From 33e0327c62d435501652b4fee156a7261ad87ed0 Mon Sep 17 00:00:00 2001
From: Serghei Mihai
Date: Fri, 28 Oct 2016 11:11:49 +0200
Subject: [PATCH] api: fix access permissions (#13785)
---
corbo/api_views.py | 3 +++
tests/test_api.py | 35 ++++++++++++++++++++++++++---------
2 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/corbo/api_views.py b/corbo/api_views.py
index 9a5e562..0ec0b5a 100644
--- a/corbo/api_views.py
+++ b/corbo/api_views.py
@@ -23,11 +23,13 @@ from django.db import transaction
 from rest_framework.views import APIView
 from rest_framework.response import Response
+from rest_framework import permissions
 from .models import Category, Subscription, channel_choices
 class NewslettersView(APIView):
+permission_classes = (permissions.IsAuthenticated,)
 def get(self, request):
 newsletters = []
@@ -40,6 +42,7 @@ class NewslettersView(APIView):
 class SubscriptionsView(APIView):
+permission_classes = (permissions.IsAuthenticated,)
 def get_subscriptions(self, email, uuid=None):
 subscriptions = defaultdict(dict)
diff --git a/tests/test_api.py b/tests/test_api.py
index 9b4d7b7..c6bb505 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -5,6 +5,7 @@ from uuid import uuid4
 from django.core.urlresolvers import reverse
 from django.utils.http import urlencode
+from django.contrib.auth import get_user_model
 from corbo.models import Category, Announce, Broadcast, Subscription
 from corbo.models import channel_choices
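Review bot: `permission_classes = (permissions.IsAuthenticated,)` on NewslettersView, and the identical line on SubscriptionsView in the second hunk, only settle authentication; `get_subscriptions(self, email, uuid=None)` still takes the target address from the request, so any authenticated account can read or change subscriptions for any email. If the API is meant for trusted service accounts that is acceptable, but it should be written down, e.g. a class docstring on SubscriptionsView: `"""Subscription API. IsAuthenticated only: a logged-in caller may query or change any email's subscriptions, so credentials are expected to belong to trusted clients."""`. Per-view settings also leave any future APIView in this module open unless `REST_FRAMEWORK['DEFAULT_PERMISSION_CLASSES']` is set to `IsAuthenticated` in settings, which would make deny the default and these two lines redundant. Both class bodies continue outside the hunks.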
@@ -34,9 +35,20 @@ def announces():
 announces.append(a)
 return announces
-
-def test_get_newsletters(app, categories, announces):
-resp = app.get(reverse('newsletters'), status=200)
+@pytest.fixture
+def user():
+User = get_user_model()
+user = User.objects.create(username='john.doe',
+first_name=u'John', last_name=u'Doe', email='john.doe@example.net')
+user.set_password('password')
+user.save()
+return user
+
+
+def test_get_newsletters(app, categories, announces, user):
+resp = app.get(reverse('newsletters'), status=403)
+app.authorization = ('Basic', ('john.doe', 'password'))
+resp = app.get(reverse('newsletters'))
 data = resp.json
 assert data['data']
 for category in data['data']:
@@ -47,15 +59,17 @@ def test_get_newsletters(app, categories, announces):
 assert category['transports'] == [{'id': 'mailto', 'text': 'Email'}]
-def test_get_subscriptions_by_email(app, categories, announces):
+def test_get_subscriptions_by_email(app, categories, announces, user):
 resp = app.get(reverse('subscriptions'), status=403)
 foo = 'foo@example.com'
+resp = app.get(reverse('subscriptions'), {'email': foo}, status=403)
+app.authorization = ('Basic', ('john.doe', 'password'))
 for identifier, name in channel_choices[:1]:
 for category in categories:
 uri = '%s:%s' % (identifier, foo)
 subscription = Subscription.objects.create(identifier=uri, category=category)
-resp = app.get(reverse('subscriptions'), {'email': foo}, status=200)
+resp = app.get(reverse('subscriptions'), {'email': foo})
 assert 'data' in resp.json
 data = resp.json['data']
 for d in data:
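Review bot: The `user` fixture builds the account with `User.objects.create(...)` and then a separate `set_password`/`save`, which is two writes where `User.objects.create_user(username='john.doe', email='john.doe@example.net', password='password', first_name=u'John', last_name=u'Doe')` does the same in one step and hashes the password itself. The credential tuple `('Basic', ('john.doe', 'password'))` is repeated in every test in this file; a module constant next to the fixture, or a second fixture that returns an already-authorized `app`, would keep the login and the fixture's password in one place. In `test_get_newsletters` the first `resp = app.get(reverse('newsletters'), status=403)` binds a value that is overwritten on the next line; `app.get(reverse('newsletters'), status=403)` alone reads as the precondition check it is. `test_get_subscriptions_by_email` continues outside the hunk.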
@@ -65,9 +79,10 @@ def test_get_subscriptions_by_email(app, categories, announces):
 assert t['id'] == identifier
-def test_update_subscriptions(app, categories, announces):
+def test_update_subscriptions(app, categories, announces, user):
 params = urlencode({'email': 'foo@example.com', 'uuid': str(uuid4())})
+app.authorization = ('Basic', ('john.doe', 'password'))
 subscriptions_url = reverse('subscriptions') + '?' + params
 for category in categories:
 transports = []
@@ -79,7 +94,7 @@ def test_update_subscriptions(app, categories, announces):
 'transports': transports}]
 resp = app.post_json(subscriptions_url , subscriptions)
 if resp.json['data']:
-resp = app.get(subscriptions_url, status=200)
+resp = app.get(subscriptions_url)
 print resp.json['data']
 for cat in resp.json['data']:
 if cat['id'] == category_id:
@@ -87,10 +102,12 @@ def test_update_subscriptions(app, categories, announces):
 assert sub_transports == transports
-def test_delete_subscriptions(app, categories, announces):
+def test_delete_subscriptions(app, categories, announces, user):
 params = urlencode({'email': 'foo@example.com', 'uuid': str(uuid4())})
 subscriptions_url = reverse('subscriptions') + '?' + params
+resp = app.delete(subscriptions_url, status=403)
+app.authorization = ('Basic', ('john.doe', 'password'))
 resp = app.delete(subscriptions_url)
 if resp.json['data']:
-resp = app.get(subscriptions_url, status=200)
+resp = app.get(subscriptions_url)
 assert resp.json['data'] == []
-- 
2.10.1
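Review bot: `test_update_subscriptions` sets `app.authorization` right after `params` without first asserting that an unauthenticated POST is refused, whereas the GET and DELETE tests in this file each check for 403 before logging in; the write path is the one most worth covering. Moving the `app.authorization` line below `subscriptions_url` and preceding it with `app.post_json(subscriptions_url, [], status=403)` would close that gap, assuming the permission check runs before the body is parsed (it does for DRF permission classes). In `test_delete_subscriptions` the `resp` from the 403 call is overwritten two lines later, so the assignment can be dropped there as well. Both functions extend beyond the hunks shown.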