Merge pull request #80 from edx/clintonb/api-docs-update

Requiring login for API docs

course_discovery/apps/api/tests/test_views.py

+import ddt
+from django.contrib.auth.models import AnonymousUser
+from django.core.exceptions import PermissionDenied
+from django.core.urlresolvers import reverse
+from django.test import TestCase, RequestFactory
+
+from course_discovery.apps.api.views import api_docs_permission_denied_handler
+from course_discovery.apps.core.tests.factories import UserFactory
+
+
+@ddt.ddt
+class ApiDocsPermissionDeniedHandlerTests(TestCase):
+    def setUp(self):
+        super(ApiDocsPermissionDeniedHandlerTests, self).setUp()
+        self.request_path = '/'
+        self.request = RequestFactory().get(self.request_path)
+
+    def test_authenticated(self):
+        """ Verify the view raises `PermissionDenied` if the request is authenticated. """
+        user = UserFactory()
+        self.request.user = user
+        self.assertRaises(PermissionDenied, api_docs_permission_denied_handler, self.request)
+
+    @ddt.data(None, AnonymousUser())
+    def test_not_authenticated(self, user):
+        """ Verify the view redirects to the login page if the request is not authenticated. """
+        self.request.user = user
+        response = api_docs_permission_denied_handler(self.request)
+        expected_url = '{path}?next={next}'.format(path=reverse('login'), next=self.request_path)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, expected_url)

course_discovery/apps/api/views.py

+from django.core.exceptions import PermissionDenied
+from django.core.urlresolvers import reverse
+from django.shortcuts import redirect
+from django.utils.translation import ugettext as _
+
+
+def api_docs_permission_denied_handler(request):
+    """
+    Permission denied handler for calls to the API documentation.
+
+    Args:
+        request (Request): Original request to the view the documentation
+
+    Raises:
+        PermissionDenied: The user is not authorized to view the API documentation.
+
+    Returns:
+        HttpResponseRedirect: Redirect to the login page if the user is not logged in. After a
+            successful login, the user will be redirected back to the original path.
+    """
+    if request.user and request.user.is_authenticated():
+        raise PermissionDenied(_('You are not permitted to access the API documentation.'))
+
+    login_url = '{path}?next={next}'.format(path=reverse('login'), next=request.path)
+    return redirect(login_url, permanent=False)

course_discovery/apps/core/tests/test_throttles.py

 from django.core.cache import cache
 from django.core.urlresolvers import reverse
-
 from rest_framework.test import APITestCase
 
 from course_discovery.apps.core.models import UserThrottleRate
@@ -48,7 +47,3 @@ class RateLimitingTest(APITestCase):
         self.user.save()
         response = self._make_requests()
         self.assertEqual(response.status_code, 200)
-
-    def test_anonymous_throttling(self):
-        self.client.logout()
-        self.test_rate_limiting()

course_discovery/apps/core/throttles.py

@@ -9,9 +9,10 @@ class OverridableUserRateThrottle(UserRateThrottle):
 
     def allow_request(self, request, view):
         user = request.user
-        if user.is_superuser:
-            return True
-        if not user.is_anonymous():
+
+        if user and user.is_authenticated():
+            if user.is_superuser:
+                return True
             try:
                 # Override this throttle's rate if applicable
                 user_throttle = UserThrottleRate.objects.get(user=user)
@@ -19,4 +20,5 @@ class OverridableUserRateThrottle(UserRateThrottle):
                 self.num_requests, self.duration = self.parse_rate(self.rate)
             except UserThrottleRate.DoesNotExist:
                 pass
+
         return super(OverridableUserRateThrottle, self).allow_request(request, view)

course_discovery/settings/base.py

@@ -294,6 +294,8 @@ JWT_AUTH = {
 SWAGGER_SETTINGS = {
     'api_version': 'v1',
     'doc_expansion': 'list',
+    'is_authenticated': True,
+    'permission_denied_handler': 'course_discovery.apps.api.views.api_docs_permission_denied_handler'
 }
 
 ELASTICSEARCH_URL = 'http://127.0.0.1:9200/'