We should consider implementing a basic permission system for API tokens. Users can opt in to authorize only the following actions with a given token:
- Create annotations
- Edit annotations
- Edit annotations of other users (for experts and admins)
- Delete annotations
- Delete annotations of other users (for experts and admins)
The authorization can happen in the policy classes, but how do we distinguish between a "user" and a "user using a specific token" in these classes?
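One way to answer the question above, as an added example that is not the project's own code: wrap the user and the token in one principal object that the policy classes receive, so a session login and a token login go through the same policy, but the token variant is additionally limited to the scopes it was issued with. It assumes Pundit-style Ruby policy classes; the `Actor` and `ApiToken` classes and the scope names are hypothetical.

```ruby
# Added example, not the project's own code. Assumes Pundit-style policy
# classes whose first argument is the acting principal; Actor is a
# hypothetical wrapper introduced here to carry the token alongside the user.
require 'set'
User = Struct.new(:id, :role)          # role is :user, :expert or :admin
Annotation = Struct.new(:id, :owner_id)

# The five opt-in scopes a token can be restricted to (names are constructed).
SCOPES = %w[annotations:create annotations:edit annotations:edit_others
            annotations:delete annotations:delete_others].freeze

# A token carries only the scopes its owner authorized for it.
class ApiToken
  attr_reader :user, :scopes
  def initialize(user, scopes)
    unknown = scopes - SCOPES
    raise ArgumentError, "unknown scopes: #{unknown.join(', ')}" unless unknown.empty?
    @user, @scopes = user, Set.new(scopes)
  end
end

# Passed to policies instead of a bare User. A session login has no token and
# keeps every permission the user has; a token login is limited to its scopes.
class Actor
  attr_reader :user, :token
  def initialize(user, token = nil)
    @user, @token = user, token
  end
  def scope?(scope)
    token.nil? || token.scopes.include?(scope)
  end
end

class AnnotationPolicy
  def initialize(actor, record)
    @actor, @record = actor, record
  end
  def create?;  @actor.scope?('annotations:create'); end
  def update?;  check('annotations:edit', 'annotations:edit_others'); end
  def destroy?; check('annotations:delete', 'annotations:delete_others'); end

  private
  # Own annotations need the plain scope; other users' annotations need the
  # expert/admin role *and* the separate *_others scope, so a token issued
  # without it cannot touch them even when the user is an admin.
  def check(own_scope, others_scope)
    return @actor.scope?(own_scope) if @record.owner_id == @actor.user.id
    %i[expert admin].include?(@actor.user.role) && @actor.scope?(others_scope)
  end
end
```

The controller builds `Actor.new(current_user, current_token)` once per request and authorizes with it; because a session login yields `token == nil`, the existing role checks keep working unchanged.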