Updates to the API Endpoint to remove the Staff users ability to get all

Entitlements

common/djangoapps/entitlements/api/v1/tests/test_views.py

@@ -120,8 +120,9 @@ class EntitlementViewSetTest(ModuleStoreTestCase):
         results = response.data.get('results', [])  # pylint: disable=no-member
         assert results == CourseEntitlementSerializer([entitlement], many=True).data
 
-    def test_staff_get_all_entitlements(self):
-        entitlements = CourseEntitlementFactory.create_batch(2)
+    def test_staff_not_get_all_entitlements(self):
+        CourseEntitlementFactory.create_batch(2)
+        entitlement = CourseEntitlementFactory.create(user=self.user)
 
         response = self.client.get(
             self.entitlements_list_url,
@@ -130,7 +131,7 @@ class EntitlementViewSetTest(ModuleStoreTestCase):
         assert response.status_code == 200
 
         results = response.data.get('results', [])
-        assert results == CourseEntitlementSerializer(entitlements, many=True).data
+        assert results == CourseEntitlementSerializer([entitlement], many=True).data
 
     def test_get_user_entitlements(self):
         user2 = UserFactory()

common/djangoapps/entitlements/api/v1/views.py

@@ -26,9 +26,20 @@ class EntitlementViewSet(viewsets.ModelViewSet):
 
     def get_queryset(self):
         user = self.request.user
-        if user.is_staff:
-            return CourseEntitlement.objects.all().select_related('user')
-        return CourseEntitlement.objects.filter(user=user).select_related('user')
+
+        if self.request.method in permissions.SAFE_METHODS:
+            if (user.is_staff and
+                    (self.request.query_params.get('user', None) is not None or
+                     self.kwargs.get('uuid', None) is not None)):
+                # Return the full query set so that the Filters class can be used to apply,
+                # - The UUID Filter
+                # - The User Filter to the GET request
+                return CourseEntitlement.objects.all().select_related('user')
+            # Non Staff Users will only be able to retrieve their own entitlements
+            return CourseEntitlement.objects.filter(user=user).select_related('user')
+        # All other methods require the full Query set and the Permissions class already restricts access to them
+        # to Admin users
+        return CourseEntitlement.objects.all().select_related('user')
 
     def perform_destroy(self, instance):
         """