Merge pull request #216 from compute-tooling/anon-user-rest

Fix create API permissions
compute-tooling · Oct 3, 2019 · 3c7a2d4 · 3c7a2d4
2 parents 207e4d1 + 4319e5e
commit 3c7a2d4
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/webapp/apps/comp/permissions.py b/webapp/apps/comp/permissions.py
@@ -3,7 +3,11 @@
 
 class RequiresActive(BasePermission):
     def has_permission(self, request, view):
-        return bool(request.user.profile and request.user.profile.is_active)
+        return bool(
+            request.user.is_authenticated
+            and request.user.profile
+            and request.user.profile.is_active
+        )
 
 
 class RequiresPayment(BasePermission):

diff --git a/webapp/apps/comp/tests/test_asyncviews.py b/webapp/apps/comp/tests/test_asyncviews.py
@@ -414,3 +414,11 @@ def test_outputs_api(db, api_client, profile, password):
         api_client.put("/outputs/api/", data={"bad": "data"}, format="json").status_code
         == 400
     )
+
+
+def test_anon_get_create_api(db, api_client):
+    anon_user = auth.get_user(api_client)
+    assert not anon_user.is_authenticated
+
+    resp = api_client.get("/hdoupe/Matchups/api/v1/")
+    assert resp.status_code == 403