Restrict access to /instance and /api endpoints
This change restricts access to the /instance and /api URLs to staff users and users with InstanceManagerPermission.
JIRA tickets: Implements OC-1550
Screenshots:
Non-privileged users see Permission Denied for /api URLs:
Testing instructions:
- Set up an opencraft devstack according to the instructions in the README.
- Be sure to run `make migrate`, as this change introduces a new permission model.
- Run the automatic tests: `make test`
- Set up users for manual tests:

  ```
  make shell
  In [1]: from django.contrib.auth.models import User
  In [2]: beta = User.objects.create_user('beta', 'beta@example.com', 'beta')
  In [3]: staff = User.objects.create_user('staff', 'staff@example.com', 'edx')
  In [4]: staff.is_staff = True
  In [5]: staff.save()
  In [6]: superuser = User.objects.create_user('superuser', 'superuser@example.com', 'super')
  In [7]: superuser.is_superuser = True
  In [8]: superuser.save()
  ```
- With each user in [beta, staff, superuser]:
  - Visit http://localhost:5000, and click Login.
    - beta should redirect to /registration/
    - staff, superuser should redirect to /instance/
  - Visit http://localhost:5000/instance/:
    - beta should redirect to /registration/
    - staff, superuser should redirect to /instance/
  - Visit http://localhost:5000/api/
    - beta user should get 403
    - staff, superuser should get 200, and be able to navigate further
  - Click 'Logout' in between each user.
    - Should redirect to /registration/
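The access rule behind the test matrix above, written out as an added example that is not OpenCraft's code. It separates the authorization predicate (staff, or a user holding InstanceManagerPermission) from the two enforcement behaviours the test plan describes (a redirect to /registration/ on the browser-facing /instance/ pages, a bare 403 on /api/), and also covers a case the manual tests do not: a non-staff user who holds only the permission. The permission codename `instance.manage_own`, the `User` stand-in, and the `dispatch` helper are assumptions made for this example, not identifiers taken from the project.

```python
"""Added example (not OpenCraft's code): the access rule behind the
/instance and /api restriction, modelled in plain Python.

Assumptions, not taken from the PR: the permission codename
"instance.manage_own", the User stand-in, and the dispatch() helper.
Staff users and users who hold the permission are allowed through;
everyone else is redirected on the HTML pages and gets a 403 on the API."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Hypothetical codename for InstanceManagerPermission; the real one is not on this page.
INSTANCE_MANAGER_PERM = "instance.manage_own"


@dataclass(frozen=True)
class User:
    """Minimal stand-in for django.contrib.auth.models.User."""
    username: str
    is_authenticated: bool = True
    is_staff: bool = False
    is_superuser: bool = False
    perms: FrozenSet[str] = frozenset()

    def has_perm(self, codename: str) -> bool:
        # Mirrors Django's ModelBackend: a superuser implicitly holds every permission.
        return self.is_superuser or codename in self.perms


ANONYMOUS = User("anonymous", is_authenticated=False)


def is_instance_manager(user: User) -> bool:
    """Authorization predicate: staff, or explicit InstanceManagerPermission.

    Anonymous users fail closed regardless of anything attached to them.
    """
    if not user.is_authenticated:
        return False
    return user.is_staff or user.has_perm(INSTANCE_MANAGER_PERM)


def dispatch(path: str, user: User) -> Tuple[int, Optional[str]]:
    """Enforcement layer. Returns (status, redirect_location).

    Browser-facing pages under /instance/ redirect an unauthorized user to
    /registration/, as in the test plan; machine-facing /api/ endpoints
    return a plain 403 instead, since an HTML redirect is not a useful
    answer for an API client and would mask the denial.
    """
    allowed = is_instance_manager(user)
    if path.startswith("/api/"):
        return (200, None) if allowed else (403, None)
    if path.startswith("/instance/"):
        return (200, None) if allowed else (302, "/registration/")
    return (404, None)  # anything else is outside this example's scope


def run_test_matrix() -> dict:
    """Reproduces the manual matrix from the testing instructions, plus a
    non-staff user who holds only the permission (the case the new model adds)
    and an anonymous visitor."""
    beta = User("beta")
    staff = User("staff", is_staff=True)
    superuser = User("superuser", is_superuser=True)
    manager = User("manager", perms=frozenset({INSTANCE_MANAGER_PERM}))
    results = {}
    for user in (beta, staff, superuser, manager, ANONYMOUS):
        for path in ("/instance/", "/api/"):
            results[(user.username, path)] = dispatch(path, user)
    return results


if __name__ == "__main__":
    for (name, path), (status, location) in sorted(run_test_matrix().items()):
        print(f"{name:10s} {path:12s} -> {status} {location or ''}")
```

In a Django project the predicate would normally live in one place and be reused by both layers, for example as the `test_func` of a `django.contrib.auth.mixins.UserPassesTestMixin` on the /instance/ views and inside `has_permission` of a Django REST framework `BasePermission` subclass for /api/; that wiring is a suggestion for how to apply the example, not a description of what this PR does.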
Author notes and concerns:
- `make test_prospector`'s pylint tests were returning a number of `no-member` errors for inherited members of the new `InstanceManagerPermission` and `InstanceManagerPermissionManager` classes. Error messages are visible in the initial CircleCI run. This appears to be a pylint-django bug, addressed by PR #74. I've suppressed the errors with commit efcbac2.
Reviewers