From 7d0bf2b3e7142375fd1279d3a887c73998841e97 Mon Sep 17 00:00:00 2001
From: Muhammad Ammar
Date: Tue, 15 Jun 2021 00:15:34 +0500
Subject: [PATCH] fix: add is_staff permission on endpoint (#27947)

---
 .../user_api/accounts/tests/test_views.py | 15 ++++++++++++---
 .../core/djangoapps/user_api/accounts/views.py | 9 +++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/openedx/core/djangoapps/user_api/accounts/tests/test_views.py b/openedx/core/djangoapps/user_api/accounts/tests/test_views.py
index 6dd4235d25..6d9b4c4737 100644
--- a/openedx/core/djangoapps/user_api/accounts/tests/test_views.py
+++ b/openedx/core/djangoapps/user_api/accounts/tests/test_views.py
@@ -377,19 +377,28 @@ class TestAccountsAPI(CacheIsolationTestCase, UserAPITestCase):
         self._verify_full_account_response(response)
 
     def test_search_emails(self):
-        client = self.login_client('client', 'user')
+        client = self.login_client('staff_client', 'staff_user')
         json_data = {'emails': [self.user.email]}
         response = self.post_search_api(client, json_data=json_data)
         assert response.data == [{'email': self.user.email, 'id': self.user.id, 'username': self.user.username}]
 
-    def test_search_emails_with_non_existing_email(self):
+    def test_search_emails_with_non_staff_user(self):
         client = self.login_client('client', 'user')
+        json_data = {'emails': [self.user.email]}
+        response = self.post_search_api(client, json_data=json_data, expected_status=404)
+        assert response.data == {
+            'developer_message': "not_found",
+            'user_message': "Not Found"
+        }
+
+    def test_search_emails_with_non_existing_email(self):
+        client = self.login_client('staff_client', 'staff_user')
         json_data = {"emails": ['non_existant_email@example.com']}
         response = self.post_search_api(client, json_data=json_data)
         assert response.data == []
 
     def test_search_emails_with_invalid_param(self):
-        client = self.login_client('client', 'user')
+        client = self.login_client('staff_client', 'staff_user')
         json_data = {'invalid_key': [self.user.email]}
         response = self.post_search_api(client, json_data=json_data, expected_status=400)
         assert response.data == {
diff --git a/openedx/core/djangoapps/user_api/accounts/views.py b/openedx/core/djangoapps/user_api/accounts/views.py
index 3384c2a0b3..0befff9b3c 100644
--- a/openedx/core/djangoapps/user_api/accounts/views.py
+++ b/openedx/core/djangoapps/user_api/accounts/views.py
@@ -344,6 +344,15 @@ class AccountViewSet(ViewSet):
             }
         ]
         """
+        if not request.user.is_staff:
+            return Response(
+                {
+                    'developer_message': 'not_found',
+                    'user_message': 'Not Found'
+                },
+                status=status.HTTP_404_NOT_FOUND
+            )
+
         try:
             user_emails = request.data['emails']
         except KeyError as error:
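Review bot: `test_search_emails_with_non_staff_user` only exercises a logged-in non-staff account, so nothing in the suite pins down that an unauthenticated client is also kept away from the email-to-id/username lookup; a sibling test that posts with a client that never called `login_client` (Django's plain `self.client`, if the base class exposes it) and asserts `expected_status=404` would close that gap. The new assertion also mixes double-quoted `"not_found"` / `"Not Found"` with the single quotes used on the surrounding lines; `'developer_message': 'not_found'` and `'user_message': 'Not Found'` would match both the file's style and the literals the view returns. The test at the end of the hunk, `test_search_emails_with_invalid_param`, continues past the hunk.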
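Review bot: The new staff gate is an inline `request.user.is_staff` test inside the action body rather than a DRF permission, so the viewset's declared permissions say nothing about it and a later refactor that moves or reorders the body can drop it silently; the docstring that closes directly above the check also still does not mention the requirement. Answering 404 instead of 403 looks deliberate, presumably so non-staff callers cannot confirm that the lookup exists, and that intent is worth stating in place, e.g. `# Staff only. Answer 404 rather than 403 so non-staff callers cannot tell this lookup exists.`, plus a docstring line such as `Requires a staff user; every other caller receives 404.`. Note that `is_staff` is False on `AnonymousUser`, so unauthenticated requests also take this branch unless the viewset's authentication rejects them first, which is outside the hunk. The enclosing method starts before the hunk.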