From fb5a8098de77814f255ad9aa58f38bf7aeaf783a Mon Sep 17 00:00:00 2001
From: Will Daly
Date: Thu, 23 Oct 2014 10:18:52 -0400
Subject: [PATCH] Disable auth for login and registration end-points

---
 common/djangoapps/user_api/tests/test_views.py | 16 ++++++++++++++++
 common/djangoapps/user_api/views.py            |  8 ++++++++
 2 files changed, 24 insertions(+)

diff --git a/common/djangoapps/user_api/tests/test_views.py b/common/djangoapps/user_api/tests/test_views.py
index 3014a94dbd..f84420ee79 100644
--- a/common/djangoapps/user_api/tests/test_views.py
+++ b/common/djangoapps/user_api/tests/test_views.py
@@ -111,6 +111,14 @@ class ApiTestCase(TestCase):
         """Assert that the given response has the status code 405"""
         self.assertEqual(response.status_code, 405)
 
+    def assertAuthDisabled(self, method, uri):
+        # Django rest framework interprets basic auth headers
+        # as an attempt to authenticate with the API.
+        # We don't want this for views available to anonymous users.
+        basic_auth_header = "Basic " + base64.b64encode('username:password')
+        response = getattr(self.client, method)(uri, HTTP_AUTHORIZATION=basic_auth_header)
+        self.assertNotEqual(response.status_code, 403)
+
 
 class EmptyUserTestCase(ApiTestCase):
     def test_get_list_empty(self):
@@ -561,6 +569,10 @@ class LoginSessionViewTest(ApiTestCase):
         super(LoginSessionViewTest, self).setUp()
         self.url = reverse("user_api_login_session")
 
+    @ddt.data("get", "post")
+    def test_auth_disabled(self, method):
+        self.assertAuthDisabled(method, self.url)
+
     def test_allowed_methods(self):
         self.assertAllowedMethods(self.url, ["GET", "POST", "HEAD", "OPTIONS"])
 
@@ -725,6 +737,10 @@ class RegistrationViewTest(ApiTestCase):
         super(RegistrationViewTest, self).setUp()
         self.url = reverse("user_api_registration")
 
+    @ddt.data("get", "post")
+    def test_auth_disabled(self, method):
+        self.assertAuthDisabled(method, self.url)
+
     def test_allowed_methods(self):
         self.assertAllowedMethods(self.url, ["GET", "POST", "HEAD", "OPTIONS"])
 
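Review bot: `self.assertNotEqual(response.status_code, 403)` in assertAuthDisabled is weaker than its comment implies: when the first configured DRF authenticator supplies a `WWW-Authenticate` header (BasicAuthentication does), a rejected credential is answered with 401 rather than 403, so the test can pass while the header is still being interpreted; which authenticators the project configures is not visible here. A tighter check compares against the same request made without the header, e.g. `baseline = getattr(self.client, method)(uri)` followed by `self.assertEqual(response.status_code, baseline.status_code)`, or at minimum `self.assertNotIn(response.status_code, [401, 403])`. The helper also relies on `base64` already being imported in test_views.py, which this patch does not add; if it is not at module top the test fails with NameError rather than testing anything. `base64.b64encode('username:password')` on a str literal works only on Python 2; `b64encode(b'username:password')` is the same on both.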
diff --git a/common/djangoapps/user_api/views.py b/common/djangoapps/user_api/views.py
index d93ed7bb2b..a0a8cfd19a 100644
--- a/common/djangoapps/user_api/views.py
+++ b/common/djangoapps/user_api/views.py
@@ -50,6 +50,10 @@ class ApiKeyHeaderPermission(permissions.BasePermission):
 
 class LoginSessionView(APIView):
     """HTTP end-points for logging in users. """
 
+    # This end-point is available to anonymous users,
+    # so do not require authentication.
+    authentication_classes = []
+
     def get(self, request):
         """Return a description of the login form.
@@ -143,6 +147,10 @@ class RegistrationView(APIView):
         "honor_code",
         "terms_of_service",
     ]
+    # This end-point is available to anonymous users,
+    # so do not require authentication.
+    authentication_classes = []
+
     def _is_field_visible(self, field_name):
         """Check whether a field is visible based on Django settings. """
         return self._extra_fields_setting.get(field_name) in ["required", "optional"]
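Review bot: `authentication_classes = []` on LoginSessionView means DRF performs no CSRF check at all on the POST (APIView is csrf_exempt at the Django level, and SessionAuthentication, which is the only stock DRF authenticator that enforces CSRF, is now absent), so protection against login CSRF rests entirely on whatever the POST handler further down the class does, which is outside this hunk; worth confirming that path validates the token. The same applies to RegistrationView in the next hunk. Because every request to these views is now anonymous, they also depend on the project-wide DEFAULT_PERMISSION_CLASSES being permissive; stating it on the class, `permission_classes = [permissions.AllowAny]`, makes the intent explicit and keeps the views working if that default is ever tightened (`permissions` is already imported in this module). Both class bodies continue beyond their hunks.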