Commit b44864b3 by Douglas Hall Committed by Marko Jevtic

Check API View kwargs for username when checking for staff or owner permission

parent 7849d2d9
...@@ -156,4 +156,5 @@ class IsStaffOrOwner(permissions.BasePermission): ...@@ -156,4 +156,5 @@ class IsStaffOrOwner(permissions.BasePermission):
user = request.user user = request.user
return user.is_staff \ return user.is_staff \
or (user.username == request.GET.get('username')) \ or (user.username == request.GET.get('username')) \
or (user.username == getattr(request, 'data', {}).get('username')) or (user.username == getattr(request, 'data', {}).get('username')) \
or (user.username == getattr(view, 'kwargs', {}).get('username'))
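Review bot: The new `view.kwargs` check on the last line is OR'ed with the existing `request.GET` and `request.data` checks, so a request whose URL kwarg names another user is still granted whenever the query string or the body carries the caller's own username, while the view then acts on the kwarg it was routed with. Since the kwarg is what the URL resolver produced, it should take precedence and the other two sources only fill in when it is absent: `username = getattr(view, 'kwargs', {}).get('username') or request.GET.get('username') or getattr(request, 'data', {}).get('username')` followed by `return user.is_staff or (bool(username) and user.username == username)`. The `bool(username)` guard also stops an empty value from matching (`?username=` yields `''`, and an `AnonymousUser` carries `username == ''`); whether that case is already excluded by another permission class on the view is not visible in the hunk. `has_permission` begins outside the hunk, so its docstring, if any, should also name `view.kwargs` as a source of the owner username.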
...@@ -5,6 +5,7 @@ from django.contrib.auth.models import AnonymousUser ...@@ -5,6 +5,7 @@ from django.contrib.auth.models import AnonymousUser
from django.http import Http404 from django.http import Http404
from django.test import TestCase, RequestFactory from django.test import TestCase, RequestFactory
from nose.plugins.attrib import attr from nose.plugins.attrib import attr
from rest_framework.generics import GenericAPIView
from student.roles import CourseStaffRole, CourseInstructorRole from student.roles import CourseStaffRole, CourseInstructorRole
from openedx.core.lib.api.permissions import ( from openedx.core.lib.api.permissions import (
...@@ -159,6 +160,15 @@ class IsStaffOrOwnerTests(TestCase): ...@@ -159,6 +160,15 @@ class IsStaffOrOwnerTests(TestCase):
request.user = user request.user = user
self.assertTrue(self.permission.has_permission(request, None)) self.assertTrue(self.permission.has_permission(request, None))
def test_has_permission_with_view_kwargs_as_owner_with_get(self):
""" Owners always have permission to make GET actions. """
user = UserFactory.create()
request = RequestFactory().get('/')
request.user = user
view = GenericAPIView()
view.kwargs = {'username': user.username}
self.assertTrue(self.permission.has_permission(request, view))
@ddt.data('patch', 'post', 'put') @ddt.data('patch', 'post', 'put')
def test_has_permission_as_owner_with_edit(self, action): def test_has_permission_as_owner_with_edit(self, action):
""" Owners always have permission to edit. """ """ Owners always have permission to edit. """
...@@ -176,3 +186,12 @@ class IsStaffOrOwnerTests(TestCase): ...@@ -176,3 +186,12 @@ class IsStaffOrOwnerTests(TestCase):
request = RequestFactory().get('/?username={}'.format(user.username)) request = RequestFactory().get('/?username={}'.format(user.username))
request.user = UserFactory.create() request.user = UserFactory.create()
self.assertFalse(self.permission.has_permission(request, None)) self.assertFalse(self.permission.has_permission(request, None))
def test_has_permission_with_view_kwargs_as_non_owner(self):
""" Non-owners should not have permission. """
user = UserFactory.create()
request = RequestFactory().get('/')
request.user = user
view = GenericAPIView()
view.kwargs = {'username': UserFactory.create().username}
self.assertFalse(self.permission.has_permission(request, view))
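Review bot: Both new tests exercise `view.kwargs` in isolation on a bare `/` request, so the interaction with the other two username sources is left untested: a request built with `RequestFactory().get('/?username={}'.format(user.username))` combined with `view.kwargs = {'username': UserFactory.create().username}` passes the current disjunction, and that is the case worth pinning with an explicit assertion once the intended outcome is agreed. A hand-constructed `GenericAPIView()` has no `kwargs` attribute until the test assigns one, so a sibling assertion on such a view without the assignment would cover the `getattr(view, 'kwargs', {})` default path. The enclosing test class continues outside the hunk.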