Updated Refund create endpoint to allow any staff user to create a refund

ECOM-6539

Updated Refund create endpoint to allow any staff user to create a refund
ECOM-6539
c2e31350 · Clinton Blackburn · Clinton Blackburn · c74da2d7 · c2e31350 · c2e31350
Commit c2e31350 authored Jan 26, 2017 by Clinton Blackburn Committed by Clinton Blackburn Jan 27, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 15 deletions

ecommerce/extensions/api/permissions.py
+3 -3

ecommerce/extensions/api/tests/test_permissions.py
+6 -6

ecommerce/extensions/api/v2/tests/views/test_refunds.py
+6 -6

No files found.
--- a/ecommerce/extensions/api/permissions.py
+++ b/ecommerce/extensions/api/permissions.py
 from rest_framework import permissions
-class CanActForUser(permissions.BasePermission):
+class CanActForUser(permissions.IsAdminUser):
    """
    Allows access only if the user has permission to perform operations for the user represented by the username field
    in request.data.
    """
    def has_permission(self, request, view):
+        user = request.user
        username = request.data.get('username')
        if not username:
            return False
-        user = request.user
+        return super(CanActForUser, self).has_permission(request, view) or (user and user.username == username)
-        return user and (user.is_superuser or user.username == username)
 class IsOffersOrIsAuthenticatedAndStaff(permissions.BasePermission):

--- a/ecommerce/extensions/api/tests/test_permissions.py
+++ b/ecommerce/extensions/api/tests/test_permissions.py
@@ -23,19 +23,19 @@ class CanActForUserTests(PermissionsTestMixin, TestCase):
        request = self.get_request()
        self.assertFalse(self.permissions_class.has_permission(request, None))
-    def test_has_permission_superuser(self):
+    def test_has_permission_staff(self):
-        """ Return True if request.user is a superuser. """
+        """ Return True if request.user is a staff user. """
-        user = self.create_user(is_superuser=True)
+        user = self.create_user(is_staff=True)
-        # Data is required, even if you're a superuser.
+        # Data is required, even if you're a staff user.
        request = self.get_request(user=user)
        self.assertFalse(self.permissions_class.has_permission(request, None))
-        # Superusers can create their own refunds
+        # Staff can create their own refunds
        request = self.get_request(user=user, data={'username': user.username})
        self.assertTrue(self.permissions_class.has_permission(request, None))
-        # Superusers can create refunds for other users
+        # Staff can create refunds for other users
        request = self.get_request(user=user, data={'username': 'other_guy'})
        self.assertTrue(self.permissions_class.has_permission(request, None))

--- a/ecommerce/extensions/api/v2/tests/views/test_refunds.py
+++ b/ecommerce/extensions/api/v2/tests/views/test_refunds.py
@@ -70,8 +70,8 @@ class RefundCreateViewTests(RefundTestMixin, AccessTokenMixin, JwtMixin, TestCas
        """
        If no user matching the username is found, return HTTP 400.
        """
-        superuser = self.create_user(is_superuser=True)
+        staff_user = self.create_user(is_staff=True)
-        self.client.login(username=superuser.username, password=self.password)
+        self.client.login(username=staff_user.username, password=self.password)
        username = 'fakey-userson'
        data = self._get_data(username, self.course_id)
@@ -117,7 +117,7 @@ class RefundCreateViewTests(RefundTestMixin, AccessTokenMixin, JwtMixin, TestCas
        self.assert_ok_response(response)
    def test_authorization(self):
-        """ Client must be authenticated as the user matching the username field or a superuser. """
+        """ Client must be authenticated as the user matching the username field or a staff user. """
        # A normal user CANNOT create refunds for other users.
        self.client.login(username=self.user.username, password=self.password)
@@ -125,9 +125,9 @@ class RefundCreateViewTests(RefundTestMixin, AccessTokenMixin, JwtMixin, TestCas
        response = self.client.post(self.path, data, JSON_CONTENT_TYPE)
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
-        # A superuser can create refunds for everyone.
+        # A staff user can create refunds for everyone.
-        superuser = self.create_user(is_superuser=True)
+        staff_user = self.create_user(is_staff=True)
-        self.client.login(username=superuser.username, password=self.password)
+        self.client.login(username=staff_user.username, password=self.password)
        data = self._get_data(self.user.username, self.course_id)
        response = self.client.post(self.path, data, JSON_CONTENT_TYPE)
        self.assert_ok_response(response)