

Test: GET on a specific public dataview always returns 200.
- A GET request for *all* dataviews for unauthenticated users returns a 404.
- A GET request for *all* dataviews for authenticated users checks whether they
have the required permissions.
- A GET request for *a specific* public dataview *always* returns a 200.
- A GET request for *a specific* private dataview from unauthenticated users should
return a 404 but from authenticated users should check whether they have the
required permissions.

Signed-off-by: Njagi Mwaniki <[email protected]>
urbanslug committed Feb 14, 2017
1 parent c304954 commit a4d469b
Showing 2 changed files with 24 additions and 4 deletions.
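--- a/onadata/apps/api/permissions.py
+++ b/onadata/apps/api/permissions.py
@@ -236,10 +236,10 @@ class DataViewViewsetPermissions(AlternateHasObjectPermissionMixin,
     model_classes = [Project]
 
     def has_permission(self, request, view):
-        if request.user.is_anonymous() and view.action == 'list':
-            return False
-        else:
-            return True
+        # To allow individual public dataviews to be visible on
+        # `api/v1/dataviews/<pk>` but stop retreival of all dataviews when
+        # the dataviews endpoint is queried `api/v1/dataviews`
+        return not (request.user.is_anonymous() and view.action == 'list')
 
     def has_object_permission(self, request, view, obj):
         model_cls = Project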
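Review bot: `return not (request.user.is_anonymous() and view.action == 'list')` lets an anonymous request through for every action except `list`, and for `create` there is no object, so `has_object_permission` (whose body continues outside the hunk) never runs; an unauthenticated POST to the dataviews endpoint therefore clears this class unless the viewset or serializer rejects it, which I cannot see from here. The comment above the return documents only the `list` exclusion, so that assumption should be spelled out, e.g. `# Non-list actions are deliberately allowed through here; retrieve/update/destroy are guarded by has_object_permission below — confirm create is rejected downstream`. If anonymous create is not intended, the guard could be `return not (request.user.is_anonymous() and view.action in ('list', 'create'))`. While touching the comment, `retreival` should read `retrieval`.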
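--- a/onadata/apps/api/tests/viewsets/test_dataview_viewset.py
+++ b/onadata/apps/api/tests/viewsets/test_dataview_viewset.py
@@ -156,6 +156,22 @@ def test_get_dataview(self):
         self.assertEquals(response.data['last_submission_time'],
                           '2015-03-09T13:34:05')
 
+        # Public
+        self.project.shared = True
+        self.project.save()
+
+        anon_request = self.factory.get('/')
+        anon_response = self.view(anon_request, pk=self.data_view.pk)
+        self.assertEquals(anon_response.status_code, 200)
+
+        # Private
+        self.project.shared = False
+        self.project.save()
+
+        anon_request = self.factory.get('/')
+        anon_response = self.view(anon_request, pk=self.data_view.pk)
+        self.assertEquals(anon_response.status_code, 404)
+
     def test_update_dataview(self):
         self._create_dataview()
 
@@ -252,6 +268,10 @@ def test_list_dataview(self):
         self.assertEquals(response.status_code, 200)
         self.assertEquals(len(response.data), 2)
 
+        anon_request = request = self.factory.get('/')
+        anon_response = view(anon_request)
+        self.assertEquals(anon_response.status_code, 401)
+
     def test_get_dataview_no_perms(self):
         self._create_dataview()
 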
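Review bot: `self.assertEquals(anon_response.status_code, 401)` in test_list_dataview contradicts the commit message, which states that an anonymous GET of all dataviews returns a 404; since `has_permission` returning False produces a 401/403 from the framework rather than a 404, the message is the more likely error, but one of the two should be corrected so the test documents the intended behaviour. The chained assignment `anon_request = request = self.factory.get('/')` also rebinds the earlier `request` for no visible reason; `anon_request = self.factory.get('/')` is enough. In test_get_dataview the private branch only asserts the anonymous 404, while the message also promises a permission check for authenticated users on a private dataview — if `test_get_dataview_no_perms` does not set `shared = False`, that path is untested. Both enclosing methods begin outside the hunk.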

