    permission_classes = [AllowAny]
     serializer_class = MarkdownResponseSerializer
 
     @swagger_auto_schema(
@@ -94,6 +97,7 @@ class PackageVersionReadmeApiView(PackageVersionDetailMixin):
     Get a package verion's readme
     """
 
+    permission_classes = [AllowAny]
     serializer_class = MarkdownResponseSerializer
 
     @swagger_auto_schema(

django/thunderstore/repository/api/experimental/views/wiki.py

@@ -9,6 +9,7 @@
 from rest_framework import serializers
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.generics import GenericAPIView, RetrieveAPIView, get_object_or_404
+from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 
 from thunderstore.repository.models import Package, PackageWiki
@@ -23,6 +24,7 @@
 
 
 class PackageWikiApiView(RetrieveAPIView):
+    permission_classes = [AllowAny]
     queryset = Wiki.objects.all().prefetch_related("pages")
     serializer_class = WikiSerializer
 
@@ -136,6 +138,7 @@ class PackageWikiListResponse(serializers.Serializer):
 
 
 class PackageWikiListAPIView(GenericAPIView):
+    permission_classes = [AllowAny]
     queryset = (
         PackageWiki.objects.all()
         .annotate(namespace=F("package__owner__name"), name=F("package__name"))

django/thunderstore/repository/api/v1/views/deprecate.py

@@ -2,6 +2,7 @@
 
 from drf_yasg.utils import swagger_auto_schema
 from rest_framework.exceptions import NotFound, PermissionDenied
+from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 
 from thunderstore.core.jwt_helpers import JWTApiView
@@ -18,6 +19,8 @@ class DeprecateModApiView(JWTApiView):
     * Only users with special permissions may use this action
     """
 
+    permission_classes = [AllowAny]
+
     def get_package(self, package_name):
         if package_name is None:
             raise NotFound()

django/thunderstore/repository/api/v1/viewsets.py

@@ -10,7 +10,7 @@
 from rest_framework.authentication import BasicAuthentication, SessionAuthentication
 from rest_framework.decorators import action
 from rest_framework.generics import get_object_or_404
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import AllowAny, IsAuthenticated
 from rest_framework.renderers import JSONRenderer
 from rest_framework.response import Response
 
@@ -74,6 +74,7 @@ class PackageViewSet(
     CommunityMixin,
     viewsets.ReadOnlyModelViewSet,
 ):
+    permission_classes = [AllowAny]
     cache_database_fallback = False
     serializer_class = PACKAGE_SERIALIZER
     lookup_field = "package__uuid4"

django/thunderstore/schema_server/api/experimental/views/channel.py

@@ -9,6 +9,7 @@
 from rest_framework.exceptions import NotFound, PermissionDenied, ValidationError
 from rest_framework.generics import get_object_or_404
 from rest_framework.parsers import FileUploadParser
+from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -28,7 +29,7 @@ def get_filename(self, stream, media_type, parser_context):
 
 
 class SchemaChannelApiView(APIView):
-    permission_classes = []
+    permission_classes = [AllowAny]
     parser_classes = [SchemaFileUploadParser]
     throttle_classes = []
 
@@ -65,7 +66,7 @@ def post(self, request, channel: str, *args, **kwargs):
 
 
 class SchemaChannelLatestApiView(APIView):
-    permission_classes = []
+    permission_classes = [AllowAny]
 
     @swagger_auto_schema(
         responses={200: Schema(title="content", type=TYPE_FILE)},

django/thunderstore/social/api/experimental/views/current_user.py

@@ -6,6 +6,7 @@
 from drf_yasg.utils import swagger_auto_schema
 from pydantic import BaseModel
 from rest_framework import serializers
+from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -20,6 +21,8 @@ class CurrentUserExperimentalApiView(APIView):
     Gets information about the current user, such as rated packages and permissions
     """
 
+    permission_classes = [AllowAny]
+
     @swagger_auto_schema(tags=["experimental"])
     def get(self, request, format=None):
         if request.user.is_authenticated:

django/thunderstore/social/api/experimental/views/overwolf.py

@@ -9,7 +9,7 @@
 from pydantic import BaseModel
 from rest_framework import serializers
 from rest_framework.exceptions import AuthenticationFailed
-from rest_framework.permissions import BasePermission
+from rest_framework.permissions import AllowAny, BasePermission
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -54,7 +54,7 @@ class OverwolfLoginApiView(APIView):
     login process triggered from a browser.
     """
 
-    permission_classes: Sequence[Type[BasePermission]] = []
+    permission_classes: Sequence[Type[BasePermission]] = [AllowAny]
 
     @swagger_auto_schema(
         operation_id="experimental.auth.overwolf.login",

django/thunderstore/social/api/experimental/views/validate_session.py

@@ -1,5 +1,6 @@
 from django.http import HttpResponse
 from drf_yasg.utils import swagger_auto_schema  # type: ignore
+from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.status import HTTP_401_UNAUTHORIZED
@@ -11,6 +12,8 @@ class ValidateSessionApiView(APIView):
     Check that valid session key is provided in Authorization header.
     """
 
+    permission_classes = [AllowAny]
+
     @swagger_auto_schema(
         operation_id="experimental.auth.validate",
         responses={

django/thunderstore/social/api/v1/views/current_user.py

@@ -1,5 +1,6 @@
 from drf_yasg.utils import swagger_auto_schema
 from rest_framework.authentication import BasicAuthentication, SessionAuthentication
+from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -10,6 +11,7 @@ class CurrentUserInfoView(APIView):
     """
 
     authentication_classes = [SessionAuthentication, BasicAuthentication]
+    permission_classes = [AllowAny]
 
     @swagger_auto_schema(tags=["v1"])
     def get(self, request, format=None, community_identifier=None):

django/thunderstore/wiki/api/experimental/views.py

@@ -1,11 +1,13 @@
 from drf_yasg.utils import swagger_auto_schema
 from rest_framework.generics import RetrieveAPIView
+from rest_framework.permissions import AllowAny
 
 from thunderstore.wiki.api.experimental.serializers import WikiPageSerializer
 from thunderstore.wiki.models import WikiPage
 
 
 class WikiPageApiView(RetrieveAPIView):
+    permission_classes = [AllowAny]
     queryset = WikiPage.objects.all()
     serializer_class = WikiPageSerializer