feat: add filter backends and limit the list view to super or staff u… #203

Merged
merged 1 commit into from
Jul 16, 2024

andrey-canon
Collaborator

Description

  1. Added SearchFilter with search_fields ["candidate__username", "course__id"] to enable search functionality.
  2. Updated the list method of the viewset to restrict access to staff or superusers only.

Change Objective:

Enhance endpoint security and functionality by limiting access to authorized users.
Facilitate event searches by user and course using the SearchFilter.

Testing instructions

  1. Make a request to /eox-nelp/api/pearson_vue/v1/resultNotification/ with a staff or super user, expected behavior => list of records returned
  2. Make a request to /eox-nelp/api/pearson_vue/v1/resultNotification/ with a non-staff user, expected behavior => 404
  3. Make a request with the search query param /eox-nelp/api/pearson_vue/v1/resultNotification/?search=course-v1:edx%2BCS101%2B2023_t4 or /eox-nelp/api/pearson_vue/v1/resultNotification/?search=<username> expected behavior => filtered list of records

Raises:
Http404: If the user does not have the necessary permissions.
"""
if request.user.is_superuser or request.user.is_staff:
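
Review bot: the inline check `if request.user.is_superuser or request.user.is_staff:` guards only the method it sits in, so any other action on the same viewset that returns other users' records would need the same test; moving it into a permission class or a shared helper would apply it uniformly. The `Raises: Http404` docstring line should also state that answering with 404 rather than 403 is deliberate, because a client cannot tell a denied request from a missing route, and a test should pin the non-staff case to that status.
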
Collaborator

So this forces the user used for the application to get the token to be staff?
I think that only creating the application was enough to get a token and use the API.

Collaborator Author

If you are not staff, you shouldn't be able to get data from other users.

Collaborator

@johanseto johanseto left a comment

LGTM

@andrey-canon andrey-canon force-pushed the and/change_candidate_representation branch from 98bb029 to fc79f4e Compare July 16, 2024 22:47
@andrey-canon andrey-canon changed the base branch from and/change_candidate_representation to master July 16, 2024 22:52
@andrey-canon andrey-canon force-pushed the and/add_filter_and_staff_condition branch from 2cdf9af to 8522875 Compare July 16, 2024 22:53
@andrey-canon andrey-canon merged commit ecd6383 into master Jul 16, 2024
6 of 7 checks passed