Only render the Template API view for authenticated users. Thanks rgarcia for the report.

Signed-off-by: Roberto Rosario <roberto.rosario.gonzalez@gmail.com>
2018-10-09 19:10:35 -04:00
parent f34bead7d2
commit 15b9c0c56f
3 changed files with 18 additions and 1 deletions
--- a/HISTORY.rst
+++ b/HISTORY.rst
@@ -7,6 +7,8 @@
  instead of the literal keys. Avoid warning about invalid key 
  characters. Closes GitLab issue #518. Thanks to TheOneValen @ for the
  report.
 * Only render the Template API view for authenticated users.
  Thanks rgarcia for the report.
 3.1.5 (2018-10-08)
 ==================
--- a/mayan/apps/common/api_views.py
+++ b/mayan/apps/common/api_views.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 from django.contrib.contenttypes.models import ContentType
 from rest_framework import generics
 from rest_framework.permissions import IsAuthenticated
 from .classes import Template
 from .serializers import ContentTypeSerializer, TemplateSerializer
@@ -22,6 +23,7 @@ class APITemplateView(generics.RetrieveAPIView):
    get: Retrieve the details of the partial template.
    """
    serializer_class = TemplateSerializer
    permission_classes = (IsAuthenticated,)
    def get_object(self):
        return Template.get(self.kwargs['name']).render(request=self.request)
--- a/mayan/apps/common/tests/test_api.py
+++ b/mayan/apps/common/tests/test_api.py
@@ -7,6 +7,8 @@ from rest_api.tests import BaseAPITestCase
 from ..classes import Template
 TEST_TEMPLATE_RESULT = '<div'
 class CommonAPITestCase(BaseAPITestCase):
    def test_content_type_list_view(self):
@@ -15,6 +17,17 @@ class CommonAPITestCase(BaseAPITestCase):
    @override_settings(LANGUAGE_CODE='de')
    def test_template_detail_view(self):
        self.login_user()
        template_main_menu = Template.get(name='main_menu')
        response = self.client.get(template_main_menu.get_absolute_url())
-        self.assertEqual(response.status_code, 200)
+
        self.assertContains(
            response=response, text=TEST_TEMPLATE_RESULT, status_code=200
        )
    def test_template_detail_anonymous_view(self):
        template_main_menu = Template.get(name='main_menu')
        response = self.client.get(template_main_menu.get_absolute_url())
        self.assertNotContains(
            response=response, text=TEST_TEMPLATE_RESULT, status_code=403
        )