Deny anonymous reading.

35cac655 · Dave St.Germain · d2ee2430 · 35cac655 · 35cac655
Commit 35cac655 authored Aug 27, 2014 by Dave St.Germain
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 8 deletions

edxval/tests/test_views.py
+5 -3

edxval/views.py
+5 -5

No files found.
--- a/edxval/tests/test_views.py
+++ b/edxval/tests/test_views.py
@@ -24,7 +24,7 @@ class VideoDetail(APIAuthTestCase):

    # Tests for successful PUT requests.

-    def test_anonymous_readonly(self):
+    def test_anonymous_denied(self):
        """
        Tests that writing checks model permissions.
        """
@@ -32,6 +32,8 @@ class VideoDetail(APIAuthTestCase):
        url = reverse('video-list')
        response = self.client.post(url, constants.VIDEO_DICT_ANIMAL, format='json')
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    def test_no_perms(self):
        """
@@ -42,6 +44,8 @@ class VideoDetail(APIAuthTestCase):
        url = reverse('video-list')
        response = self.client.post(url, constants.VIDEO_DICT_ANIMAL, format='json')
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    def test_update_video(self):
        """
@@ -330,8 +334,6 @@ class VideoListTest(APIAuthTestCase):
        response = self.client.post(
            url, constants.COMPLETE_SET_FISH, format='json'
        )
-        # we can log out here, to test read-only
-        self._logout()
        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
        video = self.client.get("/edxval/video/").data
        self.assertEqual(len(video), 1)

--- a/edxval/views.py
+++ b/edxval/views.py
@@ -3,7 +3,7 @@ Views file for django app edxval.
 """

 from rest_framework import generics
-from rest_framework.permissions import DjangoModelPermissionsOrAnonReadOnly
+from rest_framework.permissions import DjangoModelPermissions
 from django.http import HttpResponse
 from django.shortcuts import get_object_or_404
 from django.views.decorators.http import last_modified
@@ -33,7 +33,7 @@ class VideoList(generics.ListCreateAPIView):
    """
    GETs or POST video objects
    """
-    permission_classes = (DjangoModelPermissionsOrAnonReadOnly,)
+    permission_classes = (DjangoModelPermissions,)
    queryset = Video.objects.all().prefetch_related("encoded_videos")
    lookup_field = "edx_video_id"
    serializer_class = VideoSerializer
@@ -43,7 +43,7 @@ class ProfileList(generics.ListCreateAPIView):
    """
    GETs or POST video objects
    """
-    permission_classes = (DjangoModelPermissionsOrAnonReadOnly,)
+    permission_classes = (DjangoModelPermissions,)
    queryset = Profile.objects.all()
    lookup_field = "profile_name"
    serializer_class = ProfileSerializer
@@ -53,7 +53,7 @@ class VideoDetail(generics.RetrieveUpdateDestroyAPIView):
    """
    Gets a video instance given its edx_video_id
    """
-    permission_classes = (DjangoModelPermissionsOrAnonReadOnly,)
+    permission_classes = (DjangoModelPermissions,)
    lookup_field = "edx_video_id"
    queryset = Video.objects.all()
    serializer_class = VideoSerializer
@@ -63,7 +63,7 @@ class SubtitleDetail(MultipleFieldLookupMixin, generics.RetrieveUpdateDestroyAPI
    """
    Gets a subtitle instance given its id
    """
-    permission_classes = (DjangoModelPermissionsOrAnonReadOnly,)
+    permission_classes = (DjangoModelPermissions,)
    lookup_fields = ("video__edx_video_id", "language")
    queryset = Subtitle.objects.all()
    serializer_class = SubtitleSerializer