From e5ba2a58017c57042449949ca80d0d036a642c19 Mon Sep 17 00:00:00 2001
From: Clinton Blackburn <cblackburn@edx.org>
Date: Mon, 27 Jul 2015 11:23:20 -0400
Subject: [PATCH] White-listed course detail API calls

XCOM-518
---
 common/djangoapps/embargo/middleware.py            |  4 ++++
 common/djangoapps/embargo/tests/test_middleware.py | 31 +++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/common/djangoapps/embargo/middleware.py b/common/djangoapps/embargo/middleware.py
index 8f56037..a8a285a 100644
--- a/common/djangoapps/embargo/middleware.py
+++ b/common/djangoapps/embargo/middleware.py
@@ -54,6 +54,10 @@ class EmbargoMiddleware(object):
         # accidentally lock ourselves out of Django admin
         # during testing.
         re.compile(r'^/admin/'),
+
+        # Do not block access to course metadata. This information is needed for
+        # sever-to-server calls.
+        re.compile(r'^/api/course_structure/v[\d+]/courses/{}/$'.format(settings.COURSE_ID_PATTERN)),
     ]
 
     def __init__(self):
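Review bot: The character class `[\d+]` in the added allow-list pattern matches exactly one character that is either a digit or a literal `+`, so a path such as `/api/course_structure/v+/courses/<id>/` is exempted from the embargo check while a two-digit version like `v10` is not. Because every entry in this list bypasses the IP and country rules, the pattern should match only what is intended: `re.compile(r'^/api/course_structure/v\d+/courses/{}/$'.format(settings.COURSE_ID_PATTERN)),`. The comment above it has a typo ("sever-to-server" should read "server-to-server"). It could also state that the exempted endpoint still relies on the view's own authentication and permission checks, which is presumably the case but is not visible in this hunk. The list and the class body continue outside the hunk.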
diff --git a/common/djangoapps/embargo/tests/test_middleware.py b/common/djangoapps/embargo/tests/test_middleware.py
index b3c16fa..ccdc95d 100644
--- a/common/djangoapps/embargo/tests/test_middleware.py
+++ b/common/djangoapps/embargo/tests/test_middleware.py
@@ -170,3 +170,34 @@ class EmbargoMiddlewareAccessTests(UrlResetMixin, ModuleStoreTestCase):
         # even though we would have been blocked by country
         # access rules.
         self.assertEqual(response.status_code, 200)
+
+    @patch.dict(settings.FEATURES, {'EMBARGO': True})
+    def test_always_allow_course_detail_access(self):
+        """ Access to the Course Structure API's course detail endpoint should always be granted. """
+        # Make the user staff so that it has permissions to access the views.
+        self.user.is_staff = True
+        self.user.save()  # pylint: disable=no-member
+
+        # Blacklist an IP address
+        ip_address = "192.168.10.20"
+        IPFilter.objects.create(
+            blacklist=ip_address,
+            enabled=True
+        )
+
+        url = reverse('course_structure_api:v0:detail', kwargs={'course_id': unicode(self.course.id)})
+        response = self.client.get(
+            url,
+            HTTP_X_FORWARDED_FOR=ip_address,
+            REMOTE_ADDR=ip_address
+        )
+        self.assertEqual(response.status_code, 200)
+
+        # Test with a fully-restricted course
+        with restrict_course(self.course.id):
+            response = self.client.get(
+                url,
+                HTTP_X_FORWARDED_FOR=ip_address,
+                REMOTE_ADDR=ip_address
+            )
+            self.assertEqual(response.status_code, 200)
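Review bot: Both assertions in `test_always_allow_course_detail_access` only check for a 200 on the allow-listed URL, so the test would also pass if the `IPFilter` entry or `restrict_course` were not taking effect at all. A control request from the same `ip_address` to a URL that is not on the allow-list, asserting the blocked response, would show that the exemption is what lets the request through. The test covers only `v0`; a case for a path that must stay blocked, such as a different endpoint under `/api/course_structure/` or a malformed version segment, would pin the width of the regex. It would also help to note in the docstring that the user is made staff only to satisfy the view's permission check, not the embargo middleware.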
--
libgit2 0.26.0