From dedf98a12e7716c313b956ee830899c2692a3cf5 Mon Sep 17 00:00:00 2001
From: jedi
Date: Mon, 20 Nov 2023 06:46:43 +0100
Subject: [PATCH] do not check permissions in api v1 as they are checked by nginx already
---
 core/core/version.py | 4 +++-
 core/inventory/api_v1.py | 12 +++++++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/core/core/version.py b/core/core/version.py
index e6493b2..64d3bde 100644
--- a/core/core/version.py
+++ b/core/core/version.py
@@ -1,10 +1,12 @@
-from rest_framework.decorators import api_view
+from rest_framework.decorators import api_view, permission_classes, authentication_classes
 from rest_framework.response import Response
 from .settings import SYSTEM3_VERSION
 @api_view(['GET'])
+@permission_classes([])
+@authentication_classes([])
 def get_info(request):
 return Response({
 "framework_version": SYSTEM3_VERSION,
diff --git a/core/inventory/api_v1.py b/core/inventory/api_v1.py
index 65dfab3..6e67df0 100644
--- a/core/inventory/api_v1.py
+++ b/core/inventory/api_v1.py
@@ -2,7 +2,7 @@ from datetime import datetime
 from django.urls import path
 from rest_framework import routers, viewsets, serializers
-from rest_framework.decorators import api_view
+from rest_framework.decorators import api_view, permission_classes, authentication_classes
 from rest_framework.response import Response
 from files.models import File
@@ -19,6 +19,8 @@ class EventSerializer(serializers.ModelSerializer):
 class EventViewSet(viewsets.ModelViewSet):
 serializer_class = EventSerializer
 queryset = Event.objects.all()
+ permission_classes = []
+ authentication_classes = []
 class ContainerSerializer(serializers.ModelSerializer):
@@ -36,6 +38,8 @@ class ContainerSerializer(serializers.ModelSerializer):
 class ContainerViewSet(viewsets.ModelViewSet):
 serializer_class = ContainerSerializer
 queryset = Container.objects.all()
+ permission_classes = []
+ authentication_classes = []
 class ItemSerializer(serializers.ModelSerializer):
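Review bot: Setting `permission_classes = []` and `authentication_classes = []` on `EventViewSet` leaves a full `ModelViewSet` (create, update, delete) with no check of its own, so the only control is the nginx rule the commit message refers to, which is not visible in this patch. Any request that reaches the application without passing through that nginx location (a directly reachable upstream port or socket, a second vhost, a later location block) gets unauthenticated write access; the same applies to `ContainerViewSet` in this file and to `search_items`, `item` and `item_by_id` in the later hunks. Consider failing closed in the application by having nginx forward the authenticated identity and keeping `authentication_classes = [RemoteUserAuthentication]` with `permission_classes = [IsAuthenticated]`, or at minimum bind the upstream to loopback or a unix socket and add a comment on each view naming the nginx rule it depends on. For `get_info` in version.py the empty lists look intentional for a public endpoint; a comment such as `# public: version info only, no auth by design` would distinguish it from the others.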
@@ -89,6 +93,8 @@ class ItemSerializer(serializers.ModelSerializer):
 @api_view(['GET'])
+@permission_classes([])
+@authentication_classes([])
 def search_items(request, event_slug, query):
 event = Event.objects.get(slug=event_slug)
 query_tokens = query.split(' ')
@@ -100,6 +106,8 @@ def search_items(request, event_slug, query):
 @api_view(['GET', 'POST'])
+@permission_classes([])
+@authentication_classes([])
 def item(request, event_slug):
 event = Event.objects.get(slug=event_slug)
 if request.method == 'GET':
@@ -112,6 +120,8 @@ def item(request, event_slug):
 @api_view(['GET', 'PUT', 'DELETE'])
+@permission_classes([])
+@authentication_classes([])
 def item_by_id(request, event_slug, id):
 try:
 event = Event.objects.get(slug=event_slug)
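Review bot: With `@authentication_classes([])` on `item`, DRF performs no CSRF check on the `POST` branch, because that check lives inside `SessionAuthentication` and `api_view` marks the view CSRF-exempt. If the nginx layer authenticates with credentials a browser attaches automatically (HTTP Basic, a client certificate, a cookie), which this diff does not show, a cross-site form submission would be accepted on behalf of the logged-in user. Requests also reach the views as anonymous, so changes made through `item` and `item_by_id` cannot be attributed to a user inside the application. If nginx-only authentication stays, an Origin/Referer check or a required custom request header on state-changing methods would close the gap; the bodies of `item` and `item_by_id` continue outside these hunks.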