Permissions
DRF permission classes for workspace and team access control.
Default Permission
All API endpoints require authentication by default, via the DRF `REST_FRAMEWORK` setting:
```python
"DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.IsAuthenticated",)
```
Note that a view which sets its own `permission_classes` replaces this default rather than extending it, which is why the ViewSets below list `IsAuthenticated` explicitly alongside the workspace check.
Workspace Permissions
Defined in backend/workspaces/permissions.py:
| Permission Class | Read | Write | Delete |
|---|---|---|---|
| IsWorkspaceMember | Member | Member | Member |
| IsWorkspaceOwnerOrAdmin | Owner/Admin | Owner/Admin | Owner/Admin |
| IsWorkspaceMemberForReadOwnerOrAdminForWrite | Member | Owner/Admin | Owner/Admin |
| CanManageWorkspaceMembership | Member | Owner/Admin | Owner/Admin |
Team Permissions
| Permission Class | Read | Write | Delete |
|---|---|---|---|
| IsTeamMember | Member | Member | Member |
| IsTeamPrivilegedUser | Owner/Admin | Owner/Admin | Owner/Admin |
| IsTeamMemberForReadTeamPrivilegedUserForWrite | Member | Owner/Admin | Owner/Admin |
| CanManageTeamMembership | Member | Owner/Admin | Owner/Admin |
Document Permissions
| Permission Class | Description |
|---|---|
| CanAccessDocument | User can access the document within their workspace |
Other Permissions
| Permission Class | Description |
|---|---|
| IsModelOwner | User is the creator/owner of the specific object |
Roles
Two roles are defined in backend/workspaces/roles.py:
```python
ROLE_ADMIN = "admin"
ROLE_MEMBER = "member"
```
Roles apply to both workspace memberships and team memberships. The workspace owner has implicit admin-level access regardless of their membership role.
Usage in ViewSets
```python
from rest_framework.permissions import IsAuthenticated
from rest_framework.viewsets import ModelViewSet

# Import paths assumed from the file locations given above.
from workspaces.permissions import IsWorkspaceMember
from .models import ChatSession


class ChatSessionViewSet(ModelViewSet):
    # IsAuthenticated is repeated here because permission_classes replaces the
    # project default instead of adding to it.
    permission_classes = [IsAuthenticated, IsWorkspaceMember]

    def get_queryset(self):
        # Scope to the workspace named in the URL and to workspaces the caller
        # belongs to; this is what keeps list and detail routes from leaking
        # objects that live in another workspace.
        return ChatSession.objects.filter(
            workspace_id=self.kwargs["workspace_pk"],
            workspace__members=self.request.user,
        )
```
Every workspace-scoped ViewSet:
- Checks authentication (`IsAuthenticated`)
- Checks workspace membership (`IsWorkspaceMember` or one of its stricter variants)
- Filters querysets to the workspace from the URL, so a caller cannot reach another workspace's objects by supplying a different `workspace_pk` or object id
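To make the permission matrix, the owner-is-admin rule and the queryset scoping concrete, here is an added example (not code from the project): a plain-Python model of `IsWorkspaceMember`, `IsWorkspaceMemberForReadOwnerOrAdminForWrite` and the `get_queryset` rule, with constructed `User`, `Workspace`, `Request` and `View` stand-ins and a constructed `WORKSPACES`/`SESSIONS` dataset so it runs without Django or DRF installed. The `allowed()` driver, `visible_session_ids()` and the local `SAFE_METHODS` tuple are assumptions made for the example; the real classes live in `backend/workspaces/permissions.py` and `backend/workspaces/roles.py`.

```python
"""Plain-Python model of the workspace permission classes (added example).

Not the project's own code: it reimplements the decision logic without Django
or DRF so it runs offline. User, Workspace, Request and View are constructed
stand-ins for the ORM and DRF objects.
"""
from dataclasses import dataclass, field
from typing import Optional

ROLE_ADMIN = "admin"
ROLE_MEMBER = "member"
# Same values DRF exposes as rest_framework.permissions.SAFE_METHODS.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass(frozen=True)
class User:
    id: int


@dataclass
class Workspace:
    id: int
    owner_id: int
    members: dict = field(default_factory=dict)  # user id -> role string

    def role_for(self, user: User) -> Optional[str]:
        """Effective role: the owner is admin even with no membership row."""
        if user.id == self.owner_id:
            return ROLE_ADMIN
        return self.members.get(user.id)  # None when not a member


@dataclass
class Request:
    user: User
    method: str


@dataclass
class View:
    kwargs: dict  # DRF puts the URL's workspace_pk here


# Constructed data: workspace 10 owned by user 1, workspace 20 owned by user 9.
WORKSPACES = {
    10: Workspace(id=10, owner_id=1, members={2: ROLE_ADMIN, 3: ROLE_MEMBER}),
    20: Workspace(id=20, owner_id=9, members={3: ROLE_MEMBER}),
}
SESSIONS = [  # chat sessions, each bound to exactly one workspace
    {"id": 100, "workspace_id": 10},
    {"id": 101, "workspace_id": 10},
    {"id": 200, "workspace_id": 20},
]


class IsWorkspaceMember:
    """Any membership role (or ownership) grants read, write and delete."""

    def has_permission(self, request: Request, view: View) -> bool:
        ws = WORKSPACES.get(view.kwargs["workspace_pk"])
        return ws is not None and ws.role_for(request.user) is not None


class IsWorkspaceMemberForReadOwnerOrAdminForWrite:
    """Members may read; only the owner or an admin may write or delete."""

    def has_object_permission(self, request: Request, view: View, ws: Workspace) -> bool:
        role = ws.role_for(request.user)
        if role is None:
            return False
        if request.method in SAFE_METHODS:
            return True
        return role == ROLE_ADMIN


def visible_session_ids(user: User, workspace_pk: int) -> list:
    """The get_queryset() rule: scope to the workspace in the URL AND require
    the caller to be a member of it. Permission classes never filter a list
    response; this filter is what stops cross-workspace enumeration."""
    ws = WORKSPACES.get(workspace_pk)
    if ws is None or ws.role_for(user) is None:
        return []
    return [s["id"] for s in SESSIONS if s["workspace_id"] == workspace_pk]


def allowed(perm_cls, user_id: int, method: str, workspace_pk: int) -> bool:
    """Run one permission class against a constructed request, in the order DRF
    uses: has_permission() first, then has_object_permission() for the object."""
    request, view = Request(User(user_id), method), View({"workspace_pk": workspace_pk})
    perm = perm_cls()
    if hasattr(perm, "has_permission") and not perm.has_permission(request, view):
        return False
    ws = WORKSPACES.get(workspace_pk)
    if ws is not None and hasattr(perm, "has_object_permission"):
        return perm.has_object_permission(request, view, ws)
    return ws is not None


if __name__ == "__main__":
    print(allowed(IsWorkspaceMemberForReadOwnerOrAdminForWrite, 3, "GET", 10))     # True: member reads
    print(allowed(IsWorkspaceMemberForReadOwnerOrAdminForWrite, 3, "PATCH", 10))   # False: member writes
    print(allowed(IsWorkspaceMemberForReadOwnerOrAdminForWrite, 1, "DELETE", 10))  # True: owner, no membership row
    print(visible_session_ids(User(3), 20))  # [200]: user 3 belongs to both workspaces
    print(visible_session_ids(User(2), 20))  # []: admin of workspace 10 sees nothing in 20
```

The last two calls are the check worth keeping in mind when reviewing a ViewSet: DRF only invokes `has_object_permission` from `get_object()` on detail routes, so a list endpoint whose `get_queryset` filters by `workspace_pk` alone, without the membership condition, would let any authenticated user enumerate another workspace's sessions even though the permission class looks correct.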