From 9cadb5e1b44d86c10225d798559d4ac2fbe8e107 Mon Sep 17 00:00:00 2001 From: Anatol Ulrich Date: Wed, 4 Oct 2023 22:42:44 +0200 Subject: [PATCH] duplicate permissions check note --- README.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4d58a8c..c3870ce 100644 --- a/README.md +++ b/README.md @@ -27,8 +27,10 @@ see `schema.py` and [Strawberry GraphQL documentation](https://strawberry.rocks/ ### Attribute based permissions -Assuming a zero trust deployment, the requesting user must have the correct claims to execute an operation - -to disable this during development (or if you operate the service in a trusted enviroment), remove the `permission_classes` parameter in all operations defined in `schema.py`. +Assuming a zero trust deployment, the requesting user must +have the correct claims to execute an operation - +to disable this during development (or if you operate the service in a trusted enviroment), +remove the `permission_classes` parameter in all operations defined in `schema.py`. These permissions must be a list stored in the access token under the key `config.AUTH_PERMISSIONS_KEY`, its values prefixed with `config.AUTH_OLS_PREFIX`. For example: @@ -39,6 +41,10 @@ claims = { } ``` +Strictly speaking this duplicates the permissions check already done by the broker, +and thus requests without required permissions don't even reach the microservice - +they've been rejected at the broker level. + ### JWT signature algorithm For security reasons the JWT signature algorithm must be a member of
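Review bot: the first hunk reflows the paragraph but carries the typo `enviroment` over unchanged in "(or if you operate the service in a trusted enviroment)"; since these lines are being rewritten anyway, spell it `environment`. The same sentence still runs on with a bare " - " joining two clauses; ending the first at "execute an operation." and starting the next with "To disable this during development" reads better than a hyphen standing in for a dash.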
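Review bot: the note added in the second hunk contradicts the zero trust assumption stated two paragraphs above and, read on its own, suggests that `permission_classes` is redundant because the broker already rejects unauthorized requests. Qualify it: the broker-level rejection only applies when the service is deployed behind that broker, and the in-service check is kept on purpose as defense in depth for the zero trust case (a caller that reaches the service without going through the broker, or a broker that is misconfigured). It should also say which broker is meant; "the broker" is not introduced anywhere in the README section shown, so a name or a pointer to its configuration would help. "Strictly speaking" can be dropped.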