Added permissions to the Affiliate Window viewset

The same permissions for the catalog endpoint are now enforced for the Affiliate Window endpoint.

ECOM-4481

course_discovery/apps/api/v1/tests/test_views/test_affiliate_window.py

@@ -20,6 +20,7 @@ from course_discovery.apps.course_metadata.tests.factories import CourseRunFacto
 @ddt.ddt
 class AffiliateWindowViewSetTests(ElasticsearchTestMixin, SerializationMixin, APITestCase):
     """ Tests for the AffiliateWindowViewSet. """
+
     def setUp(self):
         super(AffiliateWindowViewSetTests, self).setUp()
         self.user = UserFactory()
@@ -110,3 +111,23 @@ class AffiliateWindowViewSetTests(ElasticsearchTestMixin, SerializationMixin, AP
 
         root = etree.XML(response.content)
         self.assertTrue(dtd.validate(root))
+
+    def test_permissions(self):
+        """ Verify only users with the appropriate permissions can access the endpoint. """
+        catalog = CatalogFactory()
+        superuser = UserFactory(is_superuser=True)
+        url = reverse('api:v1:partners:affiliate_window-detail', kwargs={'pk': catalog.id})
+
+        # Superusers can view all catalogs
+        self.client.force_authenticate(superuser)
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+
+        # Regular users can only view catalogs belonging to them
+        self.client.force_authenticate(self.user)
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 403)
+
+        catalog.viewers = [self.user]
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)

course_discovery/apps/api/v1/views.py

@@ -9,6 +9,7 @@ from dry_rest_permissions.generics import DRYPermissions
 from edx_rest_framework_extensions.permissions import IsSuperuser
 from rest_framework import status, viewsets
 from rest_framework.decorators import detail_route, list_route
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 
@@ -279,9 +280,13 @@ class AffiliateWindowViewSet(viewsets.ViewSet):
         """
 
         catalog = get_object_or_404(Catalog, pk=pk)
-        queryset = catalog.courses().active()
+
+        if not catalog.has_object_read_permission(request):
+            raise PermissionDenied
+
+        courses = catalog.courses().active()
         seats = Seat.objects.filter(
-            course_run__course__in=queryset, type__in=[Seat.VERIFIED, Seat.PROFESSIONAL]
+            course_run__course__in=courses, type__in=[Seat.VERIFIED, Seat.PROFESSIONAL]
         )
 
         serializer = AffiliateWindowSerializer(seats, many=True)