Commit b37a9866 authored by zia.fazal@arbisoft.com's avatar zia.fazal@arbisoft.com

Added global staff permission to third party auth users API

parent 90885e41
......@@ -6,6 +6,7 @@ import logging
from edx_rest_framework_extensions.auth.jwt.decoder import decode_jwt_filters
from edx_rest_framework_extensions.permissions import (
IsStaff,
IsSuperuser,
JwtHasScope,
JwtRestrictedApplication,
......@@ -51,7 +52,7 @@ class JwtHasTpaProviderFilterForRequestedProvider(BasePermission):
# TODO: Remove ApiKeyHeaderPermission. Check deprecated_api_key_header custom metric for active usage.
_NOT_JWT_RESTRICTED_TPA_PERMISSIONS = (
C(NotJwtRestrictedApplication) &
(C(IsSuperuser) | ApiKeyHeaderPermission)
(C(IsSuperuser) | ApiKeyHeaderPermission | C(IsStaff))
)
_JWT_RESTRICTED_TPA_PERMISSIONS = (
C(JwtRestrictedApplication) &
......
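Review bot: The widened disjunction on the new line, `(C(IsSuperuser) | ApiKeyHeaderPermission | C(IsStaff))`, puts the deprecated API-key check between the two user-flag checks, so a request from a staff user who is not a superuser is still evaluated against ApiKeyHeaderPermission before C(IsStaff) is reached; if that class is what feeds the deprecated_api_key_header metric named in the TODO above, this ordering would keep inflating the usage signal the TODO wants to read. Reordering to `(C(IsSuperuser) | C(IsStaff) | ApiKeyHeaderPermission)` lets both flag checks short-circuit first and leaves the deprecated path as the last resort. Keeping IsSuperuser next to IsStaff is correct, since Django's is_superuser and is_staff flags are set independently. The tuple also deserves a comment recording the widened audience, e.g. `# Any user with the global staff flag (is_staff) is accepted here, not only superusers.`, because nothing in the module states it. _JWT_RESTRICTED_TPA_PERMISSIONS starts in this hunk but continues outside it.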
......@@ -36,8 +36,8 @@ class ThirdPartyAuthPermissionTest(TestCase):
def get(self, request, provider_id=None):
return Response(data="Success")
def _create_user(self, is_superuser=False):
return UserFactory(username='this_user', is_superuser=is_superuser)
def _create_user(self, is_superuser=False, is_staff=False):
return UserFactory(username='this_user', is_superuser=is_superuser, is_staff=is_staff)
def _create_request(self, auth_header=None):
url = '/'
......@@ -56,21 +56,19 @@ class ThirdPartyAuthPermissionTest(TestCase):
response = self.SomeTpaClassView().dispatch(request)
self.assertEqual(response.status_code, 401)
def test_session_superuser_succeeds(self):
user = self._create_user(is_superuser=True)
request = self._create_request()
self._create_session(request, user)
response = self.SomeTpaClassView().dispatch(request)
self.assertEqual(response.status_code, 200)
def test_session_user_fails(self):
user = self._create_user()
@ddt.data(
(True, False, 200),
(False, True, 200),
(False, False, 403),
)
@ddt.unpack
def test_session_with_user_permission(self, is_superuser, is_staff, expected_status_code):
user = self._create_user(is_superuser=is_superuser, is_staff=is_staff)
request = self._create_request()
self._create_session(request, user)
response = self.SomeTpaClassView().dispatch(request)
self.assertEqual(response.status_code, 403)
self.assertEqual(response.status_code, expected_status_code)
@ddt.data(
# unrestricted (for example, jwt cookies)
......
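Review bot: `_create_user` now takes two independent flags in the first hunk but has no docstring saying what they control, and the parametrized cases later in the file read as bare tuples; a one-liner such as `"""Create the test user with the given Django is_superuser / is_staff flags."""` on `_create_user` would tie the test data to the flags the permission classes check. The ddt-decorated test in the second hunk and the `@ddt.data` block that follows it end outside the view, so whether a staff-only user is also exercised against the JWT-restricted permission set cannot be judged from here.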