add permissions for all to list only

backend/metagenedb/api/catalog/views/bulk_viewset.py

@@ -3,11 +3,13 @@ from rest_framework import status
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 
+from metagenedb.common.django_default.permissions import ListAndRetrieveAll
 from metagenedb.common.django_default.qparams_validators import PaginatedQueryParams
 
 
 class BulkViewSet(ModelViewSet):
     query_params_parser = PaginatedQueryParams
+    permission_classes = [ListAndRetrieveAll]
 
     def get_objects(self, instance_ids):
         return self.queryset.in_bulk(instance_ids, field_name=self.lookup_field)

backend/metagenedb/common/django_default/permissions.py

+from rest_framework.permissions import BasePermission
+
+
+class ListAndRetrieveAll(BasePermission):
+    """
+    Custom permission to only allow access to lists for admins
+    """
+
+    def has_permission(self, request, view):
+        return view.action in ['list', 'retrieve'] or request.user.is_staff