
Require "add_device" permission for `/device/validate` REST API

The issue is that it is impossible to isolate the templates based on permissions. This means anyone can check if a particular device type template exists. Also, it is probably possible to exfiltrate template data using exceptions.

Finally, while template sandboxing was enabled some time ago, it is still pretty dangerous to allow anyone to submit templates. What if there is a security vulnerability in Jinja in the future?
