Merge pull request #531 from edx/hotfix/jsa/user_api_basic_auth

make user api work with basic auth
2013-07-30 14:52:27 -07:00
parent 45d7444edf fc5d4aa745
commit c7ff657b4d
2 changed files with 17 additions and 0 deletions
--- a/lms/djangoapps/user_api/tests/test_views.py
+++ b/lms/djangoapps/user_api/tests/test_views.py
@@ -1,3 +1,5 @@
+import base64
+
 from django.contrib.auth.models import User
 from django.test import TestCase
 from django.test.utils import override_settings
@@ -31,6 +33,9 @@ class UserApiTestCase(TestCase):
            UserPreferenceFactory.create(user=self.users[1], key="key0")
        ]

+    def basic_auth(self, username, password):
+        return {'HTTP_AUTHORIZATION': 'Basic ' + base64.b64encode('%s:%s' % (username, password))}
+
    def request_with_auth(self, method, *args, **kwargs):
        """Issue a get request to the given URI with the API key header"""
        return getattr(self.client, method)(*args, HTTP_X_EDX_API_KEY=TEST_API_KEY, **kwargs)
@@ -127,6 +132,15 @@ class UserViewSetTest(UserApiTestCase):
    def test_debug_auth(self):
        self.assertHttpOK(self.client.get(self.LIST_URI))

+    @override_settings(DEBUG=False)
+    @override_settings(EDX_API_KEY=TEST_API_KEY)
+    def test_basic_auth(self):
+        # ensure that having basic auth headers in the mix does not break anything
+        self.assertHttpOK(
+                self.request_with_auth("get", self.LIST_URI, **self.basic_auth('someuser', 'somepass')))
+        self.assertHttpForbidden(
+                self.client.get(self.LIST_URI, **self.basic_auth('someuser', 'somepass')))
+
    def test_get_list_empty(self):
        User.objects.all().delete()
        result = self.get_json(self.LIST_URI)
--- a/lms/djangoapps/user_api/views.py
+++ b/lms/djangoapps/user_api/views.py
@@ -1,5 +1,6 @@
 from django.conf import settings
 from django.contrib.auth.models import User
+from rest_framework import authentication
 from rest_framework import filters
 from rest_framework import permissions
 from rest_framework import viewsets
@@ -25,6 +26,7 @@ class ApiKeyHeaderPermission(permissions.BasePermission):


 class UserViewSet(viewsets.ReadOnlyModelViewSet):
+    authentication_classes = (authentication.SessionAuthentication,)
    permission_classes = (ApiKeyHeaderPermission,)
    queryset = User.objects.all()
    serializer_class = UserSerializer
@@ -33,6 +35,7 @@ class UserViewSet(viewsets.ReadOnlyModelViewSet):


 class UserPreferenceViewSet(viewsets.ReadOnlyModelViewSet):
+    authentication_classes = (authentication.SessionAuthentication,)
    permission_classes = (ApiKeyHeaderPermission,)
    queryset = UserPreference.objects.all()
    filter_backends = (filters.DjangoFilterBackend,)