Merge pull request #17869 from edx/waheed/LEARNER-1220-fix-enabling-debug-allows-api-access-without-authentication

Fix enabling debug allows api access without authentication.
2018-04-04 16:50:04 +05:00
parent 1a76384959 20e7a15ac6
commit 80efe99df4
2 changed files with 8 additions and 12 deletions
--- a/openedx/core/djangoapps/user_api/tests/test_views.py
+++ b/openedx/core/djangoapps/user_api/tests/test_views.py
@@ -171,7 +171,7 @@ class RoleTestCase(UserApiTestCase):
    @override_settings(DEBUG=True)
    @override_settings(EDX_API_KEY=None)
    def test_debug_auth(self):
-        self.assertHttpOK(self.client.get(self.LIST_URI))
+        self.assertHttpForbidden(self.client.get(self.LIST_URI))

    @override_settings(DEBUG=False)
    @override_settings(EDX_API_KEY=TEST_API_KEY)
@@ -256,7 +256,7 @@ class UserViewSetTest(UserApiTestCase):
    @override_settings(DEBUG=True)
    @override_settings(EDX_API_KEY=None)
    def test_debug_auth(self):
-        self.assertHttpOK(self.client.get(self.LIST_URI))
+        self.assertHttpForbidden(self.client.get(self.LIST_URI))

    @override_settings(DEBUG=False)
    @override_settings(EDX_API_KEY=TEST_API_KEY)
@@ -372,7 +372,7 @@ class UserPreferenceViewSetTest(CacheIsolationTestCase, UserApiTestCase):
    @override_settings(DEBUG=True)
    @override_settings(EDX_API_KEY=None)
    def test_debug_auth(self):
-        self.assertHttpOK(self.client.get(self.LIST_URI))
+        self.assertHttpForbidden(self.client.get(self.LIST_URI))

    def test_get_list_nonempty(self):
        result = self.get_json(self.LIST_URI)
@@ -509,7 +509,7 @@ class PreferenceUsersListViewTest(UserApiTestCase):
    @override_settings(DEBUG=True)
    @override_settings(EDX_API_KEY=None)
    def test_debug_auth(self):
-        self.assertHttpOK(self.client.get(self.LIST_URI))
+        self.assertHttpForbidden(self.client.get(self.LIST_URI))

    def test_get_basic(self):
        result = self.get_json(self.LIST_URI)
--- a/openedx/core/lib/api/permissions.py
+++ b/openedx/core/lib/api/permissions.py
@@ -21,17 +21,13 @@ class ApiKeyHeaderPermission(permissions.BasePermission):
        """
        Check for permissions by matching the configured API key and header

-        If settings.DEBUG is True and settings.EDX_API_KEY is not set or None,
-        then allow the request. Otherwise, allow the request if and only if
-        settings.EDX_API_KEY is set and the X-Edx-Api-Key HTTP header is
-        present in the request and matches the setting.
+        Allow the request if and only if settings.EDX_API_KEY is set and
+        the X-Edx-Api-Key HTTP header is present in the request and
+        matches the setting.
        """
        api_key = getattr(settings, "EDX_API_KEY", None)

-        if settings.DEBUG and api_key is None:
-            return True
-
-        elif api_key is not None and request.META.get("HTTP_X_EDX_API_KEY") == api_key:
+        if api_key is not None and request.META.get("HTTP_X_EDX_API_KEY") == api_key:
            audit_log("ApiKeyHeaderPermission used",
                      path=request.path,
                      ip=request.META.get("REMOTE_ADDR"))