A user with no rights for API tokens can still view the page where API tokens are generated and can generate API tokens there.
Create a user with no permission for anything (i.e. every permission set to deny).
Log in with this user to the web application.
Visit http://127.0.0.1:8000/account/api
=> The user can see and generate personal API tokens even though the user has no rights for it.
The impact tends to be low, as the user only sees and generates his own API tokens. If the page had some other serious errors, an attacker could use this as a starting point to do more.
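To make the missing check concrete, here is an added illustration (not the reported application's code) of the authorization gap described above: a constructed default-deny permission model, a token handler that never consults the user's rights, the hardened page view and handler that do, and a helper that replays the report's steps with a deny-all user. The permission name `api_tokens` and the handler names are assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Constructed permission model, not the reported application's own code.
# Permissions are an explicit allow/deny map; anything absent is denied.
@dataclass
class User:
    name: str
    permissions: dict = field(default_factory=dict)  # e.g. {"api_tokens": False}
    tokens: list = field(default_factory=list)

    def can(self, permission: str) -> bool:
        # Default deny: a missing entry is treated the same as an explicit deny.
        return self.permissions.get(permission, False) is True


class PermissionDenied(Exception):
    pass


def generate_token_vulnerable(user: User) -> str:
    """Reported behaviour: the handler never consults the user's rights."""
    token = secrets.token_hex(16)
    user.tokens.append(token)
    return token


def view_api_page(user: User) -> str:
    """Hardened page view: the page itself is gated, not only the action."""
    if not user.can("api_tokens"):
        raise PermissionDenied("api_tokens")
    return "account/api"


def generate_token_fixed(user: User) -> str:
    """Hardened action: the same check is enforced server-side on the request."""
    if not user.can("api_tokens"):
        raise PermissionDenied("api_tokens")
    token = secrets.token_hex(16)
    user.tokens.append(token)
    return token


def reproduce(handler) -> bool:
    """Replays the report's steps: a deny-all user tries to generate a token.
    Returns True when a token was issued, i.e. when the check is missing."""
    user = User("deny-all", permissions={"api_tokens": False})
    try:
        handler(user)
    except PermissionDenied:
        return False
    return len(user.tokens) == 1
```

`reproduce` doubles as a regression check: it should return False for every handler that issues or displays tokens once the permission check is in place.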