Ignore EntityList model permissions on API endpoints (#2635)

* ignore EntityList model permissions on API endpoints

ignore permissions on API endpoints to avoid manually setting model permissions when a user is created. Also avoids having a migration to add the EntityList permissions to existing users

* fix lint warning unused argument

onadata/apps/api/permissions.py

@@ -558,3 +558,18 @@ def has_permission(self, request, view):
                 return False
 
         return True
+
+
+class DjangoObjectPermissionsIgnoreModelPerm(DjangoObjectPermissions):
+    """
+    Similar to DjangoModelPermissions, except that model permissions
+    are ignored.
+    """
+
+    # pylint: disable=unused-argument
+    def has_permission(self, request, view):
+        """Override `has_permission` method"""
+        if request.user.is_anonymous and request.method not in SAFE_METHODS:
+            return False
+
+        return True

onadata/apps/api/viewsets/entity_list_viewset.py

@@ -12,7 +12,7 @@
 )
 
 
-from onadata.apps.api.permissions import DjangoObjectPermissionsAllowAnon
+from onadata.apps.api.permissions import DjangoObjectPermissionsIgnoreModelPerm
 from onadata.apps.api.tools import get_baseviewset_class
 from onadata.apps.logger.models import Entity, EntityList
 from onadata.libs.filters import AnonUserEntityListFilter, EntityListProjectFilter
@@ -53,7 +53,7 @@ class EntityListViewSet(
         )
     )
     serializer_class = EntityListSerializer
-    permission_classes = (DjangoObjectPermissionsAllowAnon,)
+    permission_classes = (DjangoObjectPermissionsIgnoreModelPerm,)
     pagination_class = StandardPageNumberPagination
     filter_backends = (AnonUserEntityListFilter, EntityListProjectFilter)
 

onadata/libs/utils/user_auth.py

@@ -17,7 +17,6 @@
 
 from onadata.apps.api.models.team import Team
 from onadata.apps.api.models.temp_token import TempToken
-from onadata.apps.logger.models.entity_list import EntityList
 from onadata.apps.logger.models.note import Note
 from onadata.apps.logger.models.project import Project
 from onadata.apps.logger.models.xform import XForm
@@ -223,16 +222,7 @@ def add_cors_headers(response):
 
 def set_api_permissions_for_user(user):
     """Sets the permissions to allow a ``user`` to access the APU."""
-    models = [
-        UserProfile,
-        XForm,
-        MergedXForm,
-        Project,
-        Team,
-        OrganizationProfile,
-        Note,
-        EntityList,
-    ]
+    models = [UserProfile, XForm, MergedXForm, Project, Team, OrganizationProfile, Note]
     for model in models:
         for perm in get_perms_for_model(model):
             assign_perm(f"{perm.content_type.app_label}.{perm.codename}", user)