Commit 01f0e2e3 authored Dec 04, 2015 by Clinton Blackburn
Merge pull request #10824 from edx/clintonb/credit-auth-fix
Corrected permission class and test
parents 9401beb8 c9088071
Showing 2 changed files with 13 additions and 2 deletions

openedx/core/djangoapps/credit/tests/test_views.py (+12 -1)
openedx/core/lib/api/permissions.py (+1 -1)
openedx/core/djangoapps/credit/tests/test_views.py
...
@@ -660,7 +660,18 @@ class CreditEligibilityViewTests(AuthMixin, UserMixin, ReadOnlyMixin, TestCase):
...
@@ -660,7 +660,18 @@ class CreditEligibilityViewTests(AuthMixin, UserMixin, ReadOnlyMixin, TestCase):
def
test_nonstaff_can_only_view_own_data
(
self
):
def
test_nonstaff_can_only_view_own_data
(
self
):
""" Verify that non-staff users can only view their own eligibility data. """
""" Verify that non-staff users can only view their own eligibility data. """
user
=
UserFactory
(
password
=
self
.
password
)
user
=
UserFactory
(
password
=
self
.
password
)
eligibility
=
CreditEligibilityFactory
(
username
=
user
.
username
)
url
=
self
.
create_url
(
eligibility
)
# Verify user can view own data
self
.
client
.
logout
()
self
.
client
.
logout
()
self
.
client
.
login
(
username
=
user
.
username
,
password
=
self
.
password
)
self
.
client
.
login
(
username
=
user
.
username
,
password
=
self
.
password
)
response
=
self
.
client
.
get
(
self
.
path
)
response
=
self
.
client
.
get
(
url
)
self
.
assertEqual
(
response
.
status_code
,
200
)
# User should not be able to view data for other users.
alt_user
=
UserFactory
(
password
=
self
.
password
)
alt_eligibility
=
CreditEligibilityFactory
(
username
=
alt_user
.
username
)
url
=
self
.
create_url
(
alt_eligibility
)
response
=
self
.
client
.
get
(
url
)
self
.
assertEqual
(
response
.
status_code
,
403
)
self
.
assertEqual
(
response
.
status_code
,
403
)
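Review bot: In test_nonstaff_can_only_view_own_data, every request now goes through self.create_url(...), so the test no longer covers a non-staff request that carries no username at all. create_url is not shown in this hunk; if it is what supplies the username the permission class compares against, add one more request to self.path (the URL the replaced line used) and assert 403, so a regression that lets an unfiltered request through is caught. It would also read more clearly with distinct names for the two URLs instead of reassigning url, so a failing assertion points at the right case.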
openedx/core/lib/api/permissions.py
...
@@ -92,4 +92,4 @@ class IsStaffOrOwner(permissions.BasePermission):
...
@@ -92,4 +92,4 @@ class IsStaffOrOwner(permissions.BasePermission):
def
has_permission
(
self
,
request
,
view
):
def
has_permission
(
self
,
request
,
view
):
user
=
request
.
user
user
=
request
.
user
return
user
.
is_staff
or
(
user
.
username
==
request
.
data
.
get
(
'username'
))
return
user
.
is_staff
or
(
user
.
username
==
request
.
GET
.
get
(
'username'
))
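Review bot: On the return line of IsStaffOrOwner.has_permission, the owner check compares user.username only with a client-supplied value, request.GET.get('username') in one version of the line and request.data.get('username') in the other. That is sound only if every view using this class selects its records by that same parameter; a view that picks the record from URL kwargs or from a different part of the request would pass the check on one value and return data keyed by another. Please state that contract in the class docstring, and consider an object-level check (has_object_permission comparing against the object's username) for detail views. With the request.GET form, a non-staff request that sends username only in the request body is denied, which deserves its own test if any write endpoint uses this class.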