Merge pull request #96 from edx/hotfix/2015-08-18

enforce staff only access on attempt collection endpoint

Merge pull request #96 from edx/hotfix/2015-08-18
enforce staff only access on attempt collection endpoint
231c79d0 · chrisndodge · b956a555 · 391b82a2 · 231c79d0 · 231c79d0
Commit 231c79d0 authored Aug 15, 2015 by chrisndodge
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 1 deletions

edx_proctoring/tests/test_views.py
+29 -0

edx_proctoring/views.py
+9 -0

setup.py
+1 -1

No files found.
--- a/edx_proctoring/tests/test_views.py
+++ b/edx_proctoring/tests/test_views.py
@@ -814,6 +814,35 @@ class TestStudentProctoredExamAttempt(LoggedInTestCase):
        response_data = json.loads(response.content)
        self.assertEqual(len(response_data['proctored_exam_attempts']), 1)

+    def test_exam_attempts_not_staff(self):
+        """
+        Test to get the exam attempts in a course.
+        """
+        # Create an exam.
+        proctored_exam = ProctoredExam.objects.create(
+            course_id='a/b/c',
+            content_id='test_content',
+            exam_name='Test Exam',
+            external_id='123aXqe3',
+            time_limit_mins=90
+        )
+        attempt_data = {
+            'exam_id': proctored_exam.id,
+            'user_id': self.student_taking_exam.id,
+            'external_id': proctored_exam.external_id
+        }
+        response = self.client.post(
+            reverse('edx_proctoring.proctored_exam.attempt.collection'),
+            attempt_data
+        )
+        url = reverse('edx_proctoring.proctored_exam.attempt', kwargs={'course_id': proctored_exam.course_id})
+
+        self.user.is_staff = False
+        self.user.save()
+
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 403)
+
    def test_get_filtered_exam_attempts(self):
        """
        Test to get the exam attempts in a course.

--- a/edx_proctoring/views.py
+++ b/edx_proctoring/views.py
@@ -443,6 +443,15 @@ class StudentProctoredExamAttemptCollection(AuthenticatedAPIView):
        HTTP GET Handler. Returns the status of the exam attempt.
        """
        if course_id is not None:
+            #
+            # This code path is only for authenticated global staff users
+            #
+            if not request.user.is_staff:
+                return Response(
+                    status=status.HTTP_403_FORBIDDEN,
+                    data={"detail": "Must be a Staff User to Perform this request."}
+                )
+
            if search_by is not None:
                exam_attempts = get_filtered_exam_attempts(course_id, search_by)
                attempt_url = reverse('edx_proctoring.proctored_exam.attempt.search', args=[course_id, search_by])

--- a/setup.py
+++ b/setup.py
@@ -34,7 +34,7 @@ def load_requirements(*requirements_paths):

 setup(
    name='edx-proctoring',
-    version='0.6.0',
+    version='0.6.1',
    description='Proctoring subsystem for Open edX',
    long_description=open('README.md').read(),
    author='edX',