Add publisher user permission on publisher Organization API.

0f5fa3fc · attiyaishaque · Attiya Ishaque · cf1dad56 · 0f5fa3fc · 0f5fa3fc
Commit 0f5fa3fc authored Jul 03, 2018 by attiyaishaque Committed by Attiya Ishaque Jul 03, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 5 deletions

course_discovery/apps/publisher/api/permissions.py
+3 -0

course_discovery/apps/publisher/api/tests/test_views.py
+18 -4

course_discovery/apps/publisher/api/views.py
+1 -1

No files found.
--- a/course_discovery/apps/publisher/api/permissions.py
+++ b/course_discovery/apps/publisher/api/permissions.py
@@ -30,3 +30,6 @@ class PublisherUserPermission(BasePermission):

    def has_object_permission(self, request, view, obj):
        return is_publisher_user(request.user)
+
+    def has_permission(self, request, view):
+        return is_publisher_user(request.user)
--- a/course_discovery/apps/publisher/api/tests/test_views.py
+++ b/course_discovery/apps/publisher/api/tests/test_views.py
@@ -145,18 +145,21 @@ class OrganizationGroupUserViewTests(SiteMixin, TestCase):
    def setUp(self):
        super(OrganizationGroupUserViewTests, self).setUp()

-        user = UserFactory.create(username="test_user", password=USER_PASSWORD)
-        self.client.login(username=user.username, password=USER_PASSWORD)
+        self.user = UserFactory.create(username="test_user", password=USER_PASSWORD)
+        self.client.login(username=self.user.username, password=USER_PASSWORD)

+        self.internal_user_group = Group.objects.get(name=INTERNAL_USER_GROUP_NAME)
+        self.user.groups.add(self.internal_user_group)
        organization_extension = factories.OrganizationExtensionFactory()
        self.org_user1 = UserFactory.create(full_name="org user1")
        self.org_user2 = UserFactory.create(first_name='', last_name='', full_name='')
        organization_extension.group.user_set.add(*[self.org_user1, self.org_user2])
        self.organization = organization_extension.organization

-    def test_get_organization_user_group(self):
+    def test_get_organization_user_group_with_publisher_user_permissions(self):
        """
-        Verify that view returns list of users associated with the group related to given organization id.
+        Verify that view returns list of users associated with the group related to given organization id with
+        login users is associated with any publisher group.
        """
        response = self.client.get(
            path=self._get_organization_group_user_url(self.organization.id), content_type=JSON_CONTENT_TYPE
@@ -184,6 +187,17 @@ class OrganizationGroupUserViewTests(SiteMixin, TestCase):
                                   content_type=JSON_CONTENT_TYPE)
        self.assertEqual(response.status_code, 404)

+    def test_get_organization_user_group_without_publisher_user_permissions(self):
+        """
+        Verify that endpoint returns a permission error with login users not associated
+        with any publisher group.
+        """
+        self.user.groups.remove(self.internal_user_group)
+        response = self.client.get(
+            path=self._get_organization_group_user_url(self.organization.id), content_type=JSON_CONTENT_TYPE
+        )
+        self.assertEqual(response.status_code, 403)
+
    def _get_organization_group_user_url(self, org_id):
        return reverse(
            'publisher:api:organization_group_users', kwargs={'pk': org_id}

--- a/course_discovery/apps/publisher/api/views.py
+++ b/course_discovery/apps/publisher/api/views.py
@@ -38,7 +38,7 @@ class CourseRoleAssignmentView(UpdateAPIView):
 class OrganizationGroupUserView(ListAPIView):
    """ List view for Users filtered by group """
    serializer_class = GroupUserSerializer
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, PublisherUserPermission)
    pagination_class = LargeResultsSetPagination

    def get_queryset(self):