pulp · mdellweg · Jan 19, 2021 · Dec 23, 2020
diff --git a/CHANGES/8018.bugfix b/CHANGES/8018.bugfix
@@ -0,0 +1 @@
+Changed the default permission class to ``IsAdminUser`` to protect endpoints not yet guarded by an access policy from users without permission.
diff --git a/CHANGES/plugin_api/8018.removal b/CHANGES/plugin_api/8018.removal
@@ -0,0 +1,2 @@
+Changed the default permission class to from ``IsAuthenticated`` to ``IsAdminUser``.
+Any endpoints that should be accessible by all known to the system users need to specify the permission_classes accordingly.
diff --git a/pulpcore/app/settings.py b/pulpcore/app/settings.py
@@ -138,7 +138,7 @@
     "DEFAULT_FILTER_BACKENDS": ("django_filters.rest_framework.DjangoFilterBackend",),
     "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.LimitOffsetPagination",
     "PAGE_SIZE": 100,
-    "DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.IsAuthenticated",),
+    "DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.IsAdminUser",),
     "DEFAULT_AUTHENTICATION_CLASSES": (
         "rest_framework.authentication.SessionAuthentication",
         "rest_framework.authentication.BasicAuthentication",