Merge pull request #656 from openedx/ENT-8871/auth-for-license-provis…

…ioning [ENT-8871] - Implement Access Control for Provisioning
openedx · May 27, 2024 · c17b421 · c17b421
2 parents 9024bf2 + d1f2ae9
commit c17b421
Show file tree

Hide file tree

Showing 5 changed files with 212 additions and 97 deletions.
diff --git a/license_manager/apps/api/permissions.py b/license_manager/apps/api/permissions.py
@@ -13,3 +13,18 @@ class CanRetireUser(permissions.BasePermission):
 
     def has_permission(self, request, view):
         return request.user.username == settings.RETIREMENT_SERVICE_WORKER_USERNAME or request.user.is_superuser
+
+
+class IsInProvisioningAdminGroup(permissions.BasePermission):
+    """
+    Grant access to those users only who are part of the license provisiioning django group
+    """
+    ALLOWED_API_GROUPS = ['provisioning-admins-group']
+    message = 'Access denied: You do not have the necessary permissions to access this.'
+
+    def has_permission(self, request, view):
+        return (
+            super().has_permission(request, view) and (
+                request.user.groups.filter(name__in=self.ALLOWED_API_GROUPS).exists()
+            )
+        )
diff --git a/license_manager/apps/api/v1/tests/constants.py b/license_manager/apps/api/v1/tests/constants.py
@@ -3,6 +3,7 @@
 
 # Constants for subscriptions API tests
 SUBSCRIPTION_RENEWAL_DAYS_OFFSET = 500
+PROVISIONING_ADMINS_GROUP = "provisioning-admins-group"
 
 ADMIN_ROLES = {
     'system_role': constants.SYSTEM_ENTERPRISE_ADMIN_ROLE,