refactor: modify REST API endpoints for LR MFE #1760
Conversation
MaxFrank13
force-pushed
the
mfrank/APER-1992
branch
4 times, most recently
from
ff92630 to
1b7da27
Compare
| Allows access if the requesting user is the owner of the record, a staff member, or a superuser. | ||
| """ | ||
|
|
||
| def has_permission(self, request, view): |
There was a problem hiding this comment.
How does this check if the requesting user is the owner of the record? I can see that it works in the unit tests, but I don't understand the mechanism.
There was a problem hiding this comment.
Oh nice catch! It actually doesn't. I need to change the documentation. I initially thought we'd allow the user to do this but now I'm under the impression that a learner/normal user should never need to use this username query parameter.
| programs = get_user_program_data( | ||
| searched_user, request.site, include_empty_programs=False, include_retired_programs=True | ||
| ) | ||
| else: | ||
| programs = get_user_program_data( | ||
| request.user.username, request.site, include_empty_programs=False, include_retired_programs=True |
There was a problem hiding this comment.
A couple of things...
-
I think the information we're passing to
get_user_program_datahere differs in yourifvs. yourelse. In theif, you are sending the entire User object toget_user_program_data. In yourelse, you are sending just the username. Which should it be? -
I think we want to code a bit more defensively. I think this code has a chance to throw an exception and maybe not return any data back to the caller. It's not guaranteed a user will exist with the username passed in to the API call. A call to
{Model}.objects.get(blah=blah)will throw aDoesNotExistexception if the object doesn't exist. We will likely want to do something like...
username = request.user.username
query_param_username = request.query_params.get("username", "")
if query_param_username:
try:
other_user = User.objects.get(username=query_param_username)
except User.DoesNotExist:
# Log something here
return Response({"enrolled_programs": []}) # empty list, string, dictionary, whatever we would pass back when there is no data
else:
(else section only executes if the "try" didn't throw an exception)
username = other_user.username
programs = get_user_program_data(
username, request.site, include_empty_programs=False, include_retired_programs=True
)
This way we also cut down on code duplication of the call to get_user_program_data.
There was a problem hiding this comment.
I had a feeling there may be a better way to do this. Thanks for the example!
There was a problem hiding this comment.
An interesting note about the first question you had: It is supposed to be a username, however, it was still working by passing in the User. Is this some Django magic perhaps?
MaxFrank13
force-pushed
the
mfrank/APER-1992
branch
from
1b7da27 to
ffb09ea
Compare
MaxFrank13
force-pushed
the
mfrank/APER-1992
branch
2 times, most recently
from
54679b9 to
cad54de
Compare
MaxFrank13
force-pushed
the
mfrank/APER-1992
branch
from
cad54de to
35f1392
Compare
This is a PR to modify the existing REST API endpoints used by the LR MFE. This modification adds a
usernamequery param that is employed the the Support Tools MFE to fetch the same data learners see.Custom permissions classes were necessary here to block access from unauthorized users. We needed to ensure that learners (or other non-staff, non-superusers) couldn't view the records of others.
Here is a truth table that attempts to illustrate how access is handled with the addition of this query parameter.