Description
The `/<sensor>/forecasts/trigger` endpoint currently checks `create-children` permissions only for the target sensor:

```python
@route("/<id>/forecasts/trigger", methods=["POST"])
@use_kwargs({"sensor": SensorIdField(data_key="id")}, location="path")
@permission_required_for_context("create-children", ctx_arg_name="sensor")
```

However, a forecasting pipeline may depend on regressor sensors (past and/or future regressors). At the moment, there is no explicit permission check to ensure that the requesting user has read access to all regressor sensors used by the forecast.
This means a user could potentially trigger a forecast that implicitly reads data from sensors they do not have permission to access.
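
The gap described above, as an added sketch that is not FlexMeasures code: a target-only check next to one that also requires `read` on every regressor sensor before the forecast is queued. The `ACL` table, the function names and the `past_regressors`/`future_regressors` parameter names are hypothetical and constructed for illustration.

```python
# Hypothetical ACL, constructed for illustration: (user, sensor_id) -> permissions.
# This is not FlexMeasures' permission model.
ACL = {
    ("alice", 1): {"read", "create-children"},  # target sensor
    ("alice", 2): {"read"},                     # regressor alice may read
    # no entry for ("alice", 3): a sensor alice has no access to
}


def has_permission(user, sensor_id, permission):
    return permission in ACL.get((user, sensor_id), set())


def check_target_only(user, target, past_regressors=(), future_regressors=()):
    """Current behaviour per the issue: only the target sensor is checked."""
    if has_permission(user, target, "create-children"):
        return []
    return [(target, "create-children")]


def check_with_regressors(user, target, past_regressors=(), future_regressors=()):
    """Also require read access on every regressor before any job is queued."""
    denied = check_target_only(user, target)
    # A sensor can be listed as both past and future regressor; check it once.
    for sensor_id in sorted(set(past_regressors) | set(future_regressors)):
        if not has_permission(user, sensor_id, "read"):
            denied.append((sensor_id, "read"))
    return denied  # empty list means authorized; otherwise reject (e.g. HTTP 403)


if __name__ == "__main__":
    request = dict(user="alice", target=1, past_regressors=[2], future_regressors=[2, 3])
    print("target-only check denies:", check_target_only(**request))
    print("regressor-aware check denies:", check_with_regressors(**request))
```

Collecting every denied sensor before responding lets the endpoint reject the request as a whole, so no forecasting job starts with partial authorization.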