require authentication to get dispatch objects via API

dispatch/urls.py

@@ -12,5 +12,5 @@ urlpatterns = [
     path('api/dispatchers/<key>/message', DispatchMessageByKey.as_view(), name='dispatch_api_dispatch_message'),
 
     path('api/actions/', DispatcherActionList.as_view(), name='dispatch_api_actions'),
-    path('api/actions/<pk>/', DispatcherActionDetail.as_view(), name='dispatch_api_action_detail'),
+    path('api/actions/<int:pk>/', DispatcherActionDetail.as_view(), name='dispatch_api_action_detail'),
 ]

dispatch/views.py

@@ -28,6 +28,8 @@ class HasSendMessagePermission(IsAuthenticated):
 class DispatcherList(generics.ListAPIView):
     """List all dispatchers."""
 
+    permission_classes = (IsAuthenticated,)
+
     queryset = Dispatcher.objects.all()
     serializer_class = DispatcherSerializer
 
@@ -35,6 +37,8 @@ class DispatcherList(generics.ListAPIView):
 class DispatcherDetail(generics.RetrieveAPIView):
     """Detail the given dispatcher."""
 
+    permission_classes = (IsAuthenticated,)
+
     queryset = Dispatcher.objects.all()
     serializer_class = DispatcherSerializer
 
@@ -107,6 +111,8 @@ class DispatchMessageByKey(DispatchMessage):
 class DispatcherActionList(generics.ListAPIView):
     """List all dispatchers."""
 
+    permission_classes = (IsAuthenticated,)
+
     queryset = DispatcherAction.objects.all()
     serializer_class = DispatcherActionSerializer
 
@@ -114,5 +120,7 @@ class DispatcherActionList(generics.ListAPIView):
 class DispatcherActionDetail(generics.RetrieveAPIView):
     """Detail the given dispatcher."""
 
+    permission_classes = (IsAuthenticated,)
+
     queryset = DispatcherAction.objects.all()
     serializer_class = DispatcherActionSerializer

tests/test_dispatch_api.py

@@ -1,6 +1,6 @@
 """Test the dispatch package's webservice."""
 from django.contrib.auth.models import User
-from rest_framework.status import HTTP_200_OK
+from rest_framework.status import HTTP_200_OK, HTTP_403_FORBIDDEN
 from rest_framework.test import APITestCase
 
 from dispatch.models import Dispatcher, DispatcherAction
@@ -27,3 +27,18 @@ class DispatchAPITest(APITestCase):
         resp = self.client.get('/dispatch/api/actions/')
         self.assertEqual(resp.status_code, HTTP_200_OK)
         self.assertEqual(len(resp.json()), DispatcherAction.objects.count())
+
+    def test_unauthed_dispatch_object_retrieval(self):
+        """Test that the list endpoints require authentication."""
+        client = self.client_class()
+        resp = client.get('/dispatch/api/dispatchers/')
+        self.assertEqual(resp.status_code, HTTP_403_FORBIDDEN)
+        resp = client.get('/dispatch/api/dispatchers/111/')
+        self.assertEqual(resp.status_code, HTTP_403_FORBIDDEN)
+        resp = client.get('/dispatch/api/dispatchers/fake/')
+        self.assertEqual(resp.status_code, HTTP_403_FORBIDDEN)
+
+        resp = client.get('/dispatch/api/actions/')
+        self.assertEqual(resp.status_code, HTTP_403_FORBIDDEN)
+        resp = client.get('/dispatch/api/actions/111/')
+        self.assertEqual(resp.status_code, HTTP_403_FORBIDDEN)