Merge pull request #20060 from edx/douglashall/ARCH-586

ARCH-586 Always send 404 response on requests for non-existent user accounts.
Douglas Hall
2019-03-27 12:42:24 -04:00
committed by GitHub
2 changed files with 3 additions and 3 deletions


@@ -323,7 +323,7 @@ class TestAccountsAPI(CacheIsolationTestCase, UserAPITestCase):
"""
client = self.login_client(api_client, user)
response = client.get(reverse("accounts_api", kwargs={'username': "does_not_exist"}))
self.assertEqual(403 if user == "staff_user" else 404, response.status_code)
self.assertEqual(404, response.status_code)
# Note: using getattr so that the patching works even if there is no configuration.
# This is needed when testing CMS as the patching is still executed even though the
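Review bot: Only the single-username route (`accounts_api` with `does_not_exist`) is asserted here, while the commit also changes the `except UserNotFound` branch of the lookup that takes several `usernames`. A matching assertion for that path, run with a staff client as well as a regular one, would pin the new 404 there too. The test method starts above the hunk, so its docstring is not visible; if it still describes a 403 for staff it should be updated alongside the assertion.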


@@ -287,7 +287,7 @@ class AccountViewSet(ViewSet):
account_settings = get_account_settings(
request, usernames, view=request.query_params.get('view'))
except UserNotFound:
return Response(status=status.HTTP_403_FORBIDDEN if request.user.is_staff else status.HTTP_404_NOT_FOUND)
return Response(status=status.HTTP_404_NOT_FOUND)
return Response(account_settings)
@@ -299,7 +299,7 @@ class AccountViewSet(ViewSet):
account_settings = get_account_settings(
request, [username], view=request.query_params.get('view'))
except UserNotFound:
return Response(status=status.HTTP_403_FORBIDDEN if request.user.is_staff else status.HTTP_404_NOT_FOUND)
return Response(status=status.HTTP_404_NOT_FOUND)
return Response(account_settings[0])
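Review bot: The two `except UserNotFound` branches are now identical, and neither records why the staff-specific 403 was dropped. A short comment on each, such as `# Same 404 for every caller: the status must not depend on the requester's role.`, would keep a later edit from reintroducing the split. In the branch that passes `usernames`, one unknown name still turns the whole response into a 404 with no body; that appears intended, but the view's docstring (outside these hunks) should state it, and should no longer mention a 403 for staff if it does. Both method bodies begin and end outside the visible hunks.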