Check API View kwargs for username when checking for staff or owner permission

b44864b3 · Douglas Hall · Marko Jevtic · 7849d2d9 · b44864b3 · b44864b3
Commit b44864b3 authored Dec 27, 2016 by Douglas Hall Committed by Marko Jevtic Jan 11, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 1 deletions

openedx/core/lib/api/permissions.py
+2 -1

openedx/core/lib/api/tests/test_permissions.py
+19 -0

No files found.
--- a/openedx/core/lib/api/permissions.py
+++ b/openedx/core/lib/api/permissions.py
@@ -156,4 +156,5 @@ class IsStaffOrOwner(permissions.BasePermission):
        user = request.user
        return user.is_staff \
            or (user.username == request.GET.get('username')) \
-            or (user.username == getattr(request, 'data', {}).get('username'))
+            or (user.username == getattr(request, 'data', {}).get('username')) \
+            or (user.username == getattr(view, 'kwargs', {}).get('username'))
--- a/openedx/core/lib/api/tests/test_permissions.py
+++ b/openedx/core/lib/api/tests/test_permissions.py
@@ -5,6 +5,7 @@ from django.contrib.auth.models import AnonymousUser
 from django.http import Http404
 from django.test import TestCase, RequestFactory
 from nose.plugins.attrib import attr
+from rest_framework.generics import GenericAPIView

 from student.roles import CourseStaffRole, CourseInstructorRole
 from openedx.core.lib.api.permissions import (
@@ -159,6 +160,15 @@ class IsStaffOrOwnerTests(TestCase):
        request.user = user
        self.assertTrue(self.permission.has_permission(request, None))

+    def test_has_permission_with_view_kwargs_as_owner_with_get(self):
+        """ Owners always have permission to make GET actions. """
+        user = UserFactory.create()
+        request = RequestFactory().get('/')
+        request.user = user
+        view = GenericAPIView()
+        view.kwargs = {'username': user.username}
+        self.assertTrue(self.permission.has_permission(request, view))
+
    @ddt.data('patch', 'post', 'put')
    def test_has_permission_as_owner_with_edit(self, action):
        """ Owners always have permission to edit. """
@@ -176,3 +186,12 @@ class IsStaffOrOwnerTests(TestCase):
        request = RequestFactory().get('/?username={}'.format(user.username))
        request.user = UserFactory.create()
        self.assertFalse(self.permission.has_permission(request, None))
+
+    def test_has_permission_with_view_kwargs_as_non_owner(self):
+        """ Non-owners should not have permission. """
+        user = UserFactory.create()
+        request = RequestFactory().get('/')
+        request.user = user
+        view = GenericAPIView()
+        view.kwargs = {'username': UserFactory.create().username}
+        self.assertFalse(self.permission.has_permission(request, view))