Added global staff permission to third party auth users API

b37a9866 · zia.fazal@arbisoft.com · 90885e41 · b37a9866 · b37a9866
Commit b37a9866 authored 4 years ago by zia.fazal@arbisoft.com
--- a/common/djangoapps/third_party_auth/api/permissions.py
+++ b/common/djangoapps/third_party_auth/api/permissions.py
@@ -6,6 +6,7 @@ import logging

 from edx_rest_framework_extensions.auth.jwt.decoder import decode_jwt_filters
 from edx_rest_framework_extensions.permissions import (
+    IsStaff,
    IsSuperuser,
    JwtHasScope,
    JwtRestrictedApplication,
@@ -51,7 +52,7 @@ class JwtHasTpaProviderFilterForRequestedProvider(BasePermission):
 # TODO: Remove ApiKeyHeaderPermission. Check deprecated_api_key_header custom metric for active usage.
 _NOT_JWT_RESTRICTED_TPA_PERMISSIONS = (
    C(NotJwtRestrictedApplication) &
-    (C(IsSuperuser) | ApiKeyHeaderPermission)
+    (C(IsSuperuser) | ApiKeyHeaderPermission | C(IsStaff))
 )
 _JWT_RESTRICTED_TPA_PERMISSIONS = (
    C(JwtRestrictedApplication) &

--- a/common/djangoapps/third_party_auth/api/tests/test_permissions.py
+++ b/common/djangoapps/third_party_auth/api/tests/test_permissions.py
@@ -36,8 +36,8 @@ class ThirdPartyAuthPermissionTest(TestCase):
        def get(self, request, provider_id=None):
            return Response(data="Success")

-    def _create_user(self, is_superuser=False):
-        return UserFactory(username='this_user', is_superuser=is_superuser)
+    def _create_user(self, is_superuser=False, is_staff=False):
+        return UserFactory(username='this_user', is_superuser=is_superuser, is_staff=is_staff)

    def _create_request(self, auth_header=None):
        url = '/'
@@ -56,21 +56,19 @@ class ThirdPartyAuthPermissionTest(TestCase):
        response = self.SomeTpaClassView().dispatch(request)
        self.assertEqual(response.status_code, 401)

-    def test_session_superuser_succeeds(self):
-        user = self._create_user(is_superuser=True)
-        request = self._create_request()
-        self._create_session(request, user)
-
-        response = self.SomeTpaClassView().dispatch(request)
-        self.assertEqual(response.status_code, 200)
-
-    def test_session_user_fails(self):
-        user = self._create_user()
+    @ddt.data(
+        (True, False, 200),
+        (False, True, 200),
+        (False, False, 403),
+    )
+    @ddt.unpack
+    def test_session_with_user_permission(self, is_superuser, is_staff, expected_status_code):
+        user = self._create_user(is_superuser=is_superuser, is_staff=is_staff)
        request = self._create_request()
        self._create_session(request, user)

        response = self.SomeTpaClassView().dispatch(request)
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, expected_status_code)

    @ddt.data(
        # unrestricted (for example, jwt cookies)