Commit fb5a8098 by Will Daly

Disable auth for login and registration end-points

parent d8eafc47
...@@ -111,6 +111,14 @@ class ApiTestCase(TestCase): ...@@ -111,6 +111,14 @@ class ApiTestCase(TestCase):
"""Assert that the given response has the status code 405""" """Assert that the given response has the status code 405"""
self.assertEqual(response.status_code, 405) self.assertEqual(response.status_code, 405)
def assertAuthDisabled(self, method, uri):
# Django rest framework interprets basic auth headers
# as an attempt to authenticate with the API.
# We don't want this for views available to anonymous users.
basic_auth_header = "Basic " + base64.b64encode('username:password')
response = getattr(self.client, method)(uri, HTTP_AUTHORIZATION=basic_auth_header)
self.assertNotEqual(response.status_code, 403)
class EmptyUserTestCase(ApiTestCase): class EmptyUserTestCase(ApiTestCase):
def test_get_list_empty(self): def test_get_list_empty(self):
...@@ -561,6 +569,10 @@ class LoginSessionViewTest(ApiTestCase): ...@@ -561,6 +569,10 @@ class LoginSessionViewTest(ApiTestCase):
super(LoginSessionViewTest, self).setUp() super(LoginSessionViewTest, self).setUp()
self.url = reverse("user_api_login_session") self.url = reverse("user_api_login_session")
@ddt.data("get", "post")
def test_auth_disabled(self, method):
self.assertAuthDisabled(method, self.url)
def test_allowed_methods(self): def test_allowed_methods(self):
self.assertAllowedMethods(self.url, ["GET", "POST", "HEAD", "OPTIONS"]) self.assertAllowedMethods(self.url, ["GET", "POST", "HEAD", "OPTIONS"])
...@@ -725,6 +737,10 @@ class RegistrationViewTest(ApiTestCase): ...@@ -725,6 +737,10 @@ class RegistrationViewTest(ApiTestCase):
super(RegistrationViewTest, self).setUp() super(RegistrationViewTest, self).setUp()
self.url = reverse("user_api_registration") self.url = reverse("user_api_registration")
@ddt.data("get", "post")
def test_auth_disabled(self, method):
self.assertAuthDisabled(method, self.url)
def test_allowed_methods(self): def test_allowed_methods(self):
self.assertAllowedMethods(self.url, ["GET", "POST", "HEAD", "OPTIONS"]) self.assertAllowedMethods(self.url, ["GET", "POST", "HEAD", "OPTIONS"])
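Review bot: `assertAuthDisabled` only rules out a 403, so it can pass while authentication is still being attempted on the view. Django REST framework answers a failed authentication with 401 rather than 403 when the first configured authentication class supplies a `WWW-Authenticate` header, as basic auth does, and an unexpected 500 would satisfy the check as well. Which authentication classes the project configures by default is not visible here, so a stricter check is safer: `self.assertNotIn(response.status_code, (401, 403))`, or assert the status each view should return for an anonymous request. The helper also lacks the one-line docstring its neighbours have, for example `"""Assert that a bogus basic auth header does not get the request rejected."""`.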
......
...@@ -50,6 +50,10 @@ class ApiKeyHeaderPermission(permissions.BasePermission): ...@@ -50,6 +50,10 @@ class ApiKeyHeaderPermission(permissions.BasePermission):
class LoginSessionView(APIView): class LoginSessionView(APIView):
"""HTTP end-points for logging in users. """ """HTTP end-points for logging in users. """
# This end-point is available to anonymous users,
# so do not require authentication.
authentication_classes = []
def get(self, request): def get(self, request):
"""Return a description of the login form. """Return a description of the login form.
...@@ -143,6 +147,10 @@ class RegistrationView(APIView): ...@@ -143,6 +147,10 @@ class RegistrationView(APIView):
"honor_code", "terms_of_service", "honor_code", "terms_of_service",
] ]
# This end-point is available to anonymous users,
# so do not require authentication.
authentication_classes = []
def _is_field_visible(self, field_name): def _is_field_visible(self, field_name):
"""Check whether a field is visible based on Django settings. """ """Check whether a field is visible based on Django settings. """
return self._extra_fields_setting.get(field_name) in ["required", "optional"] return self._extra_fields_setting.get(field_name) in ["required", "optional"]
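Review bot: With `authentication_classes = []` on `LoginSessionView` and `RegistrationView`, nothing in Django REST framework performs a CSRF check for these views, because `APIView` is CSRF-exempt and the framework's own check runs only inside `SessionAuthentication`. The `post` handlers lie outside these hunks, so confirm that they apply `method_decorator(csrf_protect)` or an equivalent explicitly; login CSRF is the relevant risk for these two end-points. A second consequence is that `request.user` is always anonymous here, even for a browser that already holds a session. The comment could say both, e.g. `# No authenticators run for this view: request.user is always anonymous and CSRF must be enforced explicitly.`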
......