api: restrict API to authenticated admin users (fixes #31828)
The GET federation endpoint keeps its own custom authentication, based on the API keys defined in settings, so it declares no permission classes at all and is left out of the new admin-only default.
This commit is contained in:
parent
c05abeb6d3
commit
6d72fb60b1
@ -277,11 +277,22 @@ def admin(db):
@pytest.fixture
|
||||
def app(request):
|
||||
def app(request, admin):
|
||||
wtm = django_webtest.WebTestMixin()
|
||||
wtm._patch_settings()
|
||||
request.addfinalizer(wtm._unpatch_settings)
|
||||
return django_webtest.DjangoTestApp(extra_environ={'HTTP_HOST': 'localhost'})
|
||||
app = django_webtest.DjangoTestApp(extra_environ={'HTTP_HOST': 'localhost'})
|
||||
app.authorization = ('Basic', ('admin', 'admin'))
|
||||
return app
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
def app_noauth(request, admin):
|
||||
wtm = django_webtest.WebTestMixin()
|
||||
wtm._patch_settings()
|
||||
request.addfinalizer(wtm._unpatch_settings)
|
||||
app = django_webtest.DjangoTestApp(extra_environ={'HTTP_HOST': 'localhost'})
|
||||
return app
|
||||
|
||||
|
||||
@pytest.fixture
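Review bot: The new `app` fixture repeats the whole WebTestMixin setup of `app_noauth`, and the Basic credentials `('admin', 'admin')` are hard-coded on their own, apart from the `admin` fixture that presumably creates that user. Building one fixture on the other removes the duplication and keeps them in step: `def app(app_noauth): app_noauth.authorization = ('Basic', ('admin', 'admin')); return app_noauth`. If the `admin` fixture exposes the user or password it created, prefer that over the literal so a changed test password breaks in exactly one place. The `admin` fixture itself (`def admin(db)` in the hunk header) starts before this hunk.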
@ -68,7 +68,7 @@ def test_person_search_api(app, db, rsu):
assert any(data['id'] == rsu[0].id for data in response.json['data'])
|
||||
|
||||
|
||||
def test_create_individu(settings, transactional_db, app, rsu_schema):
|
||||
def test_create_individu(settings, transactional_db, app, app_noauth, rsu_schema):
|
||||
|
||||
def get_reseau(identifier):
|
||||
reseau_url = reverse('rsu-api-reseau', kwargs={
|
||||
|
@ -792,7 +792,7 @@ def test_create_individu(settings, transactional_db, app, rsu_schema):
|
||||
# test obtention de clés de fédération
|
||||
def get_federation(uuid, **kwargs):
|
||||
return app.get('/rsu/individu/%s/federation/technocarte/' % uuid, **kwargs).json
|
||||
return app_noauth.get('/rsu/individu/%s/federation/technocarte/' % uuid, **kwargs).json
|
||||
first = Entity.objects.get(id=first_id)
|
||||
first.content['cles_de_federation']['authentic'] = 'abcd'
|
||||
first.save()
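Review bot: Pointing `get_federation` at `app_noauth` only shows that the federation endpoint still answers without Basic auth; nothing in the test checks the other direction, that an unauthenticated client is now rejected by the endpoints falling under the new `IsAdminUser` default, or that the federation endpoint refuses a missing or wrong API key. Add one negative request per side, e.g. `app_noauth.get(<one of the admin-only URLs this test already hits>, status=401)` (DRF answers 401 when `BasicAuthentication` is listed first, 403 otherwise — pin whichever the app actually returns) and a `get_federation(uuid, ...)` call with an invalid key asserting the view's rejection status. Without these, a regression that drops the new default permission would still pass this test. `test_create_individu` begins and ends outside this hunk.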
@ -187,8 +187,11 @@ LOGGING = {
# Rest Framework
|
||||
REST_FRAMEWORK = {
|
||||
# 'EXCEPTION_HANDLER': 'zoo.utils.rest_exception_handler',
|
||||
'DEFAULT_AUTHENTICATION_CLASSES': (),
|
||||
'DEFAULT_PERMISSION_CLASSES': (),
|
||||
'DEFAULT_AUTHENTICATION_CLASSES': (
|
||||
'rest_framework.authentication.BasicAuthentication',
|
||||
'rest_framework.authentication.SessionAuthentication',
|
||||
),
|
||||
'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.IsAdminUser',),
|
||||
}
|
||||
|
||||
ZOO_NANTERRE_APPLICATIONS = {
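Review bot: `IsAdminUser` gates on `user.is_staff`, not on superuser status, so any account flagged staff — typically for the Django admin site — now gets the whole API; and `BasicAuthentication` resends the password on every request, so the restriction only holds if TLS is terminated in front of the app. Both are worth recording next to the setting so the next reader does not assume "admin" means superuser: `# IsAdminUser checks is_staff: every staff account gets full API access. Basic auth sends the password on each request: TLS required.`. The commented-out `'EXCEPTION_HANDLER'` line survived the edit and can be dropped.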
@ -1464,6 +1464,8 @@ suppression_individu = SuppressionIndividu.as_view()
|
||||
|
||||
class Federation(IndividuViewMixin, APIView):
|
||||
permission_classes = ()
|
||||
|
||||
def get(self, request, identifier, application, format=None):
|
||||
app_dfn = utils.get_application(application)
|
||||
if not app_dfn:
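Review bot: `permission_classes = ()` opts this view out of the new `IsAdminUser` default without saying why, and the API-key check the commit message refers to is not visible in this hunk, so a later reader sees what looks like an open endpoint. A one-line comment on the attribute should name the real gate: `permission_classes = ()  # access is gated by the per-application API key checked in get(), not by the default IsAdminUser`. If the key is meant to be the only credential here, consider also `authentication_classes = ()`, since with `BasicAuthentication` still in the defaults a stale or malformed `Authorization: Basic` header would turn a valid-key request into a 401 before `get()` runs. The body of `get()` continues past this hunk.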