From b39aa0285b7818a321d5430c44969e83e67d7c23 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 28 Mar 2019 17:06:48 +0100
Subject: [PATCH] api: restrict API to authenticated admin users (fixes #31828)

---
 tests/conftest.py             | 6 ++++--
 zoo/settings.py               | 7 +++++--
 zoo/zoo_nanterre/api_views.py | 2 ++
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/tests/conftest.py b/tests/conftest.py
index 7d4de6d..6a181e3 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -277,11 +277,13 @@ def admin(db):
 
 
 @pytest.fixture
-def app(request):
+def app(request, admin):
     wtm = django_webtest.WebTestMixin()
     wtm._patch_settings()
     request.addfinalizer(wtm._unpatch_settings)
-    return django_webtest.DjangoTestApp(extra_environ={'HTTP_HOST': 'localhost'})
+    app = django_webtest.DjangoTestApp(extra_environ={'HTTP_HOST': 'localhost'})
+    app.authorization = ('Basic', ('admin', 'admin'))
+    return app
 
 
 @pytest.fixture
diff --git a/zoo/settings.py b/zoo/settings.py
index aa2bab6..bd4486a 100644
--- a/zoo/settings.py
+++ b/zoo/settings.py
@@ -187,8 +187,11 @@ LOGGING = {
 # Rest Framework
 REST_FRAMEWORK = {
     # 'EXCEPTION_HANDLER': 'zoo.utils.rest_exception_handler',
-    'DEFAULT_AUTHENTICATION_CLASSES': (),
-    'DEFAULT_PERMISSION_CLASSES': (),
+    'DEFAULT_AUTHENTICATION_CLASSES': (
+        'rest_framework.authentication.BasicAuthentication',
+        'rest_framework.authentication.SessionAuthentication',
+    ),
+    'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.IsAdminUser',),
 }
 
 ZOO_NANTERRE_APPLICATIONS = {
diff --git a/zoo/zoo_nanterre/api_views.py b/zoo/zoo_nanterre/api_views.py
index 9a4673d..5e3a8a9 100644
--- a/zoo/zoo_nanterre/api_views.py
+++ b/zoo/zoo_nanterre/api_views.py
@@ -1464,6 +1464,8 @@ suppression_individu = SuppressionIndividu.as_view()
 
 
 class Federation(IndividuViewMixin, APIView):
+    permission_classes = ()
+
     def get(self, request, identifier, application, format=None):
         app_dfn = utils.get_application(application)
         if not app_dfn:
-- 
2.20.1
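Review bot: The `admin` argument added to `app(request, admin)` is never referenced in the body; it exists only so that the user behind the hard-coded `('Basic', ('admin', 'admin'))` pair is created before the first request, and nothing in the hunk says so. A comment above the assignment, `# requires the admin fixture (defined just above this one) to create a user whose credentials match this pair`, would stop a later cleanup from dropping the "unused" parameter. The credential pair is duplicated from wherever the admin fixture sets it, so a change there turns every request in the suite into a 401 with no pointer back to this line. Tests that cover the unauthenticated rejection path, which is the point of the commit, need `app.authorization = None` or a second fixture, and this hunk provides neither.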
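Review bot: `IsAdminUser` gates on `user.is_staff`, not `is_superuser`, so any staff account now reaches every endpoint that keeps the default; the `DEFAULT_PERMISSION_CLASSES` line deserves a comment such as `# IsAdminUser checks is_staff; a per-view permission_classes overrides this default entirely rather than adding to it`. `BasicAuthentication` carries the password on every request, so the deployment has to terminate TLS in front of the API, and with no `DEFAULT_THROTTLE_CLASSES` set here nothing in this configuration limits repeated failed basic-auth attempts. Because views that define their own `permission_classes` (Federation in api_views.py does so in this same patch) opt out of the default, the restriction is only as complete as the inventory of such overrides, which the commit does not list.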
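Review bot: `permission_classes = ()` on `Federation` replaces the new `IsAdminUser` default with no permission check at all, so this endpoint stays reachable by anonymous callers even though the commit title says the API is restricted to admins, and the line carries no comment saying why it is exempt. Suggest `permission_classes = ()  # intentionally open: overrides the IsAdminUser default from settings; TODO(review) confirm the application lookup below is meant to be the only gate`. Whether `utils.get_application(application)` or the rest of `get` performs its own authorization cannot be seen here, since the method body continues outside the hunk.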