Commit cf1dad56 by Attiya Ishaque

Revert "Add staff permission on discovery people API."

This reverts commit e92a351c.
parent e92a351c
from rest_framework.permissions import BasePermission
class ReadByStaffOnly(BasePermission):
"""
Custom permission to only allow owners of the object.
"""
def has_permission(self, request, view):
if request.method == 'GET':
return request.user.is_staff
return True
...@@ -6,7 +6,6 @@ from mock import mock ...@@ -6,7 +6,6 @@ from mock import mock
from rest_framework.reverse import reverse from rest_framework.reverse import reverse
from testfixtures import LogCapture from testfixtures import LogCapture
from course_discovery.apps.api.permissions import ReadByStaffOnly
from course_discovery.apps.api.v1.tests.test_views.mixins import APITestCase, SerializationMixin from course_discovery.apps.api.v1.tests.test_views.mixins import APITestCase, SerializationMixin
from course_discovery.apps.api.v1.views.people import logger as people_logger from course_discovery.apps.api.v1.views.people import logger as people_logger
from course_discovery.apps.core.tests.factories import USER_PASSWORD, UserFactory from course_discovery.apps.core.tests.factories import USER_PASSWORD, UserFactory
...@@ -28,7 +27,6 @@ class PersonViewSetTests(SerializationMixin, APITestCase): ...@@ -28,7 +27,6 @@ class PersonViewSetTests(SerializationMixin, APITestCase):
self.target_permissions = Permission.objects.filter( self.target_permissions = Permission.objects.filter(
codename__in=['add_person', 'change_person', 'delete_person'] codename__in=['add_person', 'change_person', 'delete_person']
) )
self.permisson_class = ReadByStaffOnly()
internal_test_group = Group.objects.create(name='internal-test') internal_test_group = Group.objects.create(name='internal-test')
internal_test_group.permissions.add(*self.target_permissions) internal_test_group.permissions.add(*self.target_permissions)
self.user.groups.add(internal_test_group) self.user.groups.add(internal_test_group)
...@@ -127,17 +125,10 @@ class PersonViewSetTests(SerializationMixin, APITestCase): ...@@ -127,17 +125,10 @@ class PersonViewSetTests(SerializationMixin, APITestCase):
assert response.status_code == 403 assert response.status_code == 403
assert Person.objects.count() == current_people_count assert Person.objects.count() == current_people_count
def test_get_single_person_without_staff_access(self): def test_get(self):
""" Verify the endpoint shows permission error for the details for a single person. """
url = reverse('api:v1:person-detail', kwargs={'uuid': self.person.uuid})
response = self.client.get(url)
self.assertEqual(response.status_code, 403)
def test_get_single_person_with_staff_access(self):
""" Verify the endpoint returns the details for a single person. """ """ Verify the endpoint returns the details for a single person. """
url = reverse('api:v1:person-detail', kwargs={'uuid': self.person.uuid}) url = reverse('api:v1:person-detail', kwargs={'uuid': self.person.uuid})
self.user.is_staff = True
self.user.save()
response = self.client.get(url) response = self.client.get(url)
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
self.assertEqual(response.data, self.serialize_person(self.person)) self.assertEqual(response.data, self.serialize_person(self.person))
...@@ -149,25 +140,16 @@ class PersonViewSetTests(SerializationMixin, APITestCase): ...@@ -149,25 +140,16 @@ class PersonViewSetTests(SerializationMixin, APITestCase):
response = self.client.get(url) response = self.client.get(url)
self.assertEqual(response.status_code, 403) self.assertEqual(response.status_code, 403)
def test_list_with_staff_user(self): def test_list(self):
""" Verify the endpoint returns a list of all people with the staff user accesss """ """ Verify the endpoint returns a list of all people. """
self.user.is_staff = True
self.user.save()
response = self.client.get(self.people_list_url) response = self.client.get(self.people_list_url)
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
self.assertListEqual(response.data['results'], self.serialize_person(Person.objects.all(), many=True)) self.assertListEqual(response.data['results'], self.serialize_person(Person.objects.all(), many=True))
def test_list_without_staff_user(self):
""" Verify the endpoint shows permission error when non-staff user acccessed """
response = self.client.get(self.people_list_url)
self.assertEqual(response.status_code, 403)
def test_list_filter_by_slug(self): def test_list_filter_by_slug(self):
""" Verify the endpoint allows people to be filtered by slug. """ """ Verify the endpoint allows people to be filtered by slug. """
person = PersonFactory() person = PersonFactory()
url = '{root}?slug={slug}'.format(root=self.people_list_url, slug=person.slug) url = '{root}?slug={slug}'.format(root=self.people_list_url, slug=person.slug)
self.user.is_staff = True
self.user.save()
response = self.client.get(url) response = self.client.get(url)
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
self.assertListEqual(response.data['results'], self.serialize_person([person], many=True)) self.assertListEqual(response.data['results'], self.serialize_person([person], many=True))
......
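Review bot: Once the two non-staff tests are removed, `test_get` and `test_list` only exercise the user prepared in the set-up code, which the visible lines place in the `internal-test` group with add/change/delete permissions on Person. Nothing now pins what an authenticated account without those permissions gets on a GET, so the read-access policy of this endpoint is untested in either direction. A test that logs in a fresh user with no group and asserts the expected status would document the policy and catch a later accidental change; the sketch below assumes reads are meant to stay open to every authenticated user and that the factory user logs in with `USER_PASSWORD`. The test class begins and ends outside the visible hunks, so an equivalent test may already exist there.

```python
# … unchanged: test_list …

def test_list_without_model_permissions(self):
    """ Verify an authenticated user with no Person permissions can still list people. """
    user = UserFactory()
    self.client.logout()
    self.client.login(username=user.username, password=USER_PASSWORD)
    response = self.client.get(self.people_list_url)
    self.assertEqual(response.status_code, 200)
```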
...@@ -8,7 +8,6 @@ from rest_framework.response import Response ...@@ -8,7 +8,6 @@ from rest_framework.response import Response
from course_discovery.apps.api import filters, serializers from course_discovery.apps.api import filters, serializers
from course_discovery.apps.api.pagination import PageNumberPagination from course_discovery.apps.api.pagination import PageNumberPagination
from course_discovery.apps.api.permissions import ReadByStaffOnly
from course_discovery.apps.course_metadata.exceptions import MarketingSiteAPIClientException, PersonToMarketingException from course_discovery.apps.course_metadata.exceptions import MarketingSiteAPIClientException, PersonToMarketingException
from course_discovery.apps.course_metadata.people import MarketingSitePeople from course_discovery.apps.course_metadata.people import MarketingSitePeople
...@@ -23,7 +22,7 @@ class PersonViewSet(viewsets.ModelViewSet): ...@@ -23,7 +22,7 @@ class PersonViewSet(viewsets.ModelViewSet):
filter_class = filters.PersonFilter filter_class = filters.PersonFilter
lookup_field = 'uuid' lookup_field = 'uuid'
lookup_value_regex = '[0-9a-f-]+' lookup_value_regex = '[0-9a-f-]+'
permission_classes = (DjangoModelPermissions, ReadByStaffOnly,) permission_classes = (DjangoModelPermissions,)
queryset = serializers.PersonSerializer.prefetch_queryset() queryset = serializers.PersonSerializer.prefetch_queryset()
serializer_class = serializers.PersonSerializer serializer_class = serializers.PersonSerializer
pagination_class = PageNumberPagination pagination_class = PageNumberPagination
......
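Review bot: With `ReadByStaffOnly` dropped from `permission_classes` on `PersonViewSet`, reads are gated by authentication alone, because DRF's `DjangoModelPermissions` requires no model permission for GET, HEAD or OPTIONS and only checks add/change/delete on write methods. Any logged-in account can therefore list and fetch person records again. If that is the intended policy, it should be stated on the attribute, for example `# DjangoModelPermissions only checks add/change/delete; GET is open to every authenticated user.` Neither the commit message nor the code records why the staff restriction was withdrawn. The class body continues outside the hunk, so other access checks may exist that are not visible here.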