From c811bbd1fd3c77836bc7b0ec5eebb05675e4c8b6 Mon Sep 17 00:00:00 2001
From: David Lougheed <david.lougheed@gmail.com>
Date: Tue, 17 Sep 2024 16:39:12 -0400
Subject: [PATCH] fix: proper permissions for schema endpoints

---
 chord_metadata_service/experiments/api_views.py  | 6 +++---
 chord_metadata_service/phenopackets/api_views.py | 7 +++----
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/chord_metadata_service/experiments/api_views.py b/chord_metadata_service/experiments/api_views.py
index c5310aefa..15cf0c719 100644
--- a/chord_metadata_service/experiments/api_views.py
+++ b/chord_metadata_service/experiments/api_views.py
@@ -4,9 +4,9 @@
 from rest_framework import mixins, serializers, status, viewsets
 from rest_framework.settings import api_settings
 from rest_framework.decorators import api_view, permission_classes
-from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 
+from chord_metadata_service.authz.permissions import BentoAllowAny
 from chord_metadata_service.discovery.scope import get_request_discovery_scope
 from chord_metadata_service.restapi.api_renderers import (
     FHIRRenderer,
@@ -142,7 +142,7 @@ def dispatch(self, *args, **kwargs):
     }
 )
 @api_view(["GET"])
-@permission_classes([AllowAny])
+@permission_classes([BentoAllowAny])
 def get_experiment_schema(_request):
     """
     get:
@@ -153,7 +153,7 @@ def get_experiment_schema(_request):
 
 
 @api_view(["GET"])
-@permission_classes([AllowAny])
+@permission_classes([BentoAllowAny])
 def get_experiment_subschema(_request, subschema: str):
     """
     get:
diff --git a/chord_metadata_service/phenopackets/api_views.py b/chord_metadata_service/phenopackets/api_views.py
index 2eacb930d..3b7809bf5 100644
--- a/chord_metadata_service/phenopackets/api_views.py
+++ b/chord_metadata_service/phenopackets/api_views.py
@@ -4,10 +4,9 @@
 from rest_framework import serializers, status, viewsets
 from rest_framework.settings import api_settings
 from rest_framework.decorators import api_view, permission_classes
-from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 
-from chord_metadata_service.authz.permissions import BentoPhenopacketDataPermission
+from chord_metadata_service.authz.permissions import BentoPhenopacketDataPermission, BentoAllowAny
 from chord_metadata_service.discovery.scope import get_request_discovery_scope
 from chord_metadata_service.restapi.api_renderers import (
     PhenopacketsRenderer,
@@ -258,7 +257,7 @@ class InterpretationViewSet(PhenopacketsModelViewSet):
     }
 )
 @api_view(["GET"])
-@permission_classes([AllowAny])
+@permission_classes([BentoAllowAny])
 def get_chord_phenopacket_schema(_request):
     """
     get:
@@ -269,7 +268,7 @@ def get_chord_phenopacket_schema(_request):
 
 
 @api_view(["GET"])
-@permission_classes([AllowAny])
+@permission_classes([BentoAllowAny])
 def get_chord_phenopacket_subschema(_request, subschema: str):
     """
     get: