API authentication
Closed this issue · 1 comments
davidfischer commented
The ad decision API, reporting APIs, and other APIs will require permissions to be set up.
I see a few different permission levels:
- Staff permission - access to basically all APIs
- Advertiser permission - access to only reports for a specific advertiser
- Publisher permission - access to only reports for a specific publisher (RTD.org will use this)
The permissions should probably be tied to specific users who then have access to a specific advertiser or publisher.
davidfischer commented
After discussion, the plan is to always authenticate every API to a user. We will have custom DRF permissions such as an AdvertiserPermission and a PublisherPermission which check whether a user has permissions on the specific advertiser or publisher.
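One way the permission checks described in the comment above could be structured, as an added sketch that is not code from this issue or from the project. It is plain Python that mirrors DRF's `has_permission` / `has_object_permission` interface; the `User` fields, the `slug` attribute on advertiser and publisher objects, and the `allowed` helper are assumptions made for illustration.

```python
# Added sketch: in a real project these classes would subclass
# rest_framework.permissions.BasePermission; here they only mirror its methods.
from dataclasses import dataclass, field
from types import SimpleNamespace


@dataclass
class User:  # hypothetical stand-in for the Django user model
    name: str
    is_authenticated: bool = True
    is_staff: bool = False
    advertisers: set = field(default_factory=set)  # assumed user-to-advertiser link
    publishers: set = field(default_factory=set)   # assumed user-to-publisher link


class _ScopedPermission:
    """Every request must map to a user; object access needs staff or membership."""
    relation = None  # name of the User attribute holding the permitted slugs

    def has_permission(self, request, view):
        # Deny anonymous callers before any object lookup happens.
        user = getattr(request, "user", None)
        return bool(user and user.is_authenticated)

    def has_object_permission(self, request, view, obj):
        user = request.user
        if user.is_staff:  # staff level: access to basically all APIs
            return True
        # Deny by default: only an explicit link to this object grants access.
        return obj.slug in getattr(user, self.relation)


class AdvertiserPermission(_ScopedPermission):
    relation = "advertisers"


class PublisherPermission(_ScopedPermission):
    relation = "publishers"


def allowed(permission, user, obj):
    """Run both checks in the order DRF applies them for a detail view."""
    request = SimpleNamespace(user=user)
    return (permission.has_permission(request, None)
            and permission.has_object_permission(request, None, obj))
```

Keeping the user-to-object lookup in `has_object_permission` means an authenticated advertiser user cannot read another advertiser's report by changing the identifier in the URL.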