Skip to content

Commit

Permalink
🛂(backend) use playlist token in deposit apis
Browse files Browse the repository at this point in the history
As we are now using playlist tokens, it has to be allowed on apis.
  • Loading branch information
kernicPanel committed Aug 22, 2023
1 parent 011c4ab commit af3889b
Show file tree
Hide file tree
Showing 14 changed files with 52 additions and 44 deletions.
6 changes: 3 additions & 3 deletions src/backend/marsha/deposit/api.py
Original file line number Diff line number Diff line change
Expand Up @@ -107,7 +107,7 @@ def get_permissions(self):
]
elif self.action in ["retrieve"]:
permission_classes = [
core_permissions.IsTokenResourceRouteObject
core_permissions.IsPlaylistToken
& (
core_permissions.IsTokenInstructor
| core_permissions.IsTokenAdmin
Expand All @@ -118,7 +118,7 @@ def get_permissions(self):
elif self.action in ["update", "partial_update", "destroy"]:
permission_classes = [
(
core_permissions.IsTokenResourceRouteObject
core_permissions.IsPlaylistToken
& (
core_permissions.IsTokenInstructor
| core_permissions.IsTokenAdmin
Expand Down Expand Up @@ -243,7 +243,7 @@ def get_permissions(self):
| core_permissions.IsTokenStudent
| core_permissions.UserIsAuthenticated
]
elif self.action in ["create", "list", "metadata"]:
elif self.action in ["list", "metadata"]:
permission_classes = [
core_permissions.IsTokenInstructor
| core_permissions.IsTokenAdmin
Expand Down
13 changes: 5 additions & 8 deletions src/backend/marsha/deposit/permissions.py
Original file line number Diff line number Diff line change
@@ -1,9 +1,8 @@
"""Custom permission classes for the Deposit app."""
from django.core.exceptions import ObjectDoesNotExist

from rest_framework import permissions

from marsha.core import models
from marsha.deposit.models import FileDepository


def _is_organization_admin(user_id, file_depository_id):
Expand Down Expand Up @@ -59,12 +58,10 @@ def has_permission(self, request, view):
"""
if not request.resource:
return False
try:
return (
str(view.get_related_object().file_depository.id) == request.resource.id
)
except ObjectDoesNotExist:
return False

return FileDepository.objects.filter(
pk=view.get_related_filedepository_id(), playlist_id=request.resource.id
).exists()


class IsFileDepositoryPlaylistOrOrganizationAdmin(permissions.BasePermission):
Expand Down
7 changes: 2 additions & 5 deletions src/backend/marsha/deposit/serializers.py
Original file line number Diff line number Diff line change
Expand Up @@ -83,13 +83,10 @@ def create(self, validated_data):
"""
resource = self.context["request"].resource
user = self.context["request"].user
file_depository_id = self.context["request"].data.get("file_depository_id")
file_depository_id = self.context["view"].get_related_filedepository_id()

if not validated_data.get("file_depository_id"):
if resource:
validated_data["file_depository_id"] = resource.id
elif file_depository_id:
validated_data["file_depository_id"] = file_depository_id
validated_data["file_depository_id"] = file_depository_id

if resource:
validated_data["author_id"] = resource.user.get("id")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ def test_api_deposited_file_create_student_with_user_fullname(self):
"""

file_depository = FileDepositoryFactory()
jwt_token = StudentLtiTokenFactory(resource=file_depository)
jwt_token = StudentLtiTokenFactory(resource=file_depository.playlist)

response = self.client.post(
f"/api/filedepositories/{file_depository.id}/depositedfiles/",
Expand Down Expand Up @@ -89,7 +89,9 @@ def test_api_deposited_file_create_student_with_username(self):

file_depository = FileDepositoryFactory()
jwt_token = StudentLtiTokenFactory(
resource=file_depository, user__user_fullname=None, user__username="student"
resource=file_depository.playlist,
user__user_fullname=None,
user__username="student",
)

response = self.client.post(
Expand Down Expand Up @@ -121,7 +123,9 @@ def test_api_deposited_file_create_student_without_username(self):

file_depository = FileDepositoryFactory()
jwt_token = StudentLtiTokenFactory(
resource=file_depository, user__user_fullname=None, user__username=None
resource=file_depository.playlist,
user__user_fullname=None,
user__username=None,
)

response = self.client.post(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,9 @@ class DepositedFileDeleteAPITest(TestCase):
def test_api_deposited_file_delete_student(self):
"""A student user should not be able to delete a deposited_file."""
deposited_file = DepositedFileFactory()
jwt_token = StudentLtiTokenFactory(resource=deposited_file.file_depository)
jwt_token = StudentLtiTokenFactory(
resource=deposited_file.file_depository.playlist
)

self.assertEqual(DepositedFile.objects.count(), 1)
response = self.client.delete(
Expand All @@ -45,7 +47,7 @@ def test_api_deposited_file_delete_instructor(self):
"""An instructor should be able to delete a deposited_file."""
deposited_file = DepositedFileFactory()
jwt_token = InstructorOrAdminLtiTokenFactory(
resource=deposited_file.file_depository
resource=deposited_file.file_depository.playlist
)

self.assertEqual(DepositedFile.objects.count(), 1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,9 @@ def test_api_deposited_file_initiate_upload_student(self):
upload_state=random.choice(["ready", "error"]),
file_depository__id="ed08da34-7447-4141-96ff-5740315d7b99",
)
jwt_token = StudentLtiTokenFactory(resource=deposited_file.file_depository)
jwt_token = StudentLtiTokenFactory(
resource=deposited_file.file_depository.playlist
)

now = datetime(2018, 8, 8, tzinfo=baseTimezone.utc)
with mock.patch.object(timezone, "now", return_value=now), mock.patch(
Expand Down Expand Up @@ -106,7 +108,9 @@ def test_api_deposited_file_initiate_upload_file_without_size(self):
upload_state=random.choice(["ready", "error"]),
file_depository__id="ed08da34-7447-4141-96ff-5740315d7b99",
)
jwt_token = StudentLtiTokenFactory(resource=deposited_file.file_depository)
jwt_token = StudentLtiTokenFactory(
resource=deposited_file.file_depository.playlist
)

now = datetime(2018, 8, 8, tzinfo=baseTimezone.utc)
with mock.patch.object(timezone, "now", return_value=now), mock.patch(
Expand Down Expand Up @@ -134,7 +138,9 @@ def test_api_deposited_file_initiate_upload_file_too_large(self):
upload_state=random.choice(["ready", "error"]),
file_depository__id="ed08da34-7447-4141-96ff-5740315d7b99",
)
jwt_token = StudentLtiTokenFactory(resource=deposited_file.file_depository)
jwt_token = StudentLtiTokenFactory(
resource=deposited_file.file_depository.playlist
)

now = datetime(2018, 8, 8, tzinfo=baseTimezone.utc)
with mock.patch.object(timezone, "now", return_value=now), mock.patch(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,9 @@ def setUpClass(cls):
def test_api_deposited_file_update_student(self):
"""A student user should not be able to update a deposited_file."""
deposited_file = DepositedFileFactory()
jwt_token = StudentLtiTokenFactory(resource=deposited_file.file_depository)
jwt_token = StudentLtiTokenFactory(
resource=deposited_file.file_depository.playlist
)
data = {"read": True}

response = self.client.patch(
Expand All @@ -54,7 +56,7 @@ def test_api_deposited_file_update_instructor(self):
"""An instructor should be able to update a deposited_file."""
deposited_file = DepositedFileFactory()
jwt_token = InstructorOrAdminLtiTokenFactory(
resource=deposited_file.file_depository
resource=deposited_file.file_depository.playlist
)
data = {"read": True}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ def test_api_file_depository_create_student_with_playlist_token(self):
def test_api_file_depository_create_instructor(self):
"""An instructor without playlist token should not be able to create a file_depository."""
file_depository = FileDepositoryFactory()
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)

response = self.client.post(
"/api/filedepositories/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ def test_api_file_depository_delete_user_logged_in(self):
def test_api_file_depository_delete_student(self):
"""A student user should not be able to delete a file_depository."""
file_depository = FileDepositoryFactory()
jwt_token = StudentLtiTokenFactory(resource=file_depository)
jwt_token = StudentLtiTokenFactory(resource=file_depository.playlist)

self.assertEqual(FileDepository.objects.count(), 1)
response = self.client.delete(
Expand All @@ -69,7 +69,7 @@ def test_api_file_depository_delete_instructor_read_only(self):
"""An instructor should not be able to delete a file_depository in read_only."""
file_depository = FileDepositoryFactory()
jwt_token = InstructorOrAdminLtiTokenFactory(
resource=file_depository,
resource=file_depository.playlist,
permissions__can_update=False,
)

Expand All @@ -85,7 +85,7 @@ def test_api_file_depository_delete_instructor_read_only(self):
def test_api_file_depository_delete_instructor(self):
"""An instructor should be able to delete a file_depository."""
file_depository = FileDepositoryFactory()
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)

self.assertEqual(FileDepository.objects.count(), 1)
response = self.client.delete(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ def test_api_file_depository_list_deposited_files_student(self):
DepositedFileFactory.create_batch(3, file_depository=file_depository)
owned_deposited_file = DepositedFileFactory(file_depository=file_depository)
jwt_token = StudentLtiTokenFactory(
resource=file_depository,
resource=file_depository.playlist,
permissions__can_update=True,
user__id=owned_deposited_file.author_id,
user__full_username=owned_deposited_file.author_name,
Expand Down Expand Up @@ -90,7 +90,7 @@ def test_api_file_depository_list_deposited_files_instructor(self):
deposited_files = DepositedFileFactory.create_batch(
3, file_depository=file_depository
)
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)

response = self.client.get(
f"/api/filedepositories/{file_depository.id}/depositedfiles/?limit=2",
Expand Down Expand Up @@ -140,7 +140,7 @@ def test_api_file_depository_list_deposited_files_instructor_filtered(self):
deposited_files_new = DepositedFileFactory.create_batch(
2, file_depository=file_depository
)
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)

response = self.client.get(
f"/api/filedepositories/{file_depository.id}/depositedfiles/?limit=10",
Expand Down Expand Up @@ -291,7 +291,7 @@ def test_api_file_depository_list_deposited_files_instructor_signed_urls(self):
deposited_files = DepositedFileFactory.create_batch(
3, file_depository=file_depository, uploaded_on=now
)
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)

now = datetime(2021, 11, 30, tzinfo=baseTimezone.utc)
with mock.patch.object(timezone, "now", return_value=now), mock.patch(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ def test_api_file_depository_fetch_list_student(self):
"""A student should not be able to fetch a list of file_depository."""
file_depository = FileDepositoryFactory()
jwt_token = StudentLtiTokenFactory(
resource=file_depository,
resource=file_depository.playlist,
permissions__can_update=True,
)

Expand All @@ -55,7 +55,7 @@ def test_api_file_depository_fetch_list_student(self):
def test_api_file_depository_fetch_list_instructor(self):
"""An instructor should not be able to fetch a file_depository list."""
file_depository = FileDepositoryFactory()
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)

response = self.client.get(
"/api/filedepositories/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ def setUpClass(cls):
def test_api_file_depository_fetch_student(self):
"""A student should be allowed to fetch a file_depository."""
file_depository = FileDepositoryFactory()
jwt_token = StudentLtiTokenFactory(resource=file_depository)
jwt_token = StudentLtiTokenFactory(resource=file_depository.playlist)

response = self.client.get(
f"/api/filedepositories/{file_depository.id!s}/",
Expand Down Expand Up @@ -68,7 +68,7 @@ def test_api_file_depository_fetch_from_other_file_depository(self):
"""
file_depository = FileDepositoryFactory()
other_file_depository = FileDepositoryFactory()
jwt_token = StudentLtiTokenFactory(resource=other_file_depository)
jwt_token = StudentLtiTokenFactory(resource=other_file_depository.playlist)

response = self.client.get(
f"/api/filedepositories/{file_depository.id!s}/",
Expand All @@ -79,7 +79,7 @@ def test_api_file_depository_fetch_from_other_file_depository(self):
def test_api_file_depository_fetch_instructor(self):
"""An instructor should be able to fetch a file_depository."""
file_depository = FileDepositoryFactory()
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)

response = self.client.get(
f"/api/filedepositories/{file_depository.id!s}/",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ def test_api_file_depository_update_user_logged_in(self):
def test_api_file_depository_update_student(self):
"""A student user should not be able to update a file_depository."""
file_depository = FileDepositoryFactory()
jwt_token = StudentLtiTokenFactory(resource=file_depository)
jwt_token = StudentLtiTokenFactory(resource=file_depository.playlist)
data = {"title": "new title"}

response = self.client.patch(
Expand All @@ -70,7 +70,7 @@ def test_api_file_depository_update_instructor_read_only(self):
"""An instructor should not be able to update a file_depository in read_only."""
file_depository = FileDepositoryFactory()
jwt_token = InstructorOrAdminLtiTokenFactory(
resource=file_depository,
resource=file_depository.playlist,
permissions__can_update=False,
)
data = {"title": "new title"}
Expand All @@ -86,7 +86,7 @@ def test_api_file_depository_update_instructor_read_only(self):
def test_api_file_depository_update_instructor(self):
"""An instructor should be able to update a file_depository."""
file_depository = FileDepositoryFactory()
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)
data = {"title": "new title", "description": "Hello"}

response = self.client.patch(
Expand Down
4 changes: 2 additions & 2 deletions src/backend/marsha/deposit/tests/api/test_options.py
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ def test_api_deposited_files_options_as_student(self):
"""A student can fetch the deposited files options endpoint"""

file_depository = FileDepositoryFactory()
jwt_token = StudentLtiTokenFactory(resource=file_depository)
jwt_token = StudentLtiTokenFactory(resource=file_depository.playlist)
response = self.client.options(
f"/api/filedepositories/{file_depository.id}/depositedfiles/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
Expand All @@ -42,7 +42,7 @@ def test_api_deposited_files_options_instructor(self):
"""An instructor can fetch the deposited files options endpoint"""

file_depository = FileDepositoryFactory()
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)

response = self.client.options(
f"/api/filedepositories/{file_depository.id}/depositedfiles/",
Expand Down

0 comments on commit af3889b

Please sign in to comment.