From 3887255e9cd04053df21100178f6f021130f9bf5 Mon Sep 17 00:00:00 2001 From: lebaudantoine Date: Mon, 9 Feb 2026 00:22:30 +0100 Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F(backend)=20rework=20permissi?= =?UTF-8?q?on=20to=20better=20align=20with=20DRF=20responsibilities?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a viewset action is not implemented, the permission layer no longer returns a 403. Instead, it lets DRF handle the request and return the appropriate 405 Method Not Allowed response, ensuring cleaner and more standard API error handling.
---
 src/backend/core/external_api/permissions.py | 7 +++----
 src/backend/core/tests/test_external_api_rooms.py | 8 ++++----
 2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/src/backend/core/external_api/permissions.py b/src/backend/core/external_api/permissions.py
index 1bf29e81..37591b3f 100644
--- a/src/backend/core/external_api/permissions.py
+++ b/src/backend/core/external_api/permissions.py
@@ -33,12 +33,11 @@ class BaseScopePermission(permissions.BasePermission):
 Raises:
 PermissionDenied: If required scope is missing from token
 """
- # Get the current action (e.g., 'list', 'create')
+ # Get the current action (e.g., 'list', 'create'), if None let DRF handle it
 action = getattr(view, "action", None)
 if not action:
- raise exceptions.PermissionDenied(
- "Insufficient permissions. Unknown action."
- )
+ # DRF routers return a 405 for unsupported methods
+ return True
 
 required_scope = self.scope_map.get(action)
 if not required_scope:
diff --git a/src/backend/core/tests/test_external_api_rooms.py b/src/backend/core/tests/test_external_api_rooms.py
index eaf69ea1..1fc8c276 100644
--- a/src/backend/core/tests/test_external_api_rooms.py
+++ b/src/backend/core/tests/test_external_api_rooms.py
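Review bot: The new `return True` under `if not action:` fails open for every view that has no `action` attribute at all, not only for ViewSet methods the router left unmapped: `getattr(view, "action", None)` is also None on a plain APIView or GenericAPIView, and those views have no 405 fallback, so this permission class would now grant access there where it previously raised PermissionDenied. DRF's ViewSet dispatch produces the 405 the commit relies on only when the request method is absent from `view.action_map`, so that is the condition to test before falling through, keeping every other no-action case fail-closed. The test hunk in test_external_api_rooms.py only pins the ViewSet 405 path and would not catch the APIView case. The enclosing method starts outside the hunk (its docstring is cut at the top); assuming it is DRF's `has_permission(self, request, view)`, a guarded version could look like the following, and the docstring's Returns/Raises should state that True is returned only for an unmapped ViewSet method.
```python
        if not action:
            # Fall through to DRF's 405 only when this is a ViewSet and the
            # HTTP method is genuinely unmapped; any other missing action
            # stays fail-closed.
            action_map = getattr(view, "action_map", None)
            if action_map is not None and request.method.lower() not in action_map:
                return True
            raise exceptions.PermissionDenied(
                "Insufficient permissions. Unknown action."
            )
        # … unchanged: required_scope lookup …
```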
@@ -611,15 +611,15 @@ def test_api_rooms_unknown_actions(settings):
 client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
 response = client.delete(f"/external-api/v1.0/rooms/{room.id}/")
- assert response.status_code == 403
- assert "insufficient permissions. unknown action." in str(response.data).lower()
+ assert response.status_code == 405
+ assert 'method "delete" not allowed.' in str(response.data).lower()
 
 client = APIClient()
 client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
 response = client.patch(f"/external-api/v1.0/rooms/{room.id}/")
- assert response.status_code == 403
- assert "insufficient permissions. unknown action." in str(response.data).lower()
+ assert response.status_code == 405
+ assert 'method "patch" not allowed.' in str(response.data).lower()
 
 
 def test_api_rooms_response_no_url(settings):