♻️(backend) rework permission to better align with DRF responsibilities

If a viewset action is not implemented, the permission layer no longer returns
a 403. Instead, it lets DRF handle the request and return the appropriate 405
Method Not Allowed response, ensuring cleaner and more standard API error
handling.

src/backend/core/external_api/permissions.py

@@ -33,12 +33,11 @@ class BaseScopePermission(permissions.BasePermission):
         Raises:
             PermissionDenied: If required scope is missing from token
         """
-        # Get the current action (e.g., 'list', 'create')
+        # Get the current action (e.g., 'list', 'create'), if None let DRF handle it
         action = getattr(view, "action", None)
         if not action:
-            raise exceptions.PermissionDenied(
-                "Insufficient permissions. Unknown action."
-            )
+            # DRF routers return a 405 for unsupported methods
+            return True
 
         required_scope = self.scope_map.get(action)
         if not required_scope:

src/backend/core/tests/test_external_api_rooms.py

@@ -611,15 +611,15 @@ def test_api_rooms_unknown_actions(settings):
     client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
     response = client.delete(f"/external-api/v1.0/rooms/{room.id}/")
 
-    assert response.status_code == 403
-    assert "insufficient permissions. unknown action." in str(response.data).lower()
+    assert response.status_code == 405
+    assert 'method "delete" not allowed.' in str(response.data).lower()
 
     client = APIClient()
     client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
     response = client.patch(f"/external-api/v1.0/rooms/{room.id}/")
 
-    assert response.status_code == 403
-    assert "insufficient permissions. unknown action." in str(response.data).lower()
+    assert response.status_code == 405
+    assert 'method "patch" not allowed.' in str(response.data).lower()
 
 
 def test_api_rooms_response_no_url(settings):