fix: add is_staff permission on endpoint (#27947)

2021-06-15 00:15:34 +05:00
parent fd937661e0
commit 7d0bf2b3e7
2 changed files with 21 additions and 3 deletions
--- a/openedx/core/djangoapps/user_api/accounts/tests/test_views.py
+++ b/openedx/core/djangoapps/user_api/accounts/tests/test_views.py
@@ -377,19 +377,28 @@ class TestAccountsAPI(CacheIsolationTestCase, UserAPITestCase):
        self._verify_full_account_response(response)

    def test_search_emails(self):
-        client = self.login_client('client', 'user')
+        client = self.login_client('staff_client', 'staff_user')
        json_data = {'emails': [self.user.email]}
        response = self.post_search_api(client, json_data=json_data)
        assert response.data == [{'email': self.user.email, 'id': self.user.id, 'username': self.user.username}]

-    def test_search_emails_with_non_existing_email(self):
+    def test_search_emails_with_non_staff_user(self):
        client = self.login_client('client', 'user')
+        json_data = {'emails': [self.user.email]}
+        response = self.post_search_api(client, json_data=json_data, expected_status=404)
+        assert response.data == {
+            'developer_message': "not_found",
+            'user_message': "Not Found"
+        }
+
+    def test_search_emails_with_non_existing_email(self):
+        client = self.login_client('staff_client', 'staff_user')
        json_data = {"emails": ['non_existant_email@example.com']}
        response = self.post_search_api(client, json_data=json_data)
        assert response.data == []

    def test_search_emails_with_invalid_param(self):
-        client = self.login_client('client', 'user')
+        client = self.login_client('staff_client', 'staff_user')
        json_data = {'invalid_key': [self.user.email]}
        response = self.post_search_api(client, json_data=json_data, expected_status=400)
        assert response.data == {
--- a/openedx/core/djangoapps/user_api/accounts/views.py
+++ b/openedx/core/djangoapps/user_api/accounts/views.py
@@ -344,6 +344,15 @@ class AccountViewSet(ViewSet):
            }
        ]
        """
+        if not request.user.is_staff:
+            return Response(
+                {
+                    'developer_message': 'not_found',
+                    'user_message': 'Not Found'
+                },
+                status=status.HTTP_404_NOT_FOUND
+            )
+
        try:
            user_emails = request.data['emails']
        except KeyError as error: