updated people api create to use group authentication

course_discovery/apps/api/v1/tests/test_views/test_people.py

 # pylint: disable=redefined-builtin,no-member
 import ddt
 from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Group
 from django.db import IntegrityError
 from mock import mock
 from rest_framework.reverse import reverse
@@ -15,6 +16,8 @@ from course_discovery.apps.course_metadata.models import Person
 from course_discovery.apps.course_metadata.people import MarketingSitePeople
 from course_discovery.apps.course_metadata.tests import toggle_switch
 from course_discovery.apps.course_metadata.tests.factories import OrganizationFactory, PersonFactory, PositionFactory
+from course_discovery.apps.publisher.constants import INTERNAL_USER_GROUP_NAME
+from course_discovery.apps.publisher.permissions import logger as permission_logger
 
 User = get_user_model()
 
@@ -27,6 +30,7 @@ class PersonViewSetTests(SerializationMixin, SiteMixin, APITestCase):
     def setUp(self):
         super(PersonViewSetTests, self).setUp()
         self.user = UserFactory(is_staff=True, is_superuser=True)
+        self.user.groups.add(Group.objects.get(name=INTERNAL_USER_GROUP_NAME))
         self.client.force_authenticate(self.user)
         self.person = PersonFactory(partner=self.partner)
         self.organization = OrganizationFactory(partner=self.partner)
@@ -111,6 +115,23 @@ class PersonViewSetTests(SerializationMixin, SiteMixin, APITestCase):
         self.assertEqual(response.status_code, 403)
         self.assertEqual(Person.objects.count(), 0)
 
+    def test_create_without_group(self):
+        """ Verify group is required when creating a person. """
+        self.user.groups.remove(Group.objects.get(name=INTERNAL_USER_GROUP_NAME))
+        current_people_count = Person.objects.count()
+
+        with LogCapture(permission_logger.name) as log_capture:
+            response = self.client.post(self.people_list_url, {}, format='json')
+            self.assertEqual(response.status_code, 403)
+            self.assertEqual(Person.objects.count(), current_people_count)
+            log_capture.check(
+                (
+                    permission_logger.name,
+                    'INFO',
+                    'Permission denied. User [{}] has no groups'.format(self.user.username),
+                )
+            )
+
     def test_get(self):
         """ Verify the endpoint returns the details for a single person. """
         url = reverse('api:v1:person-detail', kwargs={'uuid': self.person.uuid})

course_discovery/apps/api/v1/views/people.py

@@ -8,9 +8,9 @@ from rest_framework.response import Response
 
 from course_discovery.apps.api import filters, serializers
 from course_discovery.apps.api.pagination import PageNumberPagination
-
 from course_discovery.apps.course_metadata.exceptions import MarketingSiteAPIClientException, PersonToMarketingException
 from course_discovery.apps.course_metadata.people import MarketingSitePeople
+from course_discovery.apps.publisher.permissions import UserHasGroup
 
 logger = logging.getLogger(__name__)
 
@@ -23,7 +23,7 @@ class PersonViewSet(viewsets.ModelViewSet):
     filter_class = filters.PersonFilter
     lookup_field = 'uuid'
     lookup_value_regex = '[0-9a-f-]+'
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, UserHasGroup,)
     queryset = serializers.PersonSerializer.prefetch_queryset()
     serializer_class = serializers.PersonSerializer
     pagination_class = PageNumberPagination

course_discovery/apps/publisher/permissions.py

+import logging
+
+from rest_framework import permissions
+
+logger = logging.getLogger(__name__)
+
+
+class UserHasGroup(permissions.BasePermission):
+    """
+    Global permission to check if request.user has any group
+    """
+    def has_permission(self, request, view):
+        if request.user.groups.all():
+            return True
+        logger.info('Permission denied. User [%s] has no groups', request.user.username)
+        return False