From d1783ac6fdeec861e53b13c924cf2db830a30030 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date: Wed, 6 Oct 2021 22:07:36 +0200
Subject: [PATCH 3/3] api: set permission journal.view_event on statistics
 views (#57663)

---
 src/authentic2/a2_rbac/management.py | 3 +++
 src/authentic2/api_views.py          | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/authentic2/a2_rbac/management.py b/src/authentic2/a2_rbac/management.py
index 84761d8b..49519ac5 100644
--- a/src/authentic2/a2_rbac/management.py
+++ b/src/authentic2/a2_rbac/management.py
@@ -94,6 +94,9 @@ MANAGED_CT = {
         'name': _('Manager of services'),
         'scoped_name': _('Services - {ou}'),
     },
+    ('journal', 'event'): {
+        'name': _('Journal & statistics'),
+    },
 }
 
 
diff --git a/src/authentic2/api_views.py b/src/authentic2/api_views.py
index e13a607b..d0bce0e7 100644
--- a/src/authentic2/api_views.py
+++ b/src/authentic2/api_views.py
@@ -1180,7 +1180,7 @@ def stat(**kwargs):
 
 
 class StatisticsAPI(ViewSet):
-    permission_classes = (permissions.IsAuthenticated,)
+    permission_classes = (DjangoPermission('journal.view_event'),)
 
     def initial(self, *args, **kwargs):
         super().initial(*args, **kwargs)
-- 
2.33.0