Merge pull request #2269 from IFRCGo/fix/permission-issue-ops

Fix Guest user permission issue in operational learning api
IFRCGo · Sep 18, 2024 · 7b46711 · 7b46711
2 parents ed657d4 + 0124074
commit 7b46711
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/api/test_views.py b/api/test_views.py
@@ -53,6 +53,8 @@ def test_guest_user_permission(self):
             "/api/v2/language/",
             f"/api/v2/language/{id}/",
             "/api/v2/event/",
+            "/api/v2/ops-learning/",
+            f"/api/v2/ops-learning/{id}/",
         ]
 
         go_post_apis = [
@@ -73,6 +75,7 @@ def test_guest_user_permission(self):
             "/api/v2/per-file/multiple/",
             "/api/v2/per-prioritization/",
             "/api/v2/per-work-plan/",
+            "/api/v2/ops-learning/",
             "/api/v2/project/",
             "/api/v2/dref-files/",
             "/api/v2/dref-files/multiple/",
@@ -98,8 +101,6 @@ def test_guest_user_permission(self):
             f"/api/v2/flash-update/{id}/",
             "/api/v2/local-units/",
             f"/api/v2/local-units/{id}/",
-            "/api/v2/ops-learning/",
-            f"/api/v2/ops-learning/{id}/",
             f"/api/v2/pdf-export/{id}/",
             "/api/v2/per-assessment/",
             f"/api/v2/per-assessment/{id}/",
@@ -138,7 +139,6 @@ def test_guest_user_permission(self):
         ]
 
         go_post_apis_req_additional_perm = [
-            "/api/v2/ops-learning/",
             "/api/v2/per-overview/",
             f"/api/v2/user/{id}/accepted_license_terms/",
         ]
@@ -167,6 +167,14 @@ def _failure_check(response, check_json_error_code=True):
         _success_check(event_pub_response)
         self.assertEqual(len(event_pub_response.json()["results"]), 1)
 
+        # Unauthenticated user should be able to view operational learning
+        ops_learning_response = self.client.get("/api/v2/ops-learning/")
+        _success_check(ops_learning_response)
+
+        # Unauthenticated user should not be able to do post operations in operational learning
+        ops_learning_response = self.client.post("/api/v2/ops-learning/", json=body)
+        _failure_check(ops_learning_response, check_json_error_code=False)
+
         # authenticate guest user
         self.authenticate(user=self.guest_user)
 

diff --git a/per/drf_views.py b/per/drf_views.py
@@ -19,7 +19,7 @@
 
 from api.models import Country
 from deployments.models import SectorTag
-from main.permissions import DenyGuestUserPermission
+from main.permissions import DenyGuestUserMutationPermission, DenyGuestUserPermission
 from main.utils import SpreadSheetContentNegotiation
 from per.filter_set import (
     PerDocumentFilter,
@@ -708,7 +708,7 @@ class OpsLearningViewset(viewsets.ModelViewSet):
     """
 
     queryset = OpsLearning.objects.all()
-    permission_classes = [DenyGuestUserPermission, OpsLearningPermission]
+    permission_classes = [DenyGuestUserMutationPermission, OpsLearningPermission]
     filterset_class = OpsLearningFilter
     search_fields = (
         "learning",