Merge pull request #24424 from edx/ddumesnil/aa-226

AA-226: Adding Authentication classes to endpoints for mobile use

lms/djangoapps/course_home_api/dates/v1/tests/test_views.py

@@ -48,7 +48,7 @@ class DatesTabTestViews(BaseCourseHomeTests):
     def test_get_unauthenticated_user(self):
         self.client.logout()
         response = self.client.get(self.url)
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 401)
 
     @COURSE_HOME_MICROFRONTEND.override(active=True)
     @COURSE_HOME_MICROFRONTEND_DATES_TAB.override(active=True)

lms/djangoapps/course_home_api/dates/v1/views.py

@@ -8,6 +8,8 @@ from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 
 from edx_django_utils import monitoring as monitoring_utils
+from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
+from edx_rest_framework_extensions.auth.session.authentication import SessionAuthenticationAllowInactiveUser
 from opaque_keys.edx.keys import CourseKey
 
 from lms.djangoapps.courseware.access import has_access
@@ -17,6 +19,7 @@ from lms.djangoapps.courseware.date_summary import TodaysDate, verified_upgrade_
 from lms.djangoapps.courseware.masquerade import setup_masquerade
 from lms.djangoapps.course_home_api.dates.v1.serializers import DatesTabSerializer
 from lms.djangoapps.course_home_api.toggles import course_home_mfe_dates_tab_is_active
+from openedx.core.lib.api.authentication import BearerAuthenticationAllowInactiveUser
 from openedx.features.course_experience.utils import dates_banner_should_display
 from openedx.features.content_type_gating.models import ContentTypeGatingConfig
 
@@ -54,10 +57,15 @@ class DatesTabView(RetrieveAPIView):
     **Returns**
 
         * 200 on success with above fields.
-        * 403 if the user is not authenticated.
+        * 401 if the user is not authenticated.
         * 404 if the course is not available or cannot be seen.
     """
 
+    authentication_classes = (
+        JwtAuthentication,
+        BearerAuthenticationAllowInactiveUser,
+        SessionAuthenticationAllowInactiveUser,
+    )
     permission_classes = (IsAuthenticated,)
     serializer_class = DatesTabSerializer
 

openedx/features/course_experience/api/v1/tests/test_views.py

@@ -29,3 +29,8 @@ class ResetCourseDeadlinesViewTests(BaseCourseHomeTests):
             reverse('course-experience-reset-course-deadlines'), {'course_key': self.course.id, 'invalid': 'value'}
         )
         self.assertEqual(response.status_code, 400)
+
+    def test_post_unauthenticated_user(self):
+        self.client.logout()
+        response = self.client.post(reverse('course-experience-reset-course-deadlines'), {'course_key': self.course.id})
+        self.assertEqual(response.status_code, 401)

openedx/features/course_experience/api/v1/views.py

-from rest_framework.decorators import api_view, permission_classes
+from rest_framework.decorators import api_view, authentication_classes, permission_classes
 from rest_framework.exceptions import APIException, ParseError
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 
+from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
+from edx_rest_framework_extensions.auth.session.authentication import SessionAuthenticationAllowInactiveUser
+
 from openedx.core.djangoapps.schedules.utils import reset_self_paced_schedule
+from openedx.core.lib.api.authentication import BearerAuthenticationAllowInactiveUser
 
 
 class UnableToResetDeadlines(APIException):
@@ -12,8 +16,11 @@ class UnableToResetDeadlines(APIException):
     default_code = 'unable_to_reset_deadlines'
 
 
-@permission_classes((IsAuthenticated,))
 @api_view(['POST'])
+@authentication_classes((
+    JwtAuthentication, BearerAuthenticationAllowInactiveUser, SessionAuthenticationAllowInactiveUser,
+))
+@permission_classes((IsAuthenticated,))
 def reset_course_deadlines(request):
     course_key = request.data.get('course_key', None)