Using JWT scope permissions to secure the Catalog API endpoints

ECOM-5006

course_discovery/apps/api/v1/views/catalogs.py

@@ -3,6 +3,7 @@ import datetime
 from django.db import transaction
 from django.http import HttpResponse
 from dry_rest_permissions.generics import DRYPermissions
+from edx_rest_framework_extensions.permissions import JwtScopePermissions
 from rest_framework import status, viewsets
 from rest_framework.decorators import detail_route
 from rest_framework.response import Response
@@ -21,7 +22,7 @@ class CatalogViewSet(viewsets.ModelViewSet):
 
     filter_backends = (filters.PermissionsFilter,)
     lookup_field = 'id'
-    permission_classes = (DRYPermissions,)
+    permission_classes = (DRYPermissions, JwtScopePermissions,)
     queryset = Catalog.objects.all()
     serializer_class = serializers.CatalogSerializer
 

course_discovery/settings/base.py

@@ -321,8 +321,8 @@ LOGGING = {
 REST_FRAMEWORK = {
     'DEFAULT_AUTHENTICATION_CLASSES': (
         'rest_framework.authentication.SessionAuthentication',
-        'edx_rest_framework_extensions.authentication.BearerAuthentication',
         'edx_rest_framework_extensions.authentication.JwtAuthentication',
+        'edx_rest_framework_extensions.authentication.BearerAuthentication',
         'rest_framework.authentication.BasicAuthentication',
     ),
     'DEFAULT_PAGINATION_CLASS': 'course_discovery.apps.api.pagination.PageNumberPagination',

requirements/base.txt

@@ -34,7 +34,7 @@ edx-auth-backends==1.1.2
 edx-ccx-keys==0.2.0
 edx-django-release-util==0.3.1
 edx-django-sites-extensions==2.3.0
-edx-drf-extensions==1.2.3
+git+https://github.com/edx/edx-drf-extensions.git@clintonb/jwt-scopes#egg=edx-drf-extensions==1.3.0
 edx-opaque-keys==0.3.1
 edx-rest-api-client==1.6.0
 elasticsearch>=1.0.0,<2.0.0