diff --git a/src/backend/core/external_api/permissions.py b/src/backend/core/external_api/permissions.py
index 1bf29e81..37591b3f 100644
--- a/src/backend/core/external_api/permissions.py
+++ b/src/backend/core/external_api/permissions.py
@@ -33,12 +33,11 @@ class BaseScopePermission(permissions.BasePermission):
         Raises:
             PermissionDenied: If required scope is missing from token
         """
-        # Get the current action (e.g., 'list', 'create')
+        # Get the current action (e.g., 'list', 'create'), if None let DRF handle it
         action = getattr(view, "action", None)
         if not action:
-            raise exceptions.PermissionDenied(
-                "Insufficient permissions. Unknown action."
-            )
+            # DRF routers return a 405 for unsupported methods
+            return True
 
         required_scope = self.scope_map.get(action)
         if not required_scope:
diff --git a/src/backend/core/tests/test_external_api_rooms.py b/src/backend/core/tests/test_external_api_rooms.py
index eaf69ea1..1fc8c276 100644
--- a/src/backend/core/tests/test_external_api_rooms.py
+++ b/src/backend/core/tests/test_external_api_rooms.py
@@ -611,15 +611,15 @@ def test_api_rooms_unknown_actions(settings):
     client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
 
     response = client.delete(f"/external-api/v1.0/rooms/{room.id}/")
-    assert response.status_code == 403
-    assert "insufficient permissions. unknown action." in str(response.data).lower()
+    assert response.status_code == 405
+    assert 'method "delete" not allowed.' in str(response.data).lower()
 
     client = APIClient()
     client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
 
     response = client.patch(f"/external-api/v1.0/rooms/{room.id}/")
-    assert response.status_code == 403
-    assert "insufficient permissions. unknown action." in str(response.data).lower()
+    assert response.status_code == 405
+    assert 'method "patch" not allowed.' in str(response.data).lower()
 
 
 def test_api_rooms_response_no_url(settings):
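Review bot: The new `return True` in the `if not action:` branch fails open for any view where `action` is missing, not only for an unmapped ViewSet method: a plain `APIView` never sets `action`, so a view that reuses this permission class and does define a handler for the method would skip the scope check entirely and run the handler. The 405 the comment relies on only arrives because DRF's dispatch resolves the method handler after `initial()` has already run the permission checks, so the bypass is safe only when no handler is bound to the request method. Restrict it to that case and keep denying otherwise, e.g. `if hasattr(view, request.method.lower()): raise exceptions.PermissionDenied("Insufficient permissions. Unknown action.")` immediately before `return True`, and make the comment say why: `# No handler bound for this method: let DRF answer 405; any other missing action is denied`. The enclosing method starts above the hunk, so I am assuming it is DRF's `has_permission(self, request, view)` and that `request` is in scope here.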
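Review bot: The new assertions on `'method "delete" not allowed.'` and `'method "patch" not allowed.'` couple the test to DRF's exact, translatable error wording, so a DRF upgrade or an active locale breaks it without any change in behaviour. Assert the stable machine-readable code instead, e.g. `assert response.data["detail"].code == "method_not_allowed"`, and keep the status-code assertion as the primary check. These two cases only exercise methods the router never maps; since the permission now returns True whenever `action` is missing, a case showing that a request without the required scope to a mapped action still gets 403 would pin the boundary of the new behaviour, if that is not already covered elsewhere in the file. The test function `test_api_rooms_unknown_actions` begins above the hunk.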