Disable auth for login and registration end-points

fb5a8098 · Will Daly · d8eafc47 · fb5a8098 · fb5a8098
Commit fb5a8098 authored Oct 23, 2014 by Will Daly
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 0 deletions

common/djangoapps/user_api/tests/test_views.py
+16 -0

common/djangoapps/user_api/views.py
+8 -0

No files found.
--- a/common/djangoapps/user_api/tests/test_views.py
+++ b/common/djangoapps/user_api/tests/test_views.py
@@ -111,6 +111,14 @@ class ApiTestCase(TestCase):
        """Assert that the given response has the status code 405"""
        self.assertEqual(response.status_code, 405)

+    def assertAuthDisabled(self, method, uri):
+        # Django rest framework interprets basic auth headers
+        # as an attempt to authenticate with the API.
+        # We don't want this for views available to anonymous users.
+        basic_auth_header = "Basic " + base64.b64encode('username:password')
+        response = getattr(self.client, method)(uri, HTTP_AUTHORIZATION=basic_auth_header)
+        self.assertNotEqual(response.status_code, 403)
+

 class EmptyUserTestCase(ApiTestCase):
    def test_get_list_empty(self):
@@ -561,6 +569,10 @@ class LoginSessionViewTest(ApiTestCase):
        super(LoginSessionViewTest, self).setUp()
        self.url = reverse("user_api_login_session")

+    @ddt.data("get", "post")
+    def test_auth_disabled(self, method):
+        self.assertAuthDisabled(method, self.url)
+
    def test_allowed_methods(self):
        self.assertAllowedMethods(self.url, ["GET", "POST", "HEAD", "OPTIONS"])

@@ -725,6 +737,10 @@ class RegistrationViewTest(ApiTestCase):
        super(RegistrationViewTest, self).setUp()
        self.url = reverse("user_api_registration")

+    @ddt.data("get", "post")
+    def test_auth_disabled(self, method):
+        self.assertAuthDisabled(method, self.url)
+
    def test_allowed_methods(self):
        self.assertAllowedMethods(self.url, ["GET", "POST", "HEAD", "OPTIONS"])


--- a/common/djangoapps/user_api/views.py
+++ b/common/djangoapps/user_api/views.py
@@ -50,6 +50,10 @@ class ApiKeyHeaderPermission(permissions.BasePermission):
 class LoginSessionView(APIView):
    """HTTP end-points for logging in users. """

+    # This end-point is available to anonymous users,
+    # so do not require authentication.
+    authentication_classes = []
+
    def get(self, request):
        """Return a description of the login form.

@@ -143,6 +147,10 @@ class RegistrationView(APIView):
        "honor_code", "terms_of_service",
    ]

+    # This end-point is available to anonymous users,
+    # so do not require authentication.
+    authentication_classes = []
+
    def _is_field_visible(self, field_name):
        """Check whether a field is visible based on Django settings. """
        return self._extra_fields_setting.get(field_name) in ["required", "optional"]