From b37a986656331d3e94f1c137bfa338f08218fe8a Mon Sep 17 00:00:00 2001
From: "zia.fazal@arbisoft.com"
Date: Wed, 8 Apr 2020 14:53:32 +0500
Subject: [PATCH] Added global staff permission to third party auth users API

---
 .../third_party_auth/api/permissions.py | 3 ++-
 .../api/tests/test_permissions.py | 24 +++++++++----------
 2 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/common/djangoapps/third_party_auth/api/permissions.py b/common/djangoapps/third_party_auth/api/permissions.py
index 91f5e9fa71..94da048a6a 100644
--- a/common/djangoapps/third_party_auth/api/permissions.py
+++ b/common/djangoapps/third_party_auth/api/permissions.py
@@ -6,6 +6,7 @@ import logging
 
 from edx_rest_framework_extensions.auth.jwt.decoder import decode_jwt_filters
 from edx_rest_framework_extensions.permissions import (
+    IsStaff,
     IsSuperuser,
     JwtHasScope,
     JwtRestrictedApplication,
@@ -51,7 +52,7 @@ class JwtHasTpaProviderFilterForRequestedProvider(BasePermission):
 # TODO: Remove ApiKeyHeaderPermission. Check deprecated_api_key_header custom metric for active usage.
 _NOT_JWT_RESTRICTED_TPA_PERMISSIONS = (
     C(NotJwtRestrictedApplication) &
-    (C(IsSuperuser) | ApiKeyHeaderPermission)
+    (C(IsSuperuser) | ApiKeyHeaderPermission | C(IsStaff))
 )
 _JWT_RESTRICTED_TPA_PERMISSIONS = (
     C(JwtRestrictedApplication) &
diff --git a/common/djangoapps/third_party_auth/api/tests/test_permissions.py b/common/djangoapps/third_party_auth/api/tests/test_permissions.py
index 447c6f8214..ab9d3e42be 100644
--- a/common/djangoapps/third_party_auth/api/tests/test_permissions.py
+++ b/common/djangoapps/third_party_auth/api/tests/test_permissions.py
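Review bot: The new `C(IsStaff)` alternative in `_NOT_JWT_RESTRICTED_TPA_PERMISSIONS` widens who can reach this API from superusers (and API-key callers) to every account carrying Django's `is_staff` flag, and nothing in the hunk scopes that access by provider — the JWT-restricted branch references a `JwtHasTpaProviderFilterForRequestedProvider` check, while this branch shows no equivalent filter. That is presumably intended (the subject says "global staff"), but it is an authorization boundary and belongs at the definition, not only in the commit subject; I would add above the tuple `# Global staff (is_staff) gets the same access as superusers on this non-JWT-restricted path; no per-provider scoping is applied here.` The `_JWT_RESTRICTED_TPA_PERMISSIONS` definition continues past the end of the hunk, so I cannot confirm from here that the restricted-application path was deliberately left without `IsStaff` — a sentence in the description stating that would help reviewers of the next change.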
@@ -36,8 +36,8 @@ class ThirdPartyAuthPermissionTest(TestCase):
         def get(self, request, provider_id=None):
             return Response(data="Success")
 
-    def _create_user(self, is_superuser=False):
-        return UserFactory(username='this_user', is_superuser=is_superuser)
+    def _create_user(self, is_superuser=False, is_staff=False):
+        return UserFactory(username='this_user', is_superuser=is_superuser, is_staff=is_staff)
 
     def _create_request(self, auth_header=None):
         url = '/'
@@ -56,21 +56,19 @@ class ThirdPartyAuthPermissionTest(TestCase):
         response = self.SomeTpaClassView().dispatch(request)
         self.assertEqual(response.status_code, 401)
 
-    def test_session_superuser_succeeds(self):
-        user = self._create_user(is_superuser=True)
+    @ddt.data(
+        (True, False, 200),
+        (False, True, 200),
+        (False, False, 403),
+    )
+    @ddt.unpack
+    def test_session_with_user_permission(self, is_superuser, is_staff, expected_status_code):
+        user = self._create_user(is_superuser=is_superuser, is_staff=is_staff)
         request = self._create_request()
         self._create_session(request, user)
 
         response = self.SomeTpaClassView().dispatch(request)
-        self.assertEqual(response.status_code, 200)
-
-    def test_session_user_fails(self):
-        user = self._create_user()
-        request = self._create_request()
-        self._create_session(request, user)
-
-        response = self.SomeTpaClassView().dispatch(request)
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, expected_status_code)
 
     @ddt.data(
         # unrestricted (for example, jwt cookies)
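Review bot: The new ddt cases in `test_session_with_user_permission` only prove that a staff session succeeds on the session (non-JWT-restricted) path; nothing here shows that `is_staff` alone does not also satisfy the JWT-restricted-application permissions, which this commit leaves unchanged. If the JWT cases in the `@ddt.data` block that begins at the end of this hunk do not already include a staff, non-superuser user expecting 403 under a restricted application, add one so that a later edit dropping `IsStaff` into the restricted tuple is caught by tests rather than in production. Adding `(True, True, 200)` to the session data is cheap and documents that the two flags are independent. That trailing `@ddt.data` block continues outside the hunk.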