feat(AU-2283): Add authorization layer to bulk delete

openedx · Nov 22, 2024 · 0f6079c · 0f6079c
1 parent f5050c5
commit 0f6079c
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 5 deletions.
diff --git a/edxval/tests/test_views.py b/edxval/tests/test_views.py
@@ -8,7 +8,9 @@
 
 from ddt import data, ddt, unpack
 from django.urls import reverse
+from edx_rest_framework_extensions.permissions import IsStaff
 from rest_framework import status
+from rest_framework.permissions import IsAuthenticated
 
 from edxval.models import CourseVideo, EncodedVideo, Profile, TranscriptProviderType, Video, VideoTranscript
 from edxval.serializers import TranscriptSerializer
@@ -1164,12 +1166,29 @@ def setUp(self):
         Tests setup.
         """
         self.url = reverse('bulk-delete-video-transcript')
+        self.patcher = patch.object(IsAuthenticated, "has_permission", return_value=True)
+        self.patcher = patch.object(IsStaff, "has_permission", return_value=True)
+        self.patcher.start()
+
         self.video_1 = Video.objects.create(**constants.VIDEO_DICT_SIMPSONS)
         self.transcript_data_es = constants.VIDEO_TRANSCRIPT_SIMPSON_ES
         self.transcript_data_ko = constants.VIDEO_TRANSCRIPT_SIMPSON_KO
         self.transcript_data_ru = constants.VIDEO_TRANSCRIPT_SIMPSON_RU
         super().setUp()
 
+    def tearDown(self):
+        self.patcher.stop()
+
+    def test_transcript_bulk_delete_fail_authorized(self):
+        with patch.object(IsAuthenticated, "has_permission", return_value=False):
+            response = self.client.post(self.url, {}, format="json")
+            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_transcript_bulk_delete_fail_no_staff(self):
+        with patch.object(IsStaff, "has_permission", return_value=False):
+            response = self.client.post(self.url, {}, format="json")
+            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
     @data(
         (
             {
@@ -1195,7 +1214,7 @@ def test_transcript_bulk_delete_handler_wrong_payload_missing_transcript_for_vid
             provider=self.transcript_data_es['provider'],
         )
         response = self.client.post(self.url, data=json.dumps(request_payload), content_type='application/json')
-        self.assertEqual(response.status_code, 400)
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
         self.assertEqual(json.loads(response.content.decode('utf-8'))['message'], expected_error_message)
 
     @data(
@@ -1218,7 +1237,7 @@ def test_transcript_bulk_delete_handler_wrong_payload_missing_transcript_for_vid
         Tests the transcript upload handler when the required attributes are missing.
         """
         response = self.client.post(self.url, data=json.dumps(request_payload), content_type='application/json')
-        self.assertEqual(response.status_code, 400)
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
         self.assertEqual(json.loads(response.content.decode('utf-8'))['message'], expected_error_message)
 
     @data(
@@ -1235,7 +1254,7 @@ def test_transcript_bulk_delete_handler_wrong_payload_not_a_list(self, request_p
         Tests the transcript upload handler when the required attributes are missing.
         """
         response = self.client.post(self.url, data=json.dumps(request_payload), content_type='application/json')
-        self.assertEqual(response.status_code, 400)
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
         self.assertEqual(json.loads(response.content.decode('utf-8'))['message'], expected_error_message)
 
     @data(
@@ -1270,5 +1289,5 @@ def test_transcript_bulk_delete_handler_success(self, request_payload, expected_
             provider=self.transcript_data_ru['provider'],
         )
         response = self.client.post(self.url, data=json.dumps(request_payload), content_type='application/json')
-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(json.loads(response.content.decode('utf-8'))['message'], expected_message)
diff --git a/edxval/views.py b/edxval/views.py
@@ -8,9 +8,10 @@
 from django.core.exceptions import ValidationError
 from django.shortcuts import get_object_or_404
 from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
+from edx_rest_framework_extensions.permissions import IsStaff
 from rest_framework import generics, status
 from rest_framework.authentication import SessionAuthentication
-from rest_framework.permissions import DjangoModelPermissions
+from rest_framework.permissions import DjangoModelPermissions, IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -423,6 +424,7 @@ class VideoTranscriptBulkDelete(APIView):
     View to bulk delete video transcripts
     """
     authentication_classes = (JwtAuthentication, SessionAuthentication)
+    permission_classes = (IsAuthenticated, IsStaff)
 
     def post(self, request):
         """