From 4f0415f5cb7f8322a0738cb1d55c7102464d3aef Mon Sep 17 00:00:00 2001
From: stvn
Date: Tue, 13 Apr 2021 14:46:34 -0700
Subject: [PATCH 1/2] test: Add tests for discussions API access

This checks for expected API access [1]; data integrity will be checked later [2]. This work exposes that the code currently does _not_ grant access to _course_ staff, only _global_ staff. This is being addressed next [3]. Fix: TNL-8229 [1] - [1] https://openedx.atlassian.net/browse/TNL-8229 - [2] https://openedx.atlassian.net/browse/TNL-8230 - [3] https://openedx.atlassian.net/browse/TNL-8231
---
 .../discussions/tests/test_views.py | 93 +++++++++++++++++++
 1 file changed, 93 insertions(+)
 create mode 100644 openedx/core/djangoapps/discussions/tests/test_views.py

diff --git a/openedx/core/djangoapps/discussions/tests/test_views.py b/openedx/core/djangoapps/discussions/tests/test_views.py
new file mode 100644
index 0000000000..42f4e2af05
--- /dev/null
+++ b/openedx/core/djangoapps/discussions/tests/test_views.py
@@ -0,0 +1,93 @@
+"""
+Test app view logic
+"""
+# pylint: disable=test-inherits-tests
+import unittest
+
+from django.conf import settings
+from django.urls import reverse
+from opaque_keys.edx.keys import CourseKey
+from rest_framework import status
+from rest_framework.test import APITestCase
+
+from common.djangoapps.student.tests.factories import UserFactory
+from lms.djangoapps.courseware.tests.factories import GlobalStaffFactory
+from lms.djangoapps.courseware.tests.factories import StaffFactory
+
+
+@unittest.skipUnless(settings.ROOT_URLCONF == 'lms.urls', 'URLs are only configured in LMS')
+class ApiTest(APITestCase):
+ """
+ Test basic API operations
+ """
+ def setUp(self):
+ super().setUp()
+ self.course_key = CourseKey.from_string('course-v1:Test+Course+Configured')
+ self.url = reverse(
+ 'discussions',
+ kwargs={
+ 'course_key_string': str(self.course_key),
+ }
+ )
+ self.password = 'password'
+ self.user_student = UserFactory(username='dummy', password=self.password)
+ self.user_staff_course = StaffFactory(course_key=self.course_key, password=self.password)
+ self.user_staff_global = GlobalStaffFactory(password=self.password)
+
+
+class UnauthorizedApiTest(ApiTest):
+ """
+ Logged-out users should _not_ have any access
+ """
+
+ expected_response_code = status.HTTP_401_UNAUTHORIZED
+
+ def test_access_get(self):
+ response = self.client.get(self.url)
+ assert response.status_code == self.expected_response_code
+
+ def test_access_patch(self):
+ response = self.client.patch(self.url)
+ assert response.status_code == self.expected_response_code
+
+ def test_access_post(self):
+ response = self.client.post(self.url)
+ assert response.status_code == self.expected_response_code
+
+ def test_access_put(self):
+ response = self.client.put(self.url)
+ assert response.status_code == self.expected_response_code
+
+
+class AuthenticatedApiTest(UnauthorizedApiTest):
+ """
+ Logged-in users should _not_ have any access
+ """
+
+ expected_response_code = status.HTTP_403_FORBIDDEN
+
+ def setUp(self):
+ super().setUp()
+ self._login()
+
+ def _login(self):
+ self.client.login(username=self.user_student.username, password=self.password)
+
+
+class AuthorizedApiTest(AuthenticatedApiTest):
+ """
+ Global Staff should have access to all supported methods
+ """
+
+ expected_response_code = status.HTTP_200_OK
+
+ def _login(self):
+ self.client.login(username=self.user_staff_global.username, password=self.password)
+
+ def test_access_patch(self):
+ response = self.client.patch(self.url)
+ assert response.status_code == status.HTTP_405_METHOD_NOT_ALLOWED
+
+ def test_access_put(self):
+ response = self.client.put(self.url)
+ assert response.status_code == status.HTTP_405_METHOD_NOT_ALLOWED

From eba78682c91070492d8f91905048a94a6f5d306e Mon Sep 17 00:00:00 2001
From: stvn
Date: Tue, 13 Apr 2021 15:04:22 -0700
Subject: [PATCH 2/2] test: Test (incorrect) behavior of discussions API access

As implemented, course staff members will not have access to this API endpoint. This will be addressed with pending work [1]. - [1] https://openedx.atlassian.net/browse/TNL-8231
---
 .../core/djangoapps/discussions/tests/test_views.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/openedx/core/djangoapps/discussions/tests/test_views.py b/openedx/core/djangoapps/discussions/tests/test_views.py
index 42f4e2af05..7fc6228ad0 100644
--- a/openedx/core/djangoapps/discussions/tests/test_views.py
+++ b/openedx/core/djangoapps/discussions/tests/test_views.py
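Review bot: Both `_login` helpers discard the boolean returned by `self.client.login`, so a login that fails (for example, a factory user that is not active) leaves the client anonymous: the 403 and 200 expectations then fail with a misleading 401, and any subclass that expects 401 passes for the wrong reason. Asserting on the result, `assert self.client.login(username=self.user_student.username, password=self.password)` in `AuthenticatedApiTest._login` and the same form with `self.user_staff_global` in `AuthorizedApiTest._login`, reports the fixture failure where it happens. It is also worth stating in the `AuthorizedApiTest` docstring that PATCH and PUT are expected to yield 405 only for an authorized caller, since the inherited tests pin 401/403 for everyone else — the suite encodes that authorization is checked before method support but never names it.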
@@ -91,3 +91,15 @@ class AuthorizedApiTest(AuthenticatedApiTest):
 def test_access_put(self):
 response = self.client.put(self.url)
 assert response.status_code == status.HTTP_405_METHOD_NOT_ALLOWED
+
+
+class CourseStaffAuthorizedTest(UnauthorizedApiTest):
+ """
+ Course Staff should have the same access as Global Staff
+
+ TODO: This behavior should be changed to _allow_ access [1]
+ - [1] https://openedx.atlassian.net/browse/TNL-8231
+ """
+
+ def _login(self):
+ self.client.login(username=self.user_staff_course.username, password=self.password)
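Review bot: `CourseStaffAuthorizedTest._login` is never invoked: the class derives from `UnauthorizedApiTest`, whose `setUp` is inherited from `ApiTest` (outside this hunk) and does not call `_login`; only `AuthenticatedApiTest.setUp` does. The four inherited tests therefore run with an anonymous client and pass on 401, which asserts nothing about course staff, so a later change that grants (or breaks) their access would go unnoticed. Basing the class on the authenticated fixture, `class CourseStaffAuthorizedTest(AuthenticatedApiTest):`, performs the login and pins the current behaviour as 403 Forbidden for a logged-in course-staff user, which is what the commit message describes. The docstring's first line should then say what is actually asserted, e.g. `Course Staff currently get no access (same as any logged-in user); see TNL-8231`, with the TODO kept.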