api: restrict API to authenticated admin users (fixes #31828)

It pays attention to custom authentication on the get federation endpoint based on apikeys defined in settings, this endpoint has no permission at all.
2019-03-28 17:06:48 +01:00 · 2019-03-28 17:06:48 +01:00 · 6d72fb60b1
parent c05abeb6d3
commit 6d72fb60b1
4 changed files with 22 additions and 6 deletions
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -277,11 +277,22 @@ def admin(db):


@pytest.fixture
-def app(request):
+def app(request, admin):
    wtm = django_webtest.WebTestMixin()
    wtm._patch_settings()
    request.addfinalizer(wtm._unpatch_settings)
-    return django_webtest.DjangoTestApp(extra_environ={'HTTP_HOST': 'localhost'})
+    app = django_webtest.DjangoTestApp(extra_environ={'HTTP_HOST': 'localhost'})
+    app.authorization = ('Basic', ('admin', 'admin'))
+    return app
+
+
+@pytest.fixture
+def app_noauth(request, admin):
+    wtm = django_webtest.WebTestMixin()
+    wtm._patch_settings()
+    request.addfinalizer(wtm._unpatch_settings)
+    app = django_webtest.DjangoTestApp(extra_environ={'HTTP_HOST': 'localhost'})
+    return app


@pytest.fixture
--- a/tests/test_nanterre.py
+++ b/tests/test_nanterre.py
@ -68,7 +68,7 @@ def test_person_search_api(app, db, rsu):
    assert any(data['id'] == rsu[0].id for data in response.json['data'])


-def test_create_individu(settings, transactional_db, app, rsu_schema):
+def test_create_individu(settings, transactional_db, app, app_noauth, rsu_schema):

    def get_reseau(identifier):
        reseau_url = reverse('rsu-api-reseau', kwargs={
@ -792,7 +792,7 @@ def test_create_individu(settings, transactional_db, app, rsu_schema):

    # test obtention de clés de fédération
    def get_federation(uuid, **kwargs):
-        return app.get('/rsu/individu/%s/federation/technocarte/' % uuid, **kwargs).json
+        return app_noauth.get('/rsu/individu/%s/federation/technocarte/' % uuid, **kwargs).json
    first = Entity.objects.get(id=first_id)
    first.content['cles_de_federation']['authentic'] = 'abcd'
    first.save()
--- a/zoo/settings.py
+++ b/zoo/settings.py
@ -187,8 +187,11 @@ LOGGING = {
 # Rest Framework
 REST_FRAMEWORK = {
    # 'EXCEPTION_HANDLER': 'zoo.utils.rest_exception_handler',
-    'DEFAULT_AUTHENTICATION_CLASSES': (),
-    'DEFAULT_PERMISSION_CLASSES': (),
+    'DEFAULT_AUTHENTICATION_CLASSES': (
+        'rest_framework.authentication.BasicAuthentication',
+        'rest_framework.authentication.SessionAuthentication',
+    ),
+    'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.IsAdminUser',),
 }

 ZOO_NANTERRE_APPLICATIONS = {
--- a/zoo/zoo_nanterre/api_views.py
+++ b/zoo/zoo_nanterre/api_views.py
@ -1464,6 +1464,8 @@ suppression_individu = SuppressionIndividu.as_view()


 class Federation(IndividuViewMixin, APIView):
+    permission_classes = ()
+
    def get(self, request, identifier, application, format=None):
        app_dfn = utils.get_application(application)
        if not app_dfn: