require authentication to get dispatch objects via API

7 months ago · 0ea54a5ee2
parent ffcdc3f8d8
commit 0ea54a5ee2
3 changed files with 25 additions and 2 deletions
--- a/dispatch/urls.py
+++ b/dispatch/urls.py
@ -12,5 +12,5 @@ urlpatterns = [
    path('api/dispatchers/<key>/message', DispatchMessageByKey.as_view(), name='dispatch_api_dispatch_message'),

    path('api/actions/', DispatcherActionList.as_view(), name='dispatch_api_actions'),
-    path('api/actions/<pk>/', DispatcherActionDetail.as_view(), name='dispatch_api_action_detail'),
+    path('api/actions/<int:pk>/', DispatcherActionDetail.as_view(), name='dispatch_api_action_detail'),
 ]
--- a/dispatch/views.py
+++ b/dispatch/views.py
@ -28,6 +28,8 @@ class HasSendMessagePermission(IsAuthenticated):
 class DispatcherList(generics.ListAPIView):
    """List all dispatchers."""

+    permission_classes = (IsAuthenticated,)
+
    queryset = Dispatcher.objects.all()
    serializer_class = DispatcherSerializer

@ -35,6 +37,8 @@ class DispatcherList(generics.ListAPIView):
 class DispatcherDetail(generics.RetrieveAPIView):
    """Detail the given dispatcher."""

+    permission_classes = (IsAuthenticated,)
+
    queryset = Dispatcher.objects.all()
    serializer_class = DispatcherSerializer

@ -107,6 +111,8 @@ class DispatchMessageByKey(DispatchMessage):
 class DispatcherActionList(generics.ListAPIView):
    """List all dispatchers."""

+    permission_classes = (IsAuthenticated,)
+
    queryset = DispatcherAction.objects.all()
    serializer_class = DispatcherActionSerializer

@ -114,5 +120,7 @@ class DispatcherActionList(generics.ListAPIView):
 class DispatcherActionDetail(generics.RetrieveAPIView):
    """Detail the given dispatcher."""

+    permission_classes = (IsAuthenticated,)
+
    queryset = DispatcherAction.objects.all()
    serializer_class = DispatcherActionSerializer
--- a/tests/test_dispatch_api.py
+++ b/tests/test_dispatch_api.py
@ -1,6 +1,6 @@
 """Test the dispatch package's webservice."""
 from django.contrib.auth.models import User
-from rest_framework.status import HTTP_200_OK
+from rest_framework.status import HTTP_200_OK, HTTP_403_FORBIDDEN
 from rest_framework.test import APITestCase

 from dispatch.models import Dispatcher, DispatcherAction
@ -27,3 +27,18 @@ class DispatchAPITest(APITestCase):
        resp = self.client.get('/dispatch/api/actions/')
        self.assertEqual(resp.status_code, HTTP_200_OK)
        self.assertEqual(len(resp.json()), DispatcherAction.objects.count())
+
+    def test_unauthed_dispatch_object_retrieval(self):
+        """Test that the list endpoints require authentication."""
+        client = self.client_class()
+        resp = client.get('/dispatch/api/dispatchers/')
+        self.assertEqual(resp.status_code, HTTP_403_FORBIDDEN)
+        resp = client.get('/dispatch/api/dispatchers/111/')
+        self.assertEqual(resp.status_code, HTTP_403_FORBIDDEN)
+        resp = client.get('/dispatch/api/dispatchers/fake/')
+        self.assertEqual(resp.status_code, HTTP_403_FORBIDDEN)
+
+        resp = client.get('/dispatch/api/actions/')
+        self.assertEqual(resp.status_code, HTTP_403_FORBIDDEN)
+        resp = client.get('/dispatch/api/actions/111/')
+        self.assertEqual(resp.status_code, HTTP_403_FORBIDDEN)