diff --git a/lms/djangoapps/course_home_api/dates/v1/tests/test_views.py b/lms/djangoapps/course_home_api/dates/v1/tests/test_views.py index 7d103551fd..467a6492d9 100644 --- a/lms/djangoapps/course_home_api/dates/v1/tests/test_views.py +++ b/lms/djangoapps/course_home_api/dates/v1/tests/test_views.py @@ -48,7 +48,7 @@ class DatesTabTestViews(BaseCourseHomeTests): def test_get_unauthenticated_user(self): self.client.logout() response = self.client.get(self.url) - self.assertEqual(response.status_code, 403) + self.assertEqual(response.status_code, 401) @COURSE_HOME_MICROFRONTEND.override(active=True) @COURSE_HOME_MICROFRONTEND_DATES_TAB.override(active=True) diff --git a/lms/djangoapps/course_home_api/dates/v1/views.py b/lms/djangoapps/course_home_api/dates/v1/views.py index 2f67db1f7e..27e651873e 100644 --- a/lms/djangoapps/course_home_api/dates/v1/views.py +++ b/lms/djangoapps/course_home_api/dates/v1/views.py @@ -8,6 +8,8 @@ from rest_framework.permissions import IsAuthenticated from rest_framework.response import Response from edx_django_utils import monitoring as monitoring_utils +from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication +from edx_rest_framework_extensions.auth.session.authentication import SessionAuthenticationAllowInactiveUser from opaque_keys.edx.keys import CourseKey from lms.djangoapps.courseware.access import has_access @@ -17,6 +19,7 @@ from lms.djangoapps.courseware.date_summary import TodaysDate, verified_upgrade_ from lms.djangoapps.courseware.masquerade import setup_masquerade from lms.djangoapps.course_home_api.dates.v1.serializers import DatesTabSerializer from lms.djangoapps.course_home_api.toggles import course_home_mfe_dates_tab_is_active +from openedx.core.lib.api.authentication import BearerAuthenticationAllowInactiveUser from openedx.features.course_experience.utils import dates_banner_should_display from openedx.features.content_type_gating.models import ContentTypeGatingConfig @@ -52,10 +55,15 @@ class DatesTabView(RetrieveAPIView): **Returns** * 200 on success with above fields. - * 403 if the user is not authenticated. + * 401 if the user is not authenticated. * 404 if the course is not available or cannot be seen. """ + authentication_classes = ( + JwtAuthentication, + BearerAuthenticationAllowInactiveUser, + SessionAuthenticationAllowInactiveUser, + ) permission_classes = (IsAuthenticated,) serializer_class = DatesTabSerializer diff --git a/openedx/features/course_experience/api/v1/tests/test_views.py b/openedx/features/course_experience/api/v1/tests/test_views.py index adcf340aa0..4185ab7a41 100644 --- a/openedx/features/course_experience/api/v1/tests/test_views.py +++ b/openedx/features/course_experience/api/v1/tests/test_views.py @@ -29,3 +29,8 @@ class ResetCourseDeadlinesViewTests(BaseCourseHomeTests): reverse('course-experience-reset-course-deadlines'), {'course_key': self.course.id, 'invalid': 'value'} ) self.assertEqual(response.status_code, 400) + + def test_post_unauthenticated_user(self): + self.client.logout() + response = self.client.post(reverse('course-experience-reset-course-deadlines'), {'course_key': self.course.id}) + self.assertEqual(response.status_code, 401) diff --git a/openedx/features/course_experience/api/v1/views.py b/openedx/features/course_experience/api/v1/views.py index 52871acdd4..f64ed576a4 100644 --- a/openedx/features/course_experience/api/v1/views.py +++ b/openedx/features/course_experience/api/v1/views.py @@ -1,9 +1,13 @@ -from rest_framework.decorators import api_view, permission_classes +from rest_framework.decorators import api_view, authentication_classes, permission_classes from rest_framework.exceptions import APIException, ParseError from rest_framework.permissions import IsAuthenticated from rest_framework.response import Response +from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication +from edx_rest_framework_extensions.auth.session.authentication import SessionAuthenticationAllowInactiveUser + from openedx.core.djangoapps.schedules.utils import reset_self_paced_schedule +from openedx.core.lib.api.authentication import BearerAuthenticationAllowInactiveUser class UnableToResetDeadlines(APIException): @@ -12,8 +16,11 @@ class UnableToResetDeadlines(APIException): default_code = 'unable_to_reset_deadlines' -@permission_classes((IsAuthenticated,)) @api_view(['POST']) +@authentication_classes(( + JwtAuthentication, BearerAuthenticationAllowInactiveUser, SessionAuthenticationAllowInactiveUser, +)) +@permission_classes((IsAuthenticated,)) def reset_course_deadlines(request): course_key = request.data.get('course_key', None)