Add ability to restrict API to authenticated only users.

iodide-project · Jun 11, 2019 · f8fa414 · f8fa414
1 parent 6bf046d
commit f8fa414
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 10 deletions.
diff --git a/server/files/api_views.py b/server/files/api_views.py
@@ -1,7 +1,7 @@
 import json
 
 from django.core.exceptions import PermissionDenied
-from rest_framework import permissions, viewsets
+from rest_framework import viewsets
 from rest_framework.response import Response
 
 from .models import File
@@ -10,7 +10,6 @@
 
 class FileViewSet(viewsets.ModelViewSet):
 
-    permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
     serializer_class = FilesSerializer
 
     http_method_names = ["post", "put", "delete"]

diff --git a/server/notebooks/api_views.py b/server/notebooks/api_views.py
@@ -3,7 +3,7 @@
 from django.db import transaction
 from django.http import Http404
 from django.shortcuts import get_object_or_404
-from rest_framework import permissions, viewsets
+from rest_framework import viewsets
 from rest_framework.exceptions import ValidationError
 
 from .models import Notebook, NotebookRevision
@@ -17,8 +17,6 @@
 
 class NotebookViewSet(viewsets.ModelViewSet):
 
-    permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
-
     # modifying a notebook doesn't make sense once created (if you want to
     # change the title, add a revision doing just that)
     http_method_names = ["get", "post", "head", "delete"]
@@ -66,8 +64,6 @@ def perform_create(self, serializer):
 
 class NotebookRevisionViewSet(viewsets.ModelViewSet):
 
-    permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
-
     # revisions should be considered immutable once created
     http_method_names = ["get", "post", "head", "delete"]
 

diff --git a/server/settings.py b/server/settings.py
@@ -89,6 +89,8 @@
     "server.files",
 ]
 
+RESTRICT_API = env.bool("RESTRICT_API", default=False)
+
 REST_FRAMEWORK = {
     "DEFAULT_AUTHENTICATION_CLASSES": [
         "rest_framework.authentication.SessionAuthentication",
@@ -97,6 +99,14 @@
     ]
 }
 
+if RESTRICT_API:
+    REST_FRAMEWORK["DEFAULT_PERMISSION_CLASSES"] = ("rest_framework.permissions.IsAuthenticated",)
+else:
+    REST_FRAMEWORK["DEFAULT_PERMISSION_CLASSES"] = (
+        "rest_framework.permissions.IsAuthenticatedOrReadOnly",
+    )
+
+
 MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",
     "whitenoise.middleware.WhiteNoiseMiddleware",

diff --git a/server/tests/test_jwt_authentication.py b/server/tests/test_jwt_authentication.py
@@ -1,6 +1,3 @@
-from datetime import timedelta
-from time import sleep
-
 import pytest
 from django.urls import reverse
 from freezegun import freeze_time