mattdrayer/api-session-del-user-check: Guard against some negative cases

lms/djangoapps/api_manager/sessions/test_login_ratelimit.py

@@ -16,6 +16,7 @@ from django.test.utils import override_settings
 from django.utils.translation import ugettext as _
 from django.core.cache import cache
 from student.tests.factories import UserFactory
+from student.models import UserProfile
 
 TEST_API_KEY = str(uuid.uuid4())
 
@@ -34,6 +35,9 @@ class SessionApiRateLimitingProtectionTest(TestCase):
         self.user = UserFactory.build(username='test', email='test@edx.org')
         self.user.set_password('test_password')
         self.user.save()
+        profile = UserProfile(user=self.user)
+        profile.city = 'Boston'
+        profile.save()
 
         # Create the test client
         self.client = Client()

lms/djangoapps/api_manager/sessions/test_security.py

@@ -14,6 +14,7 @@ from django.test.client import Client
 from django.test.utils import override_settings
 from django.utils.translation import ugettext as _
 from django.core.cache import cache
+from student.models import UserProfile
 from student.tests.factories import UserFactory
 
 TEST_API_KEY = str(uuid.uuid4())
@@ -35,6 +36,9 @@ class SessionApiSecurityTest(TestCase):
         self.user = UserFactory.build(username='test', email='test@edx.org')
         self.user.set_password('test_password')
         self.user.save()
+        profile = UserProfile(user=self.user)
+        profile.city = 'Boston'
+        profile.save()
 
         # Create the test client
         self.client = Client()

lms/djangoapps/api_manager/sessions/tests.py

@@ -151,3 +151,8 @@ class SessionsApiTests(TestCase):
         self.assertEqual(response.status_code, 204)
         response = self.do_get(test_uri)
         self.assertEqual(response.status_code, 404)
+
+    def test_session_detail_delete_invalid_session(self):
+        test_uri = self.base_sessions_uri + "214viouadblah124324blahblah"
+        response = self.do_delete(test_uri)
+        self.assertEqual(response.status_code, 204)

lms/djangoapps/api_manager/sessions/views.py

@@ -29,7 +29,7 @@ class SessionsList(SecureAPIView):
     """
     **Use Case**
 
-        SessionsList creates a new session with the edX LMS. 
+        SessionsList creates a new session with the edX LMS.
 
     **Example Request**
 
@@ -137,7 +137,7 @@ class SessionsDetail(SecureAPIView):
         * token: A unique token value for the session.
         * expires: The number of seconds until the session expires.
         * user_id: The unique user identifier.
-        * uri: The URI to use to get details about the session.     
+        * uri: The URI to use to get details about the session.
     """
 
     def get(self, request, session_id):
@@ -162,11 +162,13 @@ class SessionsDetail(SecureAPIView):
             return Response(response_data, status=status.HTTP_404_NOT_FOUND)
 
     def delete(self, request, session_id):
-        response_data = {}
         engine = import_module(settings.SESSION_ENGINE)
         session = engine.SessionStore(session_id)
+        if session is None or not SESSION_KEY in session:
+            return Response({}, status=status.HTTP_204_NO_CONTENT)
         user_id = session[SESSION_KEY]
-        AUDIT_LOG.info(u"API::User session terminated for user-id - {0}".format(user_id))
         session.flush()
-        logout(request)
-        return Response(response_data, status=status.HTTP_204_NO_CONTENT)
+        if request.user is not None and not request.user.is_anonymous():
+            logout(request)
+        AUDIT_LOG.info(u"API::User session terminated for user-id - {0}".format(user_id))
+        return Response({}, status=status.HTTP_204_NO_CONTENT)