Commit c9088071 by Clinton Blackburn

Corrected permission class and test

- The permission now checks the correct request attribute (GET instead of data).
- The Credit API view test has been updated to verify that the owner is granted access to their own data, not only that other users are denied.

 ECOM-3096
parent d370b0aa
......@@ -660,7 +660,18 @@ class CreditEligibilityViewTests(AuthMixin, UserMixin, ReadOnlyMixin, TestCase):
def test_nonstaff_can_only_view_own_data(self):
""" Verify that non-staff users can only view their own eligibility data. """
user = UserFactory(password=self.password)
eligibility = CreditEligibilityFactory(username=user.username)
url = self.create_url(eligibility)
# Verify user can view own data
self.client.logout()
self.client.login(username=user.username, password=self.password)
response = self.client.get(self.path)
response = self.client.get(url)
self.assertEqual(response.status_code, 200)
# User should not be able to view data for other users.
alt_user = UserFactory(password=self.password)
alt_eligibility = CreditEligibilityFactory(username=alt_user.username)
url = self.create_url(alt_eligibility)
response = self.client.get(url)
self.assertEqual(response.status_code, 403)
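Review bot: The new assertions cover the owner's own record and another user's record, but not a non-staff request that omits the `username` query parameter, which is exactly the input the permission's switch to `request.GET.get('username')` now decides on (the lookup returns None, so the owner branch is False). Adding `response = self.client.get(self.path)` followed by `self.assertEqual(response.status_code, 403)` after the existing 403 assertion would pin that a non-staff user cannot read eligibility data without naming themselves; whether `self.path` is an unfiltered endpoint is inferred from the removed line, so confirm the expected status. It would also be worth a comment above the alt_user block such as `# Ownership is decided from ?username=, so a different username in the query must be rejected.` so the next reader knows why the URL, not the login, is what changes between the two requests.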
......@@ -92,4 +92,4 @@ class IsStaffOrOwner(permissions.BasePermission):
def has_permission(self, request, view):
user = request.user
return user.is_staff or (user.username == request.data.get('username'))
return user.is_staff or (user.username == request.GET.get('username'))
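Review bot: With the comparison now reading `request.GET.get('username')`, an unauthenticated request to `?username=` (empty value) would satisfy `user.username == ''`, since Django's AnonymousUser carries an empty username, unless the view also applies an authentication-requiring permission that is not visible in this hunk. Restricting the owner branch to real users closes that gap: `return user.is_staff or (user.is_authenticated() and user.username == request.GET.get('username'))` (on Django 1.10+ `is_authenticated` is a property, so drop the call). Because the lookup is query-string only, this class is now correct solely for views that pass `username` as a query parameter; a one-line comment such as `# Owner is identified by the ?username= query parameter, not the request body.` would make that contract explicit before the class is reused on non-GET endpoints. The enclosing class IsStaffOrOwner starts outside the hunk.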