From 20e7a15ac696f828cb33cf6b40975a5a1aae8c72 Mon Sep 17 00:00:00 2001
From: Waheed Ahmed
Date: Wed, 4 Apr 2018 12:18:10 +0500
Subject: [PATCH] Fix enabling debug allows api access without authentication. LEARNER-1220
---
 openedx/core/djangoapps/user_api/tests/test_views.py | 8 ++++----
 openedx/core/lib/api/permissions.py | 12 ++++--------
 2 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/openedx/core/djangoapps/user_api/tests/test_views.py b/openedx/core/djangoapps/user_api/tests/test_views.py
index 4535f117de..74170807b0 100644
--- a/openedx/core/djangoapps/user_api/tests/test_views.py
+++ b/openedx/core/djangoapps/user_api/tests/test_views.py
@@ -171,7 +171,7 @@ class RoleTestCase(UserApiTestCase):
 @override_settings(DEBUG=True)
 @override_settings(EDX_API_KEY=None)
 def test_debug_auth(self):
- self.assertHttpOK(self.client.get(self.LIST_URI))
+ self.assertHttpForbidden(self.client.get(self.LIST_URI))
 @override_settings(DEBUG=False)
 @override_settings(EDX_API_KEY=TEST_API_KEY)
@@ -256,7 +256,7 @@ class UserViewSetTest(UserApiTestCase):
 @override_settings(DEBUG=True)
 @override_settings(EDX_API_KEY=None)
 def test_debug_auth(self):
- self.assertHttpOK(self.client.get(self.LIST_URI))
+ self.assertHttpForbidden(self.client.get(self.LIST_URI))
 @override_settings(DEBUG=False)
 @override_settings(EDX_API_KEY=TEST_API_KEY)
@@ -372,7 +372,7 @@ class UserPreferenceViewSetTest(CacheIsolationTestCase, UserApiTestCase):
 @override_settings(DEBUG=True)
 @override_settings(EDX_API_KEY=None)
 def test_debug_auth(self):
- self.assertHttpOK(self.client.get(self.LIST_URI))
+ self.assertHttpForbidden(self.client.get(self.LIST_URI))
 def test_get_list_nonempty(self):
 result = self.get_json(self.LIST_URI)
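Review bot: `test_debug_auth` in RoleTestCase now asserts the opposite of what its name implies — with DEBUG=True and EDX_API_KEY=None the request must be rejected — so the name still reads as if debug mode authenticates the caller; the same applies to the identical hunks in UserViewSetTest, UserPreferenceViewSetTest and PreferenceUsersListViewTest. A docstring on each would pin the intent for the next reader: `"""DEBUG=True must not bypass API-key auth when EDX_API_KEY is unset."""`. This case only exercises the key-unset path; unless such a test already exists elsewhere in the file, a sibling with DEBUG=True, EDX_API_KEY=TEST_API_KEY and no X-Edx-Api-Key header sent would pin the other half of the fix, namely that debug mode does not relax the header check when a key is configured.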
@@ -509,7 +509,7 @@ class PreferenceUsersListViewTest(UserApiTestCase):
 @override_settings(DEBUG=True)
 @override_settings(EDX_API_KEY=None)
 def test_debug_auth(self):
- self.assertHttpOK(self.client.get(self.LIST_URI))
+ self.assertHttpForbidden(self.client.get(self.LIST_URI))
 def test_get_basic(self):
 result = self.get_json(self.LIST_URI)
diff --git a/openedx/core/lib/api/permissions.py b/openedx/core/lib/api/permissions.py
index 6bbf3eef15..4f712a5c01 100644
--- a/openedx/core/lib/api/permissions.py
+++ b/openedx/core/lib/api/permissions.py
@@ -21,17 +21,13 @@ class ApiKeyHeaderPermission(permissions.BasePermission):
 """
 Check for permissions by matching the configured API key and header
- If settings.DEBUG is True and settings.EDX_API_KEY is not set or None,
- then allow the request. Otherwise, allow the request if and only if
- settings.EDX_API_KEY is set and the X-Edx-Api-Key HTTP header is
- present in the request and matches the setting.
+ Allow the request if and only if settings.EDX_API_KEY is set and
+ the X-Edx-Api-Key HTTP header is present in the request and
+ matches the setting.
 """
 api_key = getattr(settings, "EDX_API_KEY", None)
- if settings.DEBUG and api_key is None:
- return True
-
- elif api_key is not None and request.META.get("HTTP_X_EDX_API_KEY") == api_key:
+ if api_key is not None and request.META.get("HTTP_X_EDX_API_KEY") == api_key:
 audit_log("ApiKeyHeaderPermission used", path=request.path, ip=request.META.get("REMOTE_ADDR"))