Remove GET-out of route permissions (datalab-org#754)

* Remove GET-out of route permissions * Rework slightly * Add a test for entirely unauthenticated users * Re-rename decorator
elbee99 · May 31, 2024 · 680bd37 · 680bd37
1 parent b5618f9
commit 680bd37
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 4 deletions.
diff --git a/pydatalab/pydatalab/permissions.py b/pydatalab/pydatalab/permissions.py
@@ -12,14 +12,23 @@
 
 
 def active_users_or_get_only(func):
-    """Decorator to ensure that only active user accounts can access a non-GET route."""
+    """Decorator to ensure that only active user accounts can access the route,
+    unless it is a GET-route, in which case deactivated accounts can also access it.
+
+    """
 
     @wraps(func)
     def wrapped_route(*args, **kwargs):
         if (
-            (current_user.is_authenticated and current_user.account_status == AccountStatus.ACTIVE)
+            (
+                current_user.is_authenticated
+                and (
+                    current_user.account_status == AccountStatus.ACTIVE
+                    or request.method in ("OPTIONS", "GET")
+                )
+            )
             or CONFIG.TESTING
-            or request.method in ("OPTIONS", "GET")
+            or request.method in ("OPTIONS",)
         ):
             return func(*args, **kwargs)
 
@@ -37,7 +46,7 @@ def wrapped_route(*args, **kwargs):
             current_user.is_authenticated
             and current_user.role == UserRole.ADMIN
             and current_user.account_status == AccountStatus.ACTIVE
-        ) or request.method in ("OPTIONS", "GET"):
+        ) or request.method in ("OPTIONS",):
             return func(*args, **kwargs)
 
         if not current_user.is_authenticated:

diff --git a/pydatalab/tests/server/test_permissions.py b/pydatalab/tests/server/test_permissions.py
@@ -25,3 +25,16 @@ def test_deactivated_user_permissions(deactivated_client):
 
     response = client.get("/starting-materials/")
     assert response.status_code == 200
+
+
+def test_unauthenticated_user_permissions(unauthenticated_client):
+    """Test permissions for an unauthenticated user."""
+    client = unauthenticated_client
+    response = client.get("/samples/")
+    assert response.status_code == 401
+
+    response = client.post("/new-sample/", json={"item_id": "test"})
+    assert response.status_code == 401
+
+    response = client.get("/starting-materials/")
+    assert response.status_code == 401