Merge pull request #16751 from edx/aj/stafF_entitlement_permissions

Updates to the API Endpoint to remove the Staff users ability to get all

Merge pull request #16751 from edx/aj/stafF_entitlement_permissions
Updates to the API Endpoint to remove the Staff users ability to get all
48c40cf0 · Albert (AJ) St. Aubin · GitHub · 141bee32 · dfa7b73a · 48c40cf0
Unverified Commit 48c40cf0 authored Dec 04, 2017 by Albert (AJ) St. Aubin Committed by GitHub Dec 04, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 6 deletions

common/djangoapps/entitlements/api/v1/tests/test_views.py
+4 -3

common/djangoapps/entitlements/api/v1/views.py
+14 -3

No files found.
--- a/common/djangoapps/entitlements/api/v1/tests/test_views.py
+++ b/common/djangoapps/entitlements/api/v1/tests/test_views.py
@@ -120,8 +120,9 @@ class EntitlementViewSetTest(ModuleStoreTestCase):
        results = response.data.get('results', [])  # pylint: disable=no-member
        assert results == CourseEntitlementSerializer([entitlement], many=True).data

-    def test_staff_get_all_entitlements(self):
-        entitlements = CourseEntitlementFactory.create_batch(2)
+    def test_staff_not_get_all_entitlements(self):
+        CourseEntitlementFactory.create_batch(2)
+        entitlement = CourseEntitlementFactory.create(user=self.user)

        response = self.client.get(
            self.entitlements_list_url,
@@ -130,7 +131,7 @@ class EntitlementViewSetTest(ModuleStoreTestCase):
        assert response.status_code == 200

        results = response.data.get('results', [])
-        assert results == CourseEntitlementSerializer(entitlements, many=True).data
+        assert results == CourseEntitlementSerializer([entitlement], many=True).data

    def test_get_user_entitlements(self):
        user2 = UserFactory()

--- a/common/djangoapps/entitlements/api/v1/views.py
+++ b/common/djangoapps/entitlements/api/v1/views.py
@@ -26,9 +26,20 @@ class EntitlementViewSet(viewsets.ModelViewSet):

    def get_queryset(self):
        user = self.request.user
-        if user.is_staff:
-            return CourseEntitlement.objects.all().select_related('user')
-        return CourseEntitlement.objects.filter(user=user).select_related('user')
+
+        if self.request.method in permissions.SAFE_METHODS:
+            if (user.is_staff and
+                    (self.request.query_params.get('user', None) is not None or
+                     self.kwargs.get('uuid', None) is not None)):
+                # Return the full query set so that the Filters class can be used to apply,
+                # - The UUID Filter
+                # - The User Filter to the GET request
+                return CourseEntitlement.objects.all().select_related('user')
+            # Non Staff Users will only be able to retrieve their own entitlements
+            return CourseEntitlement.objects.filter(user=user).select_related('user')
+        # All other methods require the full Query set and the Permissions class already restricts access to them
+        # to Admin users
+        return CourseEntitlement.objects.all().select_related('user')

    def perform_destroy(self, instance):
        """