diff --git a/lms/djangoapps/commerce/api/v0/tests/test_views.py b/lms/djangoapps/commerce/api/v0/tests/test_views.py
index 4215be4d23..8724ffb86b 100644
--- a/lms/djangoapps/commerce/api/v0/tests/test_views.py
+++ b/lms/djangoapps/commerce/api/v0/tests/test_views.py
@@ -100,10 +100,10 @@ class BasketsViewTests(EnrollmentEventTestMixin, UserMixin, ModuleStoreTestCase)
 def test_login_required(self):
 """
- The view should return HTTP 403 status if the user is not logged in.
+ The view should return HTTP 401 status if the user is not logged in.
 """
 self.client.logout()
- self.assertEqual(403, self._post_to_view().status_code)
+ self.assertEqual(401, self._post_to_view().status_code)
 @ddt.data('delete', 'get', 'put')
 def test_post_required(self, method):
diff --git a/lms/djangoapps/commerce/api/v0/views.py b/lms/djangoapps/commerce/api/v0/views.py
index 4dc28a2491..7a39f6ba44 100644
--- a/lms/djangoapps/commerce/api/v0/views.py
+++ b/lms/djangoapps/commerce/api/v0/views.py
@@ -5,6 +5,7 @@ from django.urls import reverse
 from edx_rest_api_client import exceptions
 from opaque_keys import InvalidKeyError
 from opaque_keys.edx.keys import CourseKey
+from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
 from rest_framework.authentication import SessionAuthentication
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.status import HTTP_406_NOT_ACCEPTABLE, HTTP_409_CONFLICT
@@ -35,7 +36,9 @@ class BasketsView(APIView):
 """ Creates a basket with a course seat and enrolls users. """
 # LMS utilizes User.user_is_active to indicate email verification, not whether an account is active. Sigh!
- authentication_classes = (EnrollmentCrossDomainSessionAuth, OAuth2AuthenticationAllowInactiveUser)
+ authentication_classes = (JwtAuthentication,
+ OAuth2AuthenticationAllowInactiveUser,
+ EnrollmentCrossDomainSessionAuth)
 permission_classes = (IsAuthenticated,)
 def _is_data_valid(self, request):
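Review bot: No test in this hunk exercises a basket POST authenticated with a JWT, although that is the credential path the commit adds to `BasketsView`; only the logged-out expectation in `test_login_required` is changed. A test that posts with a valid JWT and expects the same outcome as the session case, and one with a malformed or expired token expecting 401, would pin the new behaviour. The move from 403 to 401 is visible to API clients, so the docstring could give the reason, e.g. `401 because the first authentication class now supplies a WWW-Authenticate header.` The test class continues outside the hunk.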
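Review bot: The comment above `authentication_classes` justifies the allow-inactive OAuth2 class, but `JwtAuthentication` is now first in the tuple and nothing visible here shows how it treats a user whose `is_active` is false. If it rejects such users, an email-unverified learner would be accepted or refused depending on which credential the client sends, so this should be confirmed and stated in the comment. The order itself is behaviour: DRF takes the 401/403 decision for unauthenticated requests from the first class, and an authenticator that raises on a bad credential stops the later ones from being tried. I would add `# Order matters: the first class decides 401 vs 403, and a rejected JWT is not retried as a session.` above the tuple. The body of BasketsView continues outside the hunk.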