def setUp(self):
super(UserManagerRoleViewsTest, self).setUp()
self.user = User.objects.create(username='******',
email='*****@*****.**',
is_staff=True)
self.user.set_password('test')
self.user.save()
self.client = APIClient()
self.client.force_authenticate(user=self.user)
self.users = list(self._create_users())
self.managers = list(self._create_managers())
for user in self.users[:5]:
UserManagerRole.objects.create(manager_user=self.managers[0],
user=user)
for user in self.users[5:]:
UserManagerRole.objects.create(manager_user=self.managers[1],
user=user)
UserManagerRole.objects.create(manager_user=self.managers[1],
user=self.users[0])
patcher = patch.object(ManagerViewMixin,
'get_authenticators',
return_value=[SessionAuthentication()])
patcher.start()
self.addCleanup(patcher.__exit__, None, None, None)
def login(self, request, *args, **kwargs):
# django-rest-framework doesn't do this for logged out requests
SessionAuthentication().enforce_csrf(request)
if request.user.is_authenticated:
raise ParseError(_('Log out first.'))
data = get_api_post_data(request)
if 'token' in data:
try:
token = Token.get_by_token(data['token'])
except Token.DoesNotExist:
raise PermissionDenied(_('This token does not exist or is no longer valid.'))
user = token.user
elif 'username' in data:
form = AuthenticationForm(request, data=data)
if not form.is_valid():
raise ParseError(form.errors)
user = form.user_cache
else:
raise ParseError(_('You need to send a token or username and password.'))
login(request, user)
return Response({
'detail': _('Login successful.'),
'csrf_token': csrf.get_token(request),
})
def get(self, request):
rest_request = Request(request)
try:
user_token = TokenAuthentication().authenticate(rest_request)
if user_token is None:
raise AuthenticationFailed
user, token = user_token
except AuthenticationFailed:
try:
user_session = SessionAuthentication().authenticate(
rest_request)
if user_session is None:
raise AuthenticationFailed
user, _ = user_session
if not user.has_perm('base.consume_curriculum'):
raise AuthenticationFailed
token, _ = Token.objects.get_or_create(user=user)
except AuthenticationFailed:
return JsonResponse({
'authenticated': False,
})
socialuser = SocialUser.user_for_django_user(user.id)
return JsonResponse({
'authenticated': True,
'preferencesInitialized': socialuser.has_initialized_preferences,
'token': token.key,
})
def get_direct_queryset(cls, request, **initkwargs):
"""
TODO: Temporary until a better way is found
"""
self = cls(**initkwargs)
request = Request(request, authenticators=(BasicAuthentication(), SessionAuthentication()))
self.request = request
return self.get_queryset()
def deactivate(self, request, *args, **kwargs):
# django-rest-framework doesn't automatically do this for logged out requests
SessionAuthentication().enforce_csrf(request)
request.session.pop('changeset', None)
request.session['direct_editing'] = False
return Response({
'success': True,
})
class AuthFsDavView(RestAuthViewMixIn, DavView):
"""
Special View providing Authentication for our Webdav Resource
"""
authentications = (CachedBasicAuthentication(), SessionAuthentication())
@method_decorator(csrf_exempt)
@transaction.atomic
def dispatch(self, request, *args, **kwargs):
drive = kwargs.get('drive', None)
if 'path' not in kwargs:
kwargs['path'] = ""
if drive:
drive = Drive.objects.filter(pk=drive).first()
# check that the drive exists
if not drive:
raise Http404
# temporarily raise a 404 if the drive is a DSS drive
if drive.is_dss_drive:
raise Http404
# ToDo: We need to do a permission check here, but request.user is not set here, as it gets set
# ToDo: in the dispatch method of the super class
# ToDo: However, collection_model_qs() should not return any directories, if they are not viewable
request.drive = drive
del kwargs['drive']
project = kwargs.get('project', None)
if project:
project = Project.objects.filter(pk=project).first()
if not project:
raise Http404
request.project = project
del kwargs['project']
if 'drive_title' in kwargs:
del kwargs['drive_title']
if 'project_title' in kwargs:
del kwargs['project_title']
# continue
return super(AuthFsDavView, self).dispatch(request, *args, **kwargs)
def logout(self, request, *args, **kwargs):
# django-rest-framework doesn't do this for logged out requests
SessionAuthentication().enforce_csrf(request)
if not request.user.is_authenticated:
return ParseError(_('Not logged in.'))
logout(request)
return Response({
'detail': _('Logout successful.'),
'csrf_token': csrf.get_token(request),
})
def setUp(self):
super(CompletionBlockUpdateViewTestCase, self).setUp()
self.test_user = User.objects.create(username='******')
self.staff_user = User.objects.create(username='******', is_staff=True)
self.test_enrollment = self.create_enrollment(
user=self.test_user,
course_id=self.course_key,
)
self.blocks = [
self.course_key.make_usage_key('course', 'course'),
self.course_key.make_usage_key('sequential', 'course-sequence1'),
self.course_key.make_usage_key('sequential', 'course-sequence2'),
self.course_key.make_usage_key('html', 'course-sequence1-html1'),
self.course_key.make_usage_key('html', 'course-sequence1-html2'),
self.course_key.make_usage_key('html', 'course-sequence1-html3'),
self.course_key.make_usage_key('html', 'course-sequence1-html4'),
self.course_key.make_usage_key('html', 'course-sequence1-html5'),
self.course_key.make_usage_key('html', 'course-sequence2-html6'),
self.course_key.make_usage_key('html', 'course-sequence2-html7'),
self.course_key.make_usage_key('html', 'course-sequence2-html8'),
]
compat = StubCompat(self.blocks)
for compat_import in (
'completion_aggregator.api.common.compat',
'completion_aggregator.api.v0.views.compat',
'completion_aggregator.serializers.compat',
'completion_aggregator.core.compat',
):
patcher = patch(compat_import, compat)
patcher.start()
self.addCleanup(patcher.__exit__, None, None, None)
self.patch_object(
CompletionViewMixin,
'get_authenticators',
return_value=[OAuth2Authentication(),
SessionAuthentication()])
self.patch_object(CompletionViewMixin,
'pagination_class',
new_callable=PropertyMock,
return_value=PageNumberPagination)
self.client = APIClient()
self.client.force_authenticate(user=self.test_user)
self.update_url = reverse('completion_api_v0:blockcompletion-update',
kwargs={
'course_key':
six.text_type(self.course_key),
'block_key':
six.text_type(self.usage_key)
})
def get_token(self, request, *args, **kwargs):
# django-rest-framework doesn't do this for logged out requests
SessionAuthentication().enforce_csrf(request)
data = get_api_post_data(request)
form = AuthenticationForm(request, data=data)
if not form.is_valid():
raise ParseError(form.errors)
token = form.user_cache.login_tokens.create()
return Response({
'token': token.get_token(),
})
def direct_editing(self, request, *args, **kwargs):
# django-rest-framework doesn't automatically do this for logged out requests
SessionAuthentication().enforce_csrf(request)
if not ChangeSet.can_direct_edit(request):
raise PermissionDenied(_('You don\'t have the permission to activate direct editing.'))
changeset = ChangeSet.get_for_request(request)
if changeset.pk is not None:
raise PermissionDenied(_('You cannot activate direct editing if you have an active changeset.'))
request.session['direct_editing'] = True
return Response({
'success': True,
})
def get_authenticators(self):
if self.request.method == 'post':
return []
else:
return [SessionAuthentication(), JSONWebTokenAuthentication()]
def post_or_delete(self, request, *args, **kwargs):
# django-rest-framework doesn't automatically do this for logged out requests
SessionAuthentication().enforce_csrf(request)
return self.retrieve(request, *args, **kwargs)
def enforce_csrf(self, request):
if request.path.startswith('/api'):
return
else:
return SessionAuthentication.enforce_csrf(
CsrfExemptSessionAuthentication, request)
def get_authenticators(self) -> list:
authenticators: list = super().get_authenticators()
if getattr(self.request, 'is_internal', False):
authenticators.append(SessionAuthentication())
return authenticators
def enforce_csrf(self, request):
if getattr(request, '_basic_authenticated', False):
# This request was not authenticated by the django session security module,
# so its CSRF check will fail. Avoid.
return
_RestSessionAuthentication.enforce_csrf(self, request)
class AuthFsDavView(RestAuthViewMixIn, DavView):
authentications = (BasicAuthentication(), SessionAuthentication())
def enforce_csrf(self, request):
if request.method == 'POST' and request.path == '/api/profile/':
return
return SessionAuthentication.enforce_csrf(self, request)