Allow user API access in dev environments

This is achieved by allowing access if settings.DEBUG is True and settings.EDX_API_KEY is not set or None (which is true for dev.py)

Allow user API access in dev environments
This is achieved by allowing access if settings.DEBUG is True and settings.EDX_API_KEY is not set or None (which is true for dev.py)
6418a1cf · Greg Price · c6b51782 · 6418a1cf · 6418a1cf · 6418a1cf
Commit 6418a1cf authored Jul 25, 2013 by Greg Price
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 4 deletions

lms/djangoapps/user_api/tests/test_views.py
+10 -0

lms/djangoapps/user_api/views.py
+8 -3

lms/envs/dev.py
+1 -1

No files found.
--- a/lms/djangoapps/user_api/tests/test_views.py
+++ b/lms/djangoapps/user_api/tests/test_views.py
@@ -122,6 +122,11 @@ class UserViewSetTest(UserApiTestCase):
    def test_list_unauthorized(self):
        self.assertHttpForbidden(self.client.get(self.LIST_URI))

+    @override_settings(DEBUG=True)
+    @override_settings(EDX_API_KEY=None)
+    def test_debug_auth(self):
+        self.assertHttpOK(self.client.get(self.LIST_URI))
+
    def test_get_list_empty(self):
        User.objects.all().delete()
        result = self.get_json(self.LIST_URI)
@@ -220,6 +225,11 @@ class UserPreferenceViewSetTest(UserApiTestCase):
    def test_list_unauthorized(self):
        self.assertHttpForbidden(self.client.get(self.LIST_URI))

+    @override_settings(DEBUG=True)
+    @override_settings(EDX_API_KEY=None)
+    def test_debug_auth(self):
+        self.assertHttpOK(self.client.get(self.LIST_URI))
+
    def test_get_list_empty(self):
        UserPreference.objects.all().delete()
        result = self.get_json(self.LIST_URI)

--- a/lms/djangoapps/user_api/views.py
+++ b/lms/djangoapps/user_api/views.py
@@ -12,11 +12,16 @@ class ApiKeyHeaderPermission(permissions.BasePermission):
        """
        Check for permissions by matching the configured API key and header

-        settings.EDX_API_KEY must be set, and the X-Edx-Api-Key HTTP header must
-        be present in the request and match the setting.
+        If settings.DEBUG is True and settings.EDX_API_KEY is not set or None,
+        then allow the request. Otherwise, allow the request if and only if
+        settings.EDX_API_KEY is set and the X-Edx-Api-Key HTTP header is
+        present in the request and matches the setting.
        """
        api_key = getattr(settings, "EDX_API_KEY", None)
-        return api_key is not None and request.META.get("HTTP_X_EDX_API_KEY") == api_key
+        return (
+            (settings.DEBUG and api_key is None) or
+            (api_key is not None and request.META.get("HTTP_X_EDX_API_KEY") == api_key)
+        )


 class UserViewSet(viewsets.ReadOnlyModelViewSet):

--- a/lms/envs/dev.py
+++ b/lms/envs/dev.py
@@ -257,7 +257,7 @@ if SEGMENT_IO_LMS_KEY:


 ########################## USER API ########################
-EDX_API_KEY = ''
+EDX_API_KEY = None

 #####################################################################
 # Lastly, see if the developer has any local overrides.