While reviewing the challenge permissions, I came across a point in the IsChallengeCreator permission class that might need clarification or adjustment.
In apps/challenges/permissions.py, the has_permission method currently allows all SAFE_METHODS (GET, HEAD, OPTIONS) without performing an explicit authentication or authorization check:
if request.method in permissions.SAFE_METHODS:
return True
As IsChallengeCreator is used in challenge-related views, this behavior may result in broader access than intended for certain GET endpoints.
Additionally, the permission logic accesses request.parser_context["kwargs"]["challenge_pk"] directly, which may raise a KeyError if the expected key is not present in the request context.
I wanted to bring this to attention and check whether this aligns with the intended access control.
While reviewing the challenge permissions, I came across a point in the IsChallengeCreator permission class that might need clarification or adjustment.
In apps/challenges/permissions.py, the has_permission method currently allows all SAFE_METHODS (GET, HEAD, OPTIONS) without performing an explicit authentication or authorization check:
As IsChallengeCreator is used in challenge-related views, this behavior may result in broader access than intended for certain GET endpoints.
Additionally, the permission logic accesses request.parser_context["kwargs"]["challenge_pk"] directly, which may raise a KeyError if the expected key is not present in the request context.
I wanted to bring this to attention and check whether this aligns with the intended access control.