Removed IsAuthenticatedOrDebug

IsAuthenticatedOrDebug hides problems in API client code: requests succeed unauthenticated in local environments where debug mode is enabled, and the same code then fails authentication once it is deployed to production.

XCOM-193
This commit is contained in:
Clinton Blackburn
2015-06-10 18:55:27 -04:00
parent a7e49c2113
commit 2da42d5efa
4 changed files with 6 additions and 38 deletions


@@ -35,19 +35,6 @@ class ApiKeyHeaderPermissionIsAuthenticated(ApiKeyHeaderPermission, permissions.
return api_permissions or is_authenticated_permissions
class IsAuthenticatedOrDebug(permissions.BasePermission):
"""
Allows access only to authenticated users, or anyone if debug mode is enabled.
"""
def has_permission(self, request, view):
if settings.DEBUG:
return True
user = getattr(request, 'user', None)
return user and user.is_authenticated()
class IsUserInUrl(permissions.BasePermission):
"""
Permission that checks to see if the request user matches the user in the URL.


@@ -8,6 +8,7 @@ from django.utils.translation import ugettext as _
from rest_framework import status, response
from rest_framework.exceptions import APIException
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.mixins import RetrieveModelMixin, UpdateModelMixin
from rest_framework.generics import GenericAPIView
@@ -20,7 +21,7 @@ from openedx.core.lib.api.authentication import (
SessionAuthenticationAllowInactiveUser,
OAuth2AuthenticationAllowInactiveUser,
)
from openedx.core.lib.api.permissions import IsUserInUrl, IsAuthenticatedOrDebug
from openedx.core.lib.api.permissions import IsUserInUrl
from util.milestones_helpers import any_unfulfilled_milestones
@@ -131,7 +132,7 @@ def view_auth_classes(is_user=False):
OAuth2AuthenticationAllowInactiveUser,
SessionAuthenticationAllowInactiveUser
)
func_or_class.permission_classes = (IsAuthenticatedOrDebug,)
func_or_class.permission_classes = (IsAuthenticated,)
if is_user:
func_or_class.permission_classes += (IsUserInUrl,)
return func_or_class
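Review bot: The new permission assignment on `func_or_class.permission_classes = (IsAuthenticated,)` deserves a why-comment, because the line it replaces silently granted access under settings.DEBUG and nothing in the hunk records that this bypass was removed on purpose; I would add `# Authentication is always required; settings.DEBUG no longer bypasses it (XCOM-193).` directly above it. The decorator's docstring, which begins outside the hunk in `view_auth_classes`, should likewise drop any mention of a debug-mode exemption if it has one, so callers do not expect the old behaviour. Worth stating in that docstring too is that the authentication classes listed just above are the AllowInactiveUser variants, so `IsAuthenticated` here admits inactive-but-authenticated users — that is visible from the names on the context lines and appears to be intended, but a reader should not have to infer it. The enclosing inner function ends at `return func_or_class`; the outer `view_auth_classes` continues past the hunk. The same import swap appears in the earlier hunk at `from openedx.core.lib.api.permissions import IsUserInUrl` and needs no separate note.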