chore: allow override of checked permission for POST-query-data reqs

chord_metadata_service/authz/permissions.py

@@ -65,7 +65,9 @@ async def view_request_has_data_type_permission(
 
     p: Permission
 
-    if request.method == "GET":
+    if (p_to_check := getattr(request, "permission_to_check", None)) is not None:
+        p = p_to_check
+    elif request.method == "GET":
         p = P_QUERY_DATA
     elif request.method in ("POST", "PUT"):
         p = P_INGEST_DATA

chord_metadata_service/patients/api_views.py

@@ -2,6 +2,7 @@
 
 from adrf.views import APIView
 from asgiref.sync import async_to_sync
+from bento_lib.auth.permissions import P_QUERY_DATA
 from bento_lib.responses import errors
 from bento_lib.search import build_search_response
 from copy import deepcopy
@@ -149,10 +150,17 @@ def list(self, request, *args, **kwargs):
 
     @action(detail=True, methods=["GET", "POST"])
     def phenopackets(self, request: DrfRequest, *_args, **_kwargs):
+        # ensure we have permissions for getting/posting (both are reading data)
+        #  - override permission to check for POST request, as we're querying data not writing it here.
+        request.permission_to_check = P_QUERY_DATA
+        self.check_permissions(request)
+
+        scope = async_to_sync(get_request_discovery_scope)(request)
+
         individual = self.get_object()
 
         phenopackets = (
-            Phenopacket.objects
+            Phenopacket.get_model_scoped_queryset(scope)
             .filter(subject=individual)
             .prefetch_related(*PHENOPACKET_PREFETCH)
             .order_by("id")