Merge pull request #102 from edx/clintonb/aw-permissions

Added permissions to the Affiliate Window viewset

Merge pull request #102 from edx/clintonb/aw-permissions
Added permissions to the Affiliate Window viewset
0eb33494 · Clinton Blackburn · 65be02c2 · f9bfd32f · 0eb33494 · 0eb33494
Commit 0eb33494 authored May 17, 2016 by Clinton Blackburn
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 2 deletions

course_discovery/apps/api/v1/tests/test_views/test_affiliate_window.py
+21 -0

course_discovery/apps/api/v1/views.py
+7 -2

No files found.
--- a/course_discovery/apps/api/v1/tests/test_views/test_affiliate_window.py
+++ b/course_discovery/apps/api/v1/tests/test_views/test_affiliate_window.py
@@ -20,6 +20,7 @@ from course_discovery.apps.course_metadata.tests.factories import CourseRunFacto
 @ddt.ddt
 class AffiliateWindowViewSetTests(ElasticsearchTestMixin, SerializationMixin, APITestCase):
    """ Tests for the AffiliateWindowViewSet. """
+
    def setUp(self):
        super(AffiliateWindowViewSetTests, self).setUp()
        self.user = UserFactory()
@@ -110,3 +111,23 @@ class AffiliateWindowViewSetTests(ElasticsearchTestMixin, SerializationMixin, AP

        root = etree.XML(response.content)
        self.assertTrue(dtd.validate(root))
+
+    def test_permissions(self):
+        """ Verify only users with the appropriate permissions can access the endpoint. """
+        catalog = CatalogFactory()
+        superuser = UserFactory(is_superuser=True)
+        url = reverse('api:v1:partners:affiliate_window-detail', kwargs={'pk': catalog.id})
+
+        # Superusers can view all catalogs
+        self.client.force_authenticate(superuser)
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+
+        # Regular users can only view catalogs belonging to them
+        self.client.force_authenticate(self.user)
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 403)
+
+        catalog.viewers = [self.user]
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
--- a/course_discovery/apps/api/v1/views.py
+++ b/course_discovery/apps/api/v1/views.py
@@ -9,6 +9,7 @@ from dry_rest_permissions.generics import DRYPermissions
 from edx_rest_framework_extensions.permissions import IsSuperuser
 from rest_framework import status, viewsets
 from rest_framework.decorators import detail_route, list_route
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response

@@ -279,9 +280,13 @@ class AffiliateWindowViewSet(viewsets.ViewSet):
        """

        catalog = get_object_or_404(Catalog, pk=pk)
-        queryset = catalog.courses().active()
+
+        if not catalog.has_object_read_permission(request):
+            raise PermissionDenied
+
+        courses = catalog.courses().active()
        seats = Seat.objects.filter(
-            course_run__course__in=queryset, type__in=[Seat.VERIFIED, Seat.PROFESSIONAL]
+            course_run__course__in=courses, type__in=[Seat.VERIFIED, Seat.PROFESSIONAL]
        )

        serializer = AffiliateWindowSerializer(seats, many=True)