From 79ca56c3db7c529e2bc6baf94aadd66a51e19364 Mon Sep 17 00:00:00 2001 From: stephensanchez Date: Wed, 3 Dec 2014 22:47:40 +0000 Subject: [PATCH] Allowing email optin to work on register. --- .../djangoapps/user_api/tests/test_views.py | 15 ++++++ common/djangoapps/user_api/views.py | 48 ++++++++++++++++++- 2 files changed, 62 insertions(+), 1 deletion(-) diff --git a/common/djangoapps/user_api/tests/test_views.py b/common/djangoapps/user_api/tests/test_views.py index 76f839fb48..17069f2171 100644 --- a/common/djangoapps/user_api/tests/test_views.py +++ b/common/djangoapps/user_api/tests/test_views.py @@ -1526,3 +1526,18 @@ class UpdateEmailOptInTestCase(ApiTestCase): response = self.client.post(self.url, params) self.assertHttpBadRequest(response) + + def test_update_email_opt_in_inactive_user(self): + """Test that an inactive user can still update email.""" + self.user.is_active = False + self.user.save() + # Register, which should trigger an activation email + response = self.client.post(self.url, { + "course_id": unicode(self.course.id), + "email_opt_in": u"True" + }) + self.assertHttpOK(response) + preference = UserOrgTag.objects.get( + user=self.user, org=self.course.id.org, key="email-optin" + ) + self.assertEquals(preference.value, u"True") diff --git a/common/djangoapps/user_api/views.py b/common/djangoapps/user_api/views.py index 39ce384eed..73b066efea 100644 --- a/common/djangoapps/user_api/views.py +++ b/common/djangoapps/user_api/views.py @@ -47,6 +47,52 @@ class ApiKeyHeaderPermission(permissions.BasePermission): ) +class SessionAuthenticationAllowInactiveUser(authentication.SessionAuthentication): + """Ensure that the user is logged in, but do not require the account to be active. + + We use this in the special case that a user has created an account, + but has not yet activated it. We still want to allow the user to + enroll in courses, so we remove the usual restriction + on session authentication that requires an active account. + + You should use this authentication class ONLY for end-points that + it's safe for an un-activated user to access. For example, + we can allow a user to update his/her own enrollments without + activating an account. + + """ + def authenticate(self, request): + """Authenticate the user, requiring a logged-in account and CSRF. + + This is exactly the same as the `SessionAuthentication` implementation, + with the `user.is_active` check removed. + + Args: + request (HttpRequest) + + Returns: + Tuple of `(user, token)` + + Raises: + PermissionDenied: The CSRF token check failed. + + """ + # Get the underlying HttpRequest object + request = request._request # pylint: disable=protected-access + user = getattr(request, 'user', None) + + # Unauthenticated, CSRF validation not required + # This is where regular `SessionAuthentication` checks that the user is active. + # We have removed that check in this implementation. + if not user: + return None + + self.enforce_csrf(request) + + # CSRF passed with authenticated user + return (user, None) + + class LoginSessionView(APIView): """HTTP end-points for logging in users. """ @@ -842,7 +888,7 @@ class PreferenceUsersListView(generics.ListAPIView): class UpdateEmailOptInPreference(APIView): """View for updating the email opt in preference. """ - authentication_classes = (authentication.SessionAuthentication,) + authentication_classes = (SessionAuthenticationAllowInactiveUser,) @method_decorator(require_post_params(["course_id", "email_opt_in"])) @method_decorator(ensure_csrf_cookie)