Merge pull request #501 from edx/gprice/user-api-tweaks

User API Tweaks

lms/djangoapps/user_api/tests/test_views.py

@@ -122,6 +122,11 @@ class UserViewSetTest(UserApiTestCase):
     def test_list_unauthorized(self):
         self.assertHttpForbidden(self.client.get(self.LIST_URI))
 
+    @override_settings(DEBUG=True)
+    @override_settings(EDX_API_KEY=None)
+    def test_debug_auth(self):
+        self.assertHttpOK(self.client.get(self.LIST_URI))
+
     def test_get_list_empty(self):
         User.objects.all().delete()
         result = self.get_json(self.LIST_URI)
@@ -220,6 +225,11 @@ class UserPreferenceViewSetTest(UserApiTestCase):
     def test_list_unauthorized(self):
         self.assertHttpForbidden(self.client.get(self.LIST_URI))
 
+    @override_settings(DEBUG=True)
+    @override_settings(EDX_API_KEY=None)
+    def test_debug_auth(self):
+        self.assertHttpOK(self.client.get(self.LIST_URI))
+
     def test_get_list_empty(self):
         UserPreference.objects.all().delete()
         result = self.get_json(self.LIST_URI)
@@ -252,6 +262,26 @@ class UserPreferenceViewSetTest(UserApiTestCase):
             self.assertPrefIsValid(pref)
             self.assertEqual(pref["key"], "key0")
 
+    def test_get_list_filter_user_empty(self):
+        def test_id(user_id):
+            result = self.get_json(self.LIST_URI, data={"user": user_id})
+            self.assertEqual(result["count"], 0)
+            self.assertEqual(result["results"], [])
+        test_id(self.users[2].id)
+        # TODO: If the given id does not match a user, then the filter is a no-op
+        # test_id(42)
+        # test_id("asdf")
+
+    def test_get_list_filter_user_nonempty(self):
+        user_id = self.users[0].id
+        result = self.get_json(self.LIST_URI, data={"user": user_id})
+        self.assertEqual(result["count"], 2)
+        prefs = result["results"]
+        self.assertEqual(len(prefs), 2)
+        for pref in prefs:
+            self.assertPrefIsValid(pref)
+            self.assertEqual(pref["user"]["id"], user_id)
+
     def test_get_list_pagination(self):
         first_page = self.get_json(self.LIST_URI, data={"page_size": 2})
         self.assertEqual(first_page["count"], 3)

lms/djangoapps/user_api/views.py

@@ -12,11 +12,16 @@ class ApiKeyHeaderPermission(permissions.BasePermission):
         """
         Check for permissions by matching the configured API key and header
 
-        settings.EDX_API_KEY must be set, and the X-Edx-Api-Key HTTP header must
-        be present in the request and match the setting.
+        If settings.DEBUG is True and settings.EDX_API_KEY is not set or None,
+        then allow the request. Otherwise, allow the request if and only if
+        settings.EDX_API_KEY is set and the X-Edx-Api-Key HTTP header is
+        present in the request and matches the setting.
         """
         api_key = getattr(settings, "EDX_API_KEY", None)
-        return api_key is not None and request.META.get("HTTP_X_EDX_API_KEY") == api_key
+        return (
+            (settings.DEBUG and api_key is None) or
+            (api_key is not None and request.META.get("HTTP_X_EDX_API_KEY") == api_key)
+        )
 
 
 class UserViewSet(viewsets.ReadOnlyModelViewSet):
@@ -31,7 +36,7 @@ class UserPreferenceViewSet(viewsets.ReadOnlyModelViewSet):
     permission_classes = (ApiKeyHeaderPermission,)
     queryset = UserPreference.objects.all()
     filter_backends = (filters.DjangoFilterBackend,)
-    filter_fields = ("key",)
+    filter_fields = ("key", "user")
     serializer_class = UserPreferenceSerializer
     paginate_by = 10
     paginate_by_param = "page_size"

lms/envs/dev.py

@@ -257,7 +257,7 @@ if SEGMENT_IO_LMS_KEY:
 
 
 ########################## USER API ########################
-EDX_API_KEY = ''
+EDX_API_KEY = None
 
 #####################################################################
 # Lastly, see if the developer has any local overrides.