Add staff permission on discovery people API.

e92a351c · attiyaishaque · Attiya Ishaque · 3d356173 · e92a351c · e92a351c
Commit e92a351c authored Jun 27, 2018 by attiyaishaque Committed by Attiya Ishaque Jun 29, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 35 additions and 5 deletions

course_discovery/apps/api/permissions.py
+11 -0

course_discovery/apps/api/v1/tests/test_views/test_people.py
+22 -4

course_discovery/apps/api/v1/views/people.py
+2 -1

No files found.
--- a/course_discovery/apps/api/permissions.py
+++ b/course_discovery/apps/api/permissions.py
+from rest_framework.permissions import BasePermission
+
+
+class ReadByStaffOnly(BasePermission):
+    """
+    Custom permission to only allow owners of the object.
+    """
+    def has_permission(self, request, view):
+        if request.method == 'GET':
+                return request.user.is_staff
+        return True
--- a/course_discovery/apps/api/v1/tests/test_views/test_people.py
+++ b/course_discovery/apps/api/v1/tests/test_views/test_people.py
@@ -6,6 +6,7 @@ from mock import mock
 from rest_framework.reverse import reverse
 from testfixtures import LogCapture

+from course_discovery.apps.api.permissions import ReadByStaffOnly
 from course_discovery.apps.api.v1.tests.test_views.mixins import APITestCase, SerializationMixin
 from course_discovery.apps.api.v1.views.people import logger as people_logger
 from course_discovery.apps.core.tests.factories import USER_PASSWORD, UserFactory
@@ -27,6 +28,7 @@ class PersonViewSetTests(SerializationMixin, APITestCase):
        self.target_permissions = Permission.objects.filter(
            codename__in=['add_person', 'change_person', 'delete_person']
        )
+        self.permisson_class = ReadByStaffOnly()
        internal_test_group = Group.objects.create(name='internal-test')
        internal_test_group.permissions.add(*self.target_permissions)
        self.user.groups.add(internal_test_group)
@@ -125,10 +127,17 @@ class PersonViewSetTests(SerializationMixin, APITestCase):
        assert response.status_code == 403
        assert Person.objects.count() == current_people_count

-    def test_get(self):
-        """ Verify the endpoint returns the details for a single person. """
+    def test_get_single_person_without_staff_access(self):
+        """ Verify the endpoint shows permission error for the details for a single person. """
        url = reverse('api:v1:person-detail', kwargs={'uuid': self.person.uuid})
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 403)

+    def test_get_single_person_with_staff_access(self):
+        """ Verify the endpoint returns the details for a single person. """
+        url = reverse('api:v1:person-detail', kwargs={'uuid': self.person.uuid})
+        self.user.is_staff = True
+        self.user.save()
        response = self.client.get(url)
        self.assertEqual(response.status_code, 200)
        self.assertEqual(response.data, self.serialize_person(self.person))
@@ -140,16 +149,25 @@ class PersonViewSetTests(SerializationMixin, APITestCase):
        response = self.client.get(url)
        self.assertEqual(response.status_code, 403)

-    def test_list(self):
-        """ Verify the endpoint returns a list of all people. """
+    def test_list_with_staff_user(self):
+        """ Verify the endpoint returns a list of all people with the staff user accesss """
+        self.user.is_staff = True
+        self.user.save()
        response = self.client.get(self.people_list_url)
        self.assertEqual(response.status_code, 200)
        self.assertListEqual(response.data['results'], self.serialize_person(Person.objects.all(), many=True))

+    def test_list_without_staff_user(self):
+        """ Verify the endpoint shows permission error when non-staff user acccessed """
+        response = self.client.get(self.people_list_url)
+        self.assertEqual(response.status_code, 403)
+
    def test_list_filter_by_slug(self):
        """ Verify the endpoint allows people to be filtered by slug. """
        person = PersonFactory()
        url = '{root}?slug={slug}'.format(root=self.people_list_url, slug=person.slug)
+        self.user.is_staff = True
+        self.user.save()
        response = self.client.get(url)
        self.assertEqual(response.status_code, 200)
        self.assertListEqual(response.data['results'], self.serialize_person([person], many=True))

--- a/course_discovery/apps/api/v1/views/people.py
+++ b/course_discovery/apps/api/v1/views/people.py
@@ -8,6 +8,7 @@ from rest_framework.response import Response

 from course_discovery.apps.api import filters, serializers
 from course_discovery.apps.api.pagination import PageNumberPagination
+from course_discovery.apps.api.permissions import ReadByStaffOnly
 from course_discovery.apps.course_metadata.exceptions import MarketingSiteAPIClientException, PersonToMarketingException
 from course_discovery.apps.course_metadata.people import MarketingSitePeople

@@ -22,7 +23,7 @@ class PersonViewSet(viewsets.ModelViewSet):
    filter_class = filters.PersonFilter
    lookup_field = 'uuid'
    lookup_value_regex = '[0-9a-f-]+'
-    permission_classes = (DjangoModelPermissions,)
+    permission_classes = (DjangoModelPermissions, ReadByStaffOnly,)
    queryset = serializers.PersonSerializer.prefetch_queryset()
    serializer_class = serializers.PersonSerializer
    pagination_class = PageNumberPagination