Requiring login for API docs

ECOM-4277

Requiring login for API docs
ECOM-4277
698763d8 · Clinton Blackburn · 0fe2d40f · 698763d8 · 698763d8 · 698763d8
Commit 698763d8 authored Apr 22, 2016 by Clinton Blackburn
Hide whitespace changes
Inline Side-by-side

Showing with 58 additions and 0 deletions

course_discovery/apps/api/tests/test_views.py
+31 -0

course_discovery/apps/api/views.py
+25 -0

course_discovery/settings/base.py
+2 -0

No files found.
--- a/course_discovery/apps/api/tests/test_views.py
+++ b/course_discovery/apps/api/tests/test_views.py
+import ddt
+from django.contrib.auth.models import AnonymousUser
+from django.core.exceptions import PermissionDenied
+from django.core.urlresolvers import reverse
+from django.test import TestCase, RequestFactory
+from course_discovery.apps.api.views import api_docs_permission_denied_handler
+from course_discovery.apps.core.tests.factories import UserFactory
+@ddt.ddt
+class ApiDocsPermissionDeniedHandlerTests(TestCase):
+    def setUp(self):
+        super(ApiDocsPermissionDeniedHandlerTests, self).setUp()
+        self.request_path = '/'
+        self.request = RequestFactory().get(self.request_path)
+    def test_authenticated(self):
+        """ Verify the view raises `PermissionDenied` if the request is authenticated. """
+        user = UserFactory()
+        self.request.user = user
+        self.assertRaises(PermissionDenied, api_docs_permission_denied_handler, self.request)
+    @ddt.data(None, AnonymousUser())
+    def test_not_authenticated(self, user):
+        """ Verify the view redirects to the login page if the request is not authenticated. """
+        self.request.user = user
+        response = api_docs_permission_denied_handler(self.request)
+        expected_url = '{path}?next={next}'.format(path=reverse('login'), next=self.request_path)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, expected_url)
--- a/course_discovery/apps/api/views.py
+++ b/course_discovery/apps/api/views.py
+from django.core.exceptions import PermissionDenied
+from django.core.urlresolvers import reverse
+from django.shortcuts import redirect
+from django.utils.translation import ugettext as _
+def api_docs_permission_denied_handler(request):
+    """
+    Permission denied handler for calls to the API documentation.
+    Args:
+        request (Request): Original request to the view the documentation
+    Raises:
+        PermissionDenied: The user is not authorized to view the API documentation.
+    Returns:
+        HttpResponseRedirect: Redirect to the login page if the user is not logged in. After a
+            successful login, the user will be redirected back to the original path.
+    """
+    if request.user and request.user.is_authenticated():
+        raise PermissionDenied(_('You are not permitted to access the API documentation.'))
+    login_url = '{path}?next={next}'.format(path=reverse('login'), next=request.path)
+    return redirect(login_url, permanent=False)
--- a/course_discovery/settings/base.py
+++ b/course_discovery/settings/base.py
@@ -294,6 +294,8 @@ JWT_AUTH = {
 SWAGGER_SETTINGS = {
    'api_version': 'v1',
    'doc_expansion': 'list',
+    'is_authenticated': True,
+    'permission_denied_handler': 'course_discovery.apps.api.views.api_docs_permission_denied_handler'
 }
 ELASTICSEARCH_URL = 'http://127.0.0.1:9200/'