From 07d23c20bd862e5b5b58f45b9efbccda7bde0e30 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 28 Mar 2019 17:06:48 +0100
Subject: [PATCH] api: restrict API to authenticated admin users (fixes #31828)

It pays attention to custom authentication on the get federation endpoint based on apikeys defined in settings, this endpoint has no permission at all.
---
 tests/conftest.py | 15 +++++++++++++--
 tests/test_nanterre.py | 4 ++--
 zoo/settings.py | 7 +++++--
 zoo/zoo_nanterre/api_views.py | 2 ++
 4 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/tests/conftest.py b/tests/conftest.py
index 7d4de6d..366784b 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -277,11 +277,22 @@ def admin(db):
 
 
 @pytest.fixture
-def app(request):
+def app(request, admin):
     wtm = django_webtest.WebTestMixin()
     wtm._patch_settings()
     request.addfinalizer(wtm._unpatch_settings)
-    return django_webtest.DjangoTestApp(extra_environ={'HTTP_HOST': 'localhost'})
+    app = django_webtest.DjangoTestApp(extra_environ={'HTTP_HOST': 'localhost'})
+    app.authorization = ('Basic', ('admin', 'admin'))
+    return app
+
+
+@pytest.fixture
+def app_noauth(request, admin):
+    wtm = django_webtest.WebTestMixin()
+    wtm._patch_settings()
+    request.addfinalizer(wtm._unpatch_settings)
+    app = django_webtest.DjangoTestApp(extra_environ={'HTTP_HOST': 'localhost'})
+    return app
 
 
 @pytest.fixture
diff --git a/tests/test_nanterre.py b/tests/test_nanterre.py
index 2235298..79377d8 100644
--- a/tests/test_nanterre.py
+++ b/tests/test_nanterre.py
@@ -67,7 +67,7 @@ def test_person_search_api(app, db, rsu):
     assert any(data['id'] == rsu[0].id for data in response.json['data'])
 
 
-def test_create_individu(settings, transactional_db, app, rsu_schema):
+def test_create_individu(settings, transactional_db, app, app_noauth, rsu_schema):
     def get_reseau(identifier):
         reseau_url = reverse('rsu-api-reseau', kwargs={
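Review bot: The new `app_noauth` fixture repeats the three WebTestMixin patching lines and the `DjangoTestApp` construction of `app` verbatim, so a test that takes both (as `test_create_individu` now does) patches and unpatches the django_webtest settings twice, and `app_noauth` declares the `admin` fixture without using it. Factoring the shared setup into a module-level helper keeps the two fixtures distinct objects (they must stay distinct, since one carries Basic credentials and the other must not) while removing the duplication. If `admin` is kept on `app_noauth` only so the user row exists before the test runs, a one-line comment saying so would stop the next reader from deleting it; whether the double patching is actually harmful depends on WebTestMixin internals not shown here. The `('admin', 'admin')` credentials presumably match what the `admin` fixture creates, which is outside this hunk.
```python
def _make_test_app(request):
    # Patch the django_webtest settings for the duration of the test, then build a client.
    wtm = django_webtest.WebTestMixin()
    wtm._patch_settings()
    request.addfinalizer(wtm._unpatch_settings)
    return django_webtest.DjangoTestApp(extra_environ={'HTTP_HOST': 'localhost'})


@pytest.fixture
def app(request, admin):
    # Client authenticated as the staff user created by the `admin` fixture.
    app = _make_test_app(request)
    app.authorization = ('Basic', ('admin', 'admin'))
    return app


@pytest.fixture
def app_noauth(request, admin):
    # Anonymous client, for endpoints that carry their own authentication.
    return _make_test_app(request)
```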
@@ -791,7 +791,7 @@ def test_create_individu(settings, transactional_db, app, rsu_schema):
 
     # test obtention de clés de fédération
     def get_federation(uuid, **kwargs):
-        return app.get('/rsu/individu/%s/federation/technocarte/' % uuid, **kwargs).json
+        return app_noauth.get('/rsu/individu/%s/federation/technocarte/' % uuid, **kwargs).json
     first = Entity.objects.get(id=first_id)
     first.content['cles_de_federation']['authentic'] = 'abcd'
     first.save()
diff --git a/zoo/settings.py b/zoo/settings.py
index aa2bab6..bd4486a 100644
--- a/zoo/settings.py
+++ b/zoo/settings.py
@@ -187,8 +187,11 @@ LOGGING = {
 # Rest Framework
 REST_FRAMEWORK = {
     # 'EXCEPTION_HANDLER': 'zoo.utils.rest_exception_handler',
-    'DEFAULT_AUTHENTICATION_CLASSES': (),
-    'DEFAULT_PERMISSION_CLASSES': (),
+    'DEFAULT_AUTHENTICATION_CLASSES': (
+        'rest_framework.authentication.BasicAuthentication',
+        'rest_framework.authentication.SessionAuthentication',
+    ),
+    'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.IsAdminUser',),
 }
 
 ZOO_NANTERRE_APPLICATIONS = {
diff --git a/zoo/zoo_nanterre/api_views.py b/zoo/zoo_nanterre/api_views.py
index 9a4673d..5e3a8a9 100644
--- a/zoo/zoo_nanterre/api_views.py
+++ b/zoo/zoo_nanterre/api_views.py
@@ -1464,6 +1464,8 @@ suppression_individu = SuppressionIndividu.as_view()
 
 
 class Federation(IndividuViewMixin, APIView):
+    permission_classes = ()
+
     def get(self, request, identifier, application, format=None):
         app_dfn = utils.get_application(application)
         if not app_dfn:
-- 
2.20.1
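Review bot: The switch to `app_noauth` in `get_federation` is the only place the anonymous client is exercised, and nothing in the patch asserts that the now-restricted endpoints actually refuse an unauthenticated or non-staff caller, which is the property this commit exists to add. One request through `app_noauth` to any of the RSU endpoints the test already uses, e.g. `app_noauth.get(<restricted RSU url used above>, status=401)`, would pin that down; 401 rather than 403 because `BasicAuthentication` is listed first and DRF answers unauthenticated requests with its challenge, which is worth confirming against the DRF version in use. `test_create_individu` begins and continues outside this hunk.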
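Review bot: The two new settings change the behaviour of every view in the project, and the consequences are not recorded next to them: `IsAdminUser` only checks `user.is_staff`, `SessionAuthentication` enforces CSRF on unsafe methods for session-authenticated callers, and any view that used to be reachable anonymously now needs an explicit opt-out (as `Federation` gets in api_views.py). A comment above `'DEFAULT_AUTHENTICATION_CLASSES'` would save the next reader a trip to the DRF docs: `# Every view now requires a staff user (IsAdminUser == is_staff). Views serving machine clients with their own key check must set permission_classes = () explicitly. Basic credentials are resent on every request, so this relies on TLS in front of the application.` Whether other views in the same module relied on anonymous access cannot be seen from this patch and is worth checking before merging.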
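Review bot: `permission_classes = ()` on `Federation` drops the permission check but keeps the default authenticators, so a request carrying a malformed or wrong `Authorization: Basic` header is still rejected by `BasicAuthentication` with 401 before `get()` runs, while a request with no header goes through to the per-application key check that, per the commit message, lives in `get()` (not visible in this hunk). The reason for the opt-out is not stated in code; add above the attribute `# No DRF permission check: callers are authenticated per application by the api key verified in get() below.` If the key check never reads `request.user`, adding `authentication_classes = ()` as well would make this view independent of the global defaults, but the hunk does not show enough of `get()` to say. The body of `get` continues outside the hunk.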