From ee7555e85fb935b192d713f2512948978ac4afc5 Mon Sep 17 00:00:00 2001
From: Ahsan Ulhaq
Date: Wed, 26 Sep 2018 17:13:17 +0500
Subject: [PATCH] update usage of SessionAuthenticationAllowInactiveUser LEARNER-6469
---
common/djangoapps/enrollment/views.py | 7 +--
.../djangoapps/third_party_auth/api/views.py | 6 +-
lms/djangoapps/badges/api/views.py | 6 +-
lms/djangoapps/ccx/api/v0/views.py | 6 +-
lms/djangoapps/certificates/apis/v0/views.py | 7 +--
lms/djangoapps/experiments/views.py | 3 +-
lms/djangoapps/grades/api/v1/views.py | 7 +--
.../core/djangoapps/profile_images/views.py | 6 +-
.../djangoapps/user_api/accounts/views.py | 7 +--
.../djangoapps/user_api/preferences/views.py | 6 +-
openedx/core/djangoapps/user_api/views.py | 2 +-
openedx/core/lib/api/authentication.py | 47 -------------------
openedx/core/lib/api/view_utils.py | 7 +--
requirements/edx/base.txt | 2 +-
requirements/edx/development.txt | 2 +-
requirements/edx/testing.txt | 2 +-
16 files changed, 26 insertions(+), 97 deletions(-)
diff --git a/common/djangoapps/enrollment/views.py b/common/djangoapps/enrollment/views.py
index 35ecb2f994..e41203cdb4 100644
--- a/common/djangoapps/enrollment/views.py
+++ b/common/djangoapps/enrollment/views.py
@@ -10,7 +10,7 @@ from django.db import transaction
 from django.contrib.auth import get_user_model
 from django.core.exceptions import ObjectDoesNotExist
 from django.utils.decorators import method_decorator
-from edx_rest_framework_extensions.authentication import JwtAuthentication
+from edx_rest_framework_extensions.authentication import JwtAuthentication, SessionAuthenticationAllowInactiveUser
 from enrollment import api
 from enrollment.errors import CourseEnrollmentError, CourseEnrollmentExistsError, CourseModeNotFoundError
 from opaque_keys import InvalidKeyError
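Review bot: The `+` import line now takes `SessionAuthenticationAllowInactiveUser` from edx-drf-extensions (bumped to 1.10.0 in requirements/edx/base.txt), but nothing in the commit shows or states that the upstream class keeps the contract of the in-repo class deleted in openedx/core/lib/api/authentication.py, which returned `None` for anonymous users and called `self.enforce_csrf(request)` before returning `(user, None)`. A test that calls one of this module's session-authenticated views without a CSRF token, and one with an inactive account, would pin both properties across the dependency swap. The deleted docstring's restriction — use the class only for endpoints an un-activated user may safely reach — leaves this codebase with it and is worth keeping as a comment beside the remaining `OAuth2AuthenticationAllowInactiveUser` import, e.g. `# Both *AllowInactiveUser classes skip the is_active check; use only on endpoints safe for un-activated accounts.` The same import swap is made in third_party_auth, badges, ccx, certificates, experiments, grades, profile_images, user_api (accounts, preferences, views) and openedx/core/lib/api/view_utils.py; and if `SessionAuthentication` was imported into authentication.py only as the removed class's base, that import (outside the hunk) is presumably now unused there.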
@@ -23,10 +23,7 @@ from openedx.core.djangoapps.user_api.accounts.permissions import CanRetireUser
 from openedx.core.djangoapps.user_api.models import UserRetirementStatus
 from openedx.core.djangoapps.user_api.preferences.api import update_email_opt_in
 from openedx.core.djangoapps.course_groups.cohorts import add_user_to_cohort, get_cohort_by_name, CourseUserGroup
-from openedx.core.lib.api.authentication import (
- OAuth2AuthenticationAllowInactiveUser,
- SessionAuthenticationAllowInactiveUser
-)
+from openedx.core.lib.api.authentication import OAuth2AuthenticationAllowInactiveUser
 from openedx.core.lib.api.permissions import ApiKeyHeaderPermission, ApiKeyHeaderPermissionIsAuthenticated
 from openedx.core.lib.exceptions import CourseNotFoundError
 from openedx.core.lib.log_utils import audit_log
diff --git a/common/djangoapps/third_party_auth/api/views.py b/common/djangoapps/third_party_auth/api/views.py
index e5effe7f30..b631d71204 100644
--- a/common/djangoapps/third_party_auth/api/views.py
+++ b/common/djangoapps/third_party_auth/api/views.py
@@ -4,6 +4,7 @@ Third Party Auth REST API views
 from django.contrib.auth.models import User
 from django.db.models import Q
 from django.http import Http404
+from edx_rest_framework_extensions.authentication import SessionAuthenticationAllowInactiveUser
 from rest_framework import exceptions, status
 from rest_framework.generics import ListAPIView
 from rest_framework.response import Response
@@ -11,10 +12,7 @@ from rest_framework.views import APIView from rest_framework_oauth.authentication import OAuth2Authentication from social_django.models import UserSocialAuth -from openedx.core.lib.api.authentication import ( - OAuth2AuthenticationAllowInactiveUser, - SessionAuthenticationAllowInactiveUser -) +from openedx.core.lib.api.authentication import OAuth2AuthenticationAllowInactiveUser from openedx.core.lib.api.permissions import ApiKeyHeaderPermission from third_party_auth import pipeline from third_party_auth.api import serializers
diff --git a/lms/djangoapps/badges/api/views.py b/lms/djangoapps/badges/api/views.py
index 32cb47e093..ece3167a52 100644
--- a/lms/djangoapps/badges/api/views.py
+++ b/lms/djangoapps/badges/api/views.py
@@ -1,6 +1,7 @@
 """
 API views for badges
 """
+from edx_rest_framework_extensions.authentication import SessionAuthenticationAllowInactiveUser
 from opaque_keys import InvalidKeyError
 from opaque_keys.edx.django.models import CourseKeyField
 from opaque_keys.edx.keys import CourseKey
@@ -9,10 +10,7 @@ from rest_framework.exceptions import APIException from badges.models import BadgeAssertion from openedx.core.djangoapps.user_api.permissions import is_field_shared_factory -from openedx.core.lib.api.authentication import ( - OAuth2AuthenticationAllowInactiveUser, - SessionAuthenticationAllowInactiveUser -) +from openedx.core.lib.api.authentication import OAuth2AuthenticationAllowInactiveUser from .serializers import BadgeAssertionSerializer
diff --git a/lms/djangoapps/ccx/api/v0/views.py b/lms/djangoapps/ccx/api/v0/views.py
index 5cb6513645..de5e1d7dce 100644
--- a/lms/djangoapps/ccx/api/v0/views.py
+++ b/lms/djangoapps/ccx/api/v0/views.py
@@ -9,7 +9,7 @@ from ccx_keys.locator import CCXLocator
 from django.contrib.auth.models import User
 from django.db import transaction
 from django.http import Http404
-from edx_rest_framework_extensions.authentication import JwtAuthentication
+from edx_rest_framework_extensions.authentication import JwtAuthentication, SessionAuthenticationAllowInactiveUser
 from opaque_keys import InvalidKeyError
 from opaque_keys.edx.keys import CourseKey, UsageKey
 from rest_framework import status
@@ -355,7 +355,7 @@ class CCXListView(GenericAPIView):
 authentication_classes = (
 JwtAuthentication,
 authentication.OAuth2AuthenticationAllowInactiveUser,
- authentication.SessionAuthenticationAllowInactiveUser,
+ SessionAuthenticationAllowInactiveUser,
 )
 permission_classes = (IsAuthenticated, permissions.IsMasterCourseStaffInstructor)
 serializer_class = CCXCourseSerializer
@@ -611,7 +611,7 @@ class CCXDetailView(GenericAPIView):
 authentication_classes = (
 JwtAuthentication,
 authentication.OAuth2AuthenticationAllowInactiveUser,
- authentication.SessionAuthenticationAllowInactiveUser,
+ SessionAuthenticationAllowInactiveUser,
 )
 permission_classes = (IsAuthenticated, permissions.IsCourseStaffInstructor)
 serializer_class = CCXCourseSerializer
diff --git a/lms/djangoapps/certificates/apis/v0/views.py b/lms/djangoapps/certificates/apis/v0/views.py
index 565f86244b..21874dda23 100644
--- a/lms/djangoapps/certificates/apis/v0/views.py
+++ b/lms/djangoapps/certificates/apis/v0/views.py
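Review bot: In `CCXListView.authentication_classes` the `+` line names `SessionAuthenticationAllowInactiveUser` bare while the entry just above it still goes through the `authentication.` module alias (`authentication.OAuth2AuthenticationAllowInactiveUser`, presumably `openedx.core.lib.api.authentication`, imported outside the hunk), so two sibling classes in one tuple are now referenced in two styles; the `CCXDetailView` hunk has the same mix. Importing `OAuth2AuthenticationAllowInactiveUser` by name, as the other view modules in this commit do, would let both tuples read uniformly, e.g. `from openedx.core.lib.api.authentication import OAuth2AuthenticationAllowInactiveUser` with the tuple entry becoming `OAuth2AuthenticationAllowInactiveUser,`. Both class definitions begin before and continue past their hunks.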
@@ -5,14 +5,11 @@ from rest_framework.generics import GenericAPIView from rest_framework.response import Response from edx_rest_framework_extensions import permissions -from edx_rest_framework_extensions.authentication import JwtAuthentication +from edx_rest_framework_extensions.authentication import JwtAuthentication, SessionAuthenticationAllowInactiveUser from lms.djangoapps.certificates.api import get_certificate_for_user from opaque_keys import InvalidKeyError from opaque_keys.edx.keys import CourseKey -from openedx.core.lib.api.authentication import ( - OAuth2AuthenticationAllowInactiveUser, - SessionAuthenticationAllowInactiveUser -) +from openedx.core.lib.api.authentication import OAuth2AuthenticationAllowInactiveUser log = logging.getLogger(__name__)
diff --git a/lms/djangoapps/experiments/views.py b/lms/djangoapps/experiments/views.py
index a22f66b39e..ccbc4f9797 100644
--- a/lms/djangoapps/experiments/views.py
+++ b/lms/djangoapps/experiments/views.py
@@ -1,7 +1,7 @@
 from django.contrib.auth import get_user_model
 from django.db import transaction
 from django_filters.rest_framework import DjangoFilterBackend
-from edx_rest_framework_extensions.authentication import JwtAuthentication
+from edx_rest_framework_extensions.authentication import JwtAuthentication, SessionAuthenticationAllowInactiveUser
 from rest_framework import permissions, viewsets
 from rest_framework.decorators import list_route
 from rest_framework.response import Response
@@ -9,7 +9,6 @@ from rest_framework.response import Response from experiments import filters, serializers from experiments.models import ExperimentData, ExperimentKeyValue from experiments.permissions import IsStaffOrOwner, IsStaffOrReadOnly -from openedx.core.lib.api.authentication import SessionAuthenticationAllowInactiveUser from openedx.core.djangoapps.cors_csrf.authentication import SessionAuthenticationCrossDomainCsrf User = get_user_model() # pylint: disable=invalid-name
diff --git a/lms/djangoapps/grades/api/v1/views.py b/lms/djangoapps/grades/api/v1/views.py
index 87aa3c12fd..9d05b2cfd3 100644
--- a/lms/djangoapps/grades/api/v1/views.py
+++ b/lms/djangoapps/grades/api/v1/views.py
@@ -8,16 +8,13 @@ from rest_framework.generics import GenericAPIView from rest_framework.response import Response from edx_rest_framework_extensions import permissions -from edx_rest_framework_extensions.authentication import JwtAuthentication +from edx_rest_framework_extensions.authentication import JwtAuthentication, SessionAuthenticationAllowInactiveUser from enrollment import data as enrollment_data from lms.djangoapps.grades.course_grade_factory import CourseGradeFactory from opaque_keys import InvalidKeyError from opaque_keys.edx.keys import CourseKey from openedx.core.djangoapps.content.course_overviews.models import CourseOverview -from openedx.core.lib.api.authentication import ( - OAuth2AuthenticationAllowInactiveUser, - SessionAuthenticationAllowInactiveUser -) +from openedx.core.lib.api.authentication import OAuth2AuthenticationAllowInactiveUser from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin from student.models import CourseEnrollment
diff --git a/openedx/core/djangoapps/profile_images/views.py b/openedx/core/djangoapps/profile_images/views.py
index a907f34f7a..52a2ef66d2 100644
--- a/openedx/core/djangoapps/profile_images/views.py
+++ b/openedx/core/djangoapps/profile_images/views.py
@@ -8,6 +8,7 @@ from contextlib import closing from pytz import UTC from django.utils.translation import ugettext as _ +from edx_rest_framework_extensions.authentication import SessionAuthenticationAllowInactiveUser from rest_framework import permissions, status from rest_framework.parsers import FormParser, MultiPartParser from rest_framework.response import Response
@@ -16,10 +17,7 @@ from six import text_type from openedx.core.djangoapps.user_api.accounts.image_helpers import get_profile_image_names, set_has_profile_image from openedx.core.djangoapps.user_api.errors import UserNotFound -from openedx.core.lib.api.authentication import ( - OAuth2AuthenticationAllowInactiveUser, - SessionAuthenticationAllowInactiveUser -) +from openedx.core.lib.api.authentication import OAuth2AuthenticationAllowInactiveUser from openedx.core.lib.api.parsers import TypedFileUploadParser from openedx.core.lib.api.permissions import IsUserInUrl from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin
diff --git a/openedx/core/djangoapps/user_api/accounts/views.py b/openedx/core/djangoapps/user_api/accounts/views.py
index da924c29a8..4dd254363a 100644
--- a/openedx/core/djangoapps/user_api/accounts/views.py
+++ b/openedx/core/djangoapps/user_api/accounts/views.py
@@ -17,7 +17,7 @@ from django.db import transaction
 from django.utils.translation import ugettext as _
 from edx_ace import ace
 from edx_ace.recipient import Recipient
-from edx_rest_framework_extensions.authentication import JwtAuthentication
+from edx_rest_framework_extensions.authentication import JwtAuthentication, SessionAuthenticationAllowInactiveUser
 from enterprise.models import EnterpriseCourseEnrollment, EnterpriseCustomerUser, PendingEnterpriseCustomerUser
 from integrated_channels.degreed.models import DegreedLearnerDataTransmissionAudit
 from integrated_channels.sap_success_factors.models import SapSuccessFactorsLearnerDataTransmissionAudit
@@ -41,10 +41,7 @@ from openedx.core.djangoapps.course_groups.models import UnregisteredLearnerCoho
 from openedx.core.djangoapps.profile_images.images import remove_profile_images
 from openedx.core.djangoapps.user_api.accounts.image_helpers import get_profile_image_names, set_has_profile_image
 from openedx.core.djangolib.oauth2_retirement_utils import retire_dot_oauth2_models, retire_dop_oauth2_models
-from openedx.core.lib.api.authentication import (
- OAuth2AuthenticationAllowInactiveUser,
- SessionAuthenticationAllowInactiveUser
-)
+from openedx.core.lib.api.authentication import OAuth2AuthenticationAllowInactiveUser
 from openedx.core.lib.api.parsers import MergePatchParser
 from student.models import (
 CourseEnrollment,
diff --git a/openedx/core/djangoapps/user_api/preferences/views.py b/openedx/core/djangoapps/user_api/preferences/views.py
index 956ed291b0..227b4fd776 100644
--- a/openedx/core/djangoapps/user_api/preferences/views.py
+++ b/openedx/core/djangoapps/user_api/preferences/views.py
@@ -11,11 +11,9 @@ from rest_framework import permissions from django.db import transaction from django.utils.translation import ugettext as _ +from edx_rest_framework_extensions.authentication import SessionAuthenticationAllowInactiveUser -from openedx.core.lib.api.authentication import ( - SessionAuthenticationAllowInactiveUser, - OAuth2AuthenticationAllowInactiveUser, -) +from openedx.core.lib.api.authentication import OAuth2AuthenticationAllowInactiveUser from openedx.core.lib.api.parsers import MergePatchParser from openedx.core.lib.api.permissions import IsUserInUrlOrStaff from ..errors import UserNotFound, UserNotAuthorized, PreferenceValidationError, PreferenceUpdateError
diff --git a/openedx/core/djangoapps/user_api/views.py b/openedx/core/djangoapps/user_api/views.py
index e505d6154d..e5a175f59b 100644
--- a/openedx/core/djangoapps/user_api/views.py
+++ b/openedx/core/djangoapps/user_api/views.py
@@ -17,6 +17,7 @@ from six import text_type import accounts from django_comment_common.models import Role +from edx_rest_framework_extensions.authentication import SessionAuthenticationAllowInactiveUser from opaque_keys import InvalidKeyError from opaque_keys.edx import locator from opaque_keys.edx.keys import CourseKey
@@ -32,7 +33,6 @@ from openedx.core.djangoapps.user_api.preferences.api import get_country_time_zo
 from openedx.core.djangoapps.user_api.serializers import CountryTimeZoneSerializer, UserPreferenceSerializer, UserSerializer
 from openedx.core.djangoapps.user_authn.cookies import set_logged_in_cookies
 from openedx.core.djangoapps.user_authn.views.register import create_account_with_params
-from openedx.core.lib.api.authentication import SessionAuthenticationAllowInactiveUser
 from openedx.core.lib.api.permissions import ApiKeyHeaderPermission
 from student.helpers import AccountValidationError
 from util.json_request import JsonResponse
diff --git a/openedx/core/lib/api/authentication.py b/openedx/core/lib/api/authentication.py
index 4cf4c90828..ee94115a21 100644
--- a/openedx/core/lib/api/authentication.py
+++ b/openedx/core/lib/api/authentication.py
@@ -20,53 +20,6 @@ OAUTH2_TOKEN_ERROR_NOT_PROVIDED = u'token_not_provided' log = logging.getLogger(__name__) -class SessionAuthenticationAllowInactiveUser(SessionAuthentication): - """Ensure that the user is logged in, but do not require the account to be active. - - We use this in the special case that a user has created an account, - but has not yet activated it. We still want to allow the user to - enroll in courses, so we remove the usual restriction - on session authentication that requires an active account. - - You should use this authentication class ONLY for end-points that - it's safe for an un-activated user to access. For example, - we can allow a user to update his/her own enrollments without - activating an account. - - """ - def authenticate(self, request): - """Authenticate the user, requiring a logged-in account and CSRF. - - This is exactly the same as the `SessionAuthentication` implementation, - with the `user.is_active` check removed. - - Args: - request (HttpRequest) - - Returns: - Tuple of `(user, token)` - - Raises: - PermissionDenied: The CSRF token check failed. - - """ - # Get the underlying HttpRequest object - request = request._request # pylint: disable=protected-access - user = getattr(request, 'user', None) - - # Unauthenticated, CSRF validation not required - # This is where regular `SessionAuthentication` checks that the user is active. - # We have removed that check in this implementation. - # But we added a check to prevent anonymous users since we require a logged-in account. - if not user or user.is_anonymous: - return None - - self.enforce_csrf(request) - - # CSRF passed with authenticated user - return (user, None) - - class OAuth2AuthenticationAllowInactiveUser(OAuth2Authentication): """ This is a temporary workaround while the is_active field on the user is coupled
diff --git a/openedx/core/lib/api/view_utils.py b/openedx/core/lib/api/view_utils.py
index 8fa53c279a..ce227df0e3 100644
--- a/openedx/core/lib/api/view_utils.py
+++ b/openedx/core/lib/api/view_utils.py
@@ -4,7 +4,7 @@ Utilities related to API views
 from django.core.exceptions import NON_FIELD_ERRORS, ObjectDoesNotExist, ValidationError
 from django.http import Http404
 from django.utils.translation import ugettext as _
-from edx_rest_framework_extensions.authentication import JwtAuthentication
+from edx_rest_framework_extensions.authentication import JwtAuthentication, SessionAuthenticationAllowInactiveUser
 from rest_framework import status
 from rest_framework.exceptions import APIException
 from rest_framework.generics import GenericAPIView
@@ -14,10 +14,7 @@ from rest_framework.request import clone_request from rest_framework.response import Response from six import text_type -from openedx.core.lib.api.authentication import ( - OAuth2AuthenticationAllowInactiveUser, - SessionAuthenticationAllowInactiveUser -) +from openedx.core.lib.api.authentication import OAuth2AuthenticationAllowInactiveUser from openedx.core.lib.api.permissions import IsUserInUrl
diff --git a/requirements/edx/base.txt b/requirements/edx/base.txt
index ba133c4977..4cc9699ebb 100644
--- a/requirements/edx/base.txt
+++ b/requirements/edx/base.txt
@@ -117,7 +117,7 @@ edx-django-oauth2-provider==1.3.5
 edx-django-release-util==0.3.1
 edx-django-sites-extensions==2.3.1
 edx-django-utils==1.0.1
-edx-drf-extensions==1.9.0
+edx-drf-extensions==1.10.0
 edx-enterprise==0.73.5
 edx-i18n-tools==0.4.6
 edx-milestones==0.1.13
diff --git a/requirements/edx/development.txt b/requirements/edx/development.txt
index ed4dd027d7..b0a7cc5868 100644
--- a/requirements/edx/development.txt
+++ b/requirements/edx/development.txt
@@ -136,7 +136,7 @@ edx-django-oauth2-provider==1.3.5
 edx-django-release-util==0.3.1
 edx-django-sites-extensions==2.3.1
 edx-django-utils==1.0.1
-edx-drf-extensions==1.9.0
+edx-drf-extensions==1.10.0
 edx-enterprise==0.73.5
 edx-i18n-tools==0.4.6
 edx-lint==0.5.5
diff --git a/requirements/edx/testing.txt b/requirements/edx/testing.txt
index 45565adfa7..9a93c8e3b9 100644
--- a/requirements/edx/testing.txt
+++ b/requirements/edx/testing.txt
@@ -131,7 +131,7 @@ edx-django-oauth2-provider==1.3.5
 edx-django-release-util==0.3.1
 edx-django-sites-extensions==2.3.1
 edx-django-utils==1.0.1
-edx-drf-extensions==1.9.0
+edx-drf-extensions==1.10.0
 edx-enterprise==0.73.5
 edx-i18n-tools==0.4.6
 edx-lint==0.5.5