Removed IsAuthenticatedOrDebug

IsAuthenticatedOrDebug hides potential issues with API client code that is run in local environments and later deployed to production where authentication fails. XCOM-193

Removed IsAuthenticatedOrDebug
IsAuthenticatedOrDebug hides potential issues with API client code that is run in local environments and later deployed to production where authentication fails. XCOM-193
2da42d5e · Clinton Blackburn · a7e49c21 · 2da42d5e · 2da42d5e · 2da42d5e
Commit 2da42d5e authored Jun 10, 2015 by Clinton Blackburn
Showing with 6 additions and 38 deletions

lms/djangoapps/course_structure_api/v0/tests.py
+1 -21

lms/djangoapps/course_structure_api/v0/views.py
+2 -2

openedx/core/lib/api/permissions.py
+0 -13

openedx/core/lib/api/view_utils.py
+3 -2

No files found.
--- a/lms/djangoapps/course_structure_api/v0/tests.py
+++ b/lms/djangoapps/course_structure_api/v0/tests.py
@@ -156,11 +156,7 @@ class CourseDetailMixin(object):
        return response

    def test_not_authenticated(self):
-        # If debug mode is enabled, the view should always return data.
-        with override_settings(DEBUG=True):
-            response = self.http_get(reverse(self.view, kwargs={'course_id': self.course_id}), HTTP_AUTHORIZATION=None)
-            self.assertEqual(response.status_code, 200)
-
+        """ The view should return HTTP status 401 if no user is authenticated. """
        # HTTP 401 should be returned if the user is not authenticated.
        response = self.http_get(reverse(self.view, kwargs={'course_id': self.course_id}), HTTP_AUTHORIZATION=None)
        self.assertEqual(response.status_code, 401)
@@ -170,12 +166,6 @@ class CourseDetailMixin(object):
        access_token = AccessTokenFactory.create(user=user, client=self.oauth_client).token
        auth_header = 'Bearer ' + access_token

-        # If debug mode is enabled, the view should always return data.
-        with override_settings(DEBUG=True):
-            response = self.http_get(reverse(self.view, kwargs={'course_id': self.course_id}),
-                                     HTTP_AUTHORIZATION=auth_header)
-            self.assertEqual(response.status_code, 200)
-
        # Access should be granted if the proper access token is supplied.
        response = self.http_get(reverse(self.view, kwargs={'course_id': self.course_id}),
                                 HTTP_AUTHORIZATION=auth_header)
@@ -231,11 +221,6 @@ class CourseListTests(CourseViewTestsMixin, ModuleStoreTestCase):
        self.assertValidResponseCourse(courses[0], self.course)

    def test_not_authenticated(self):
-        # If debug mode is enabled, the view should always return data.
-        with override_settings(DEBUG=True):
-            response = self.http_get(reverse(self.view), HTTP_AUTHORIZATION=None)
-            self.assertEqual(response.status_code, 200)
-
        response = self.http_get(reverse(self.view), HTTP_AUTHORIZATION=None)
        self.assertEqual(response.status_code, 401)

@@ -247,11 +232,6 @@ class CourseListTests(CourseViewTestsMixin, ModuleStoreTestCase):
        access_token = AccessTokenFactory.create(user=user, client=self.oauth_client).token
        auth_header = 'Bearer ' + access_token

-        # If debug mode is enabled, the view should always return data.
-        with override_settings(DEBUG=True):
-            response = self.http_get(reverse(self.view), HTTP_AUTHORIZATION=auth_header)
-            self.assertEqual(response.status_code, 200)
-
        # Data should be returned if the user is authorized.
        response = self.http_get(reverse(self.view), HTTP_AUTHORIZATION=auth_header)
        self.assertEqual(response.status_code, 200)

--- a/lms/djangoapps/course_structure_api/v0/views.py
+++ b/lms/djangoapps/course_structure_api/v0/views.py
@@ -7,6 +7,7 @@ from django.http import Http404
 from rest_framework.authentication import OAuth2Authentication, SessionAuthentication
 from rest_framework.exceptions import PermissionDenied, AuthenticationFailed
 from rest_framework.generics import RetrieveAPIView, ListAPIView
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 from xmodule.modulestore.django import modulestore
 from opaque_keys.edx.keys import CourseKey
@@ -15,7 +16,6 @@ from course_structure_api.v0 import api, serializers
 from course_structure_api.v0.errors import CourseNotFoundError, CourseStructureNotAvailableError
 from courseware import courses
 from courseware.access import has_access
-from openedx.core.lib.api.permissions import IsAuthenticatedOrDebug
 from openedx.core.lib.api.serializers import PaginationSerializer
 from student.roles import CourseInstructorRole, CourseStaffRole

@@ -29,7 +29,7 @@ class CourseViewMixin(object):
    """
    lookup_field = 'course_id'
    authentication_classes = (OAuth2Authentication, SessionAuthentication,)
-    permission_classes = (IsAuthenticatedOrDebug,)
+    permission_classes = (IsAuthenticated,)

    def get_course_or_404(self):
        """

--- a/openedx/core/lib/api/permissions.py
+++ b/openedx/core/lib/api/permissions.py
@@ -35,19 +35,6 @@ class ApiKeyHeaderPermissionIsAuthenticated(ApiKeyHeaderPermission, permissions.
        return api_permissions or is_authenticated_permissions


-class IsAuthenticatedOrDebug(permissions.BasePermission):
-    """
-    Allows access only to authenticated users, or anyone if debug mode is enabled.
-    """
-
-    def has_permission(self, request, view):
-        if settings.DEBUG:
-            return True
-
-        user = getattr(request, 'user', None)
-        return user and user.is_authenticated()
-
-
 class IsUserInUrl(permissions.BasePermission):
    """
    Permission that checks to see if the request user matches the user in the URL.

--- a/openedx/core/lib/api/view_utils.py
+++ b/openedx/core/lib/api/view_utils.py
@@ -8,6 +8,7 @@ from django.utils.translation import ugettext as _

 from rest_framework import status, response
 from rest_framework.exceptions import APIException
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.mixins import RetrieveModelMixin, UpdateModelMixin
 from rest_framework.generics import GenericAPIView
@@ -20,7 +21,7 @@ from openedx.core.lib.api.authentication import (
    SessionAuthenticationAllowInactiveUser,
    OAuth2AuthenticationAllowInactiveUser,
 )
-from openedx.core.lib.api.permissions import IsUserInUrl, IsAuthenticatedOrDebug
+from openedx.core.lib.api.permissions import IsUserInUrl
 from util.milestones_helpers import any_unfulfilled_milestones


@@ -131,7 +132,7 @@ def view_auth_classes(is_user=False):
            OAuth2AuthenticationAllowInactiveUser,
            SessionAuthenticationAllowInactiveUser
        )
-        func_or_class.permission_classes = (IsAuthenticatedOrDebug,)
+        func_or_class.permission_classes = (IsAuthenticated,)
        if is_user:
            func_or_class.permission_classes += (IsUserInUrl,)
        return func_or_class