
Only allow paid staff access to API.

Signed-off-by: James Socol <james@mozilla.com>
commit 807e89a8ddb1b5b9ff4098d835d52abedb32665e 1 parent 66f4c9d
@aakashhdesai aakashhdesai authored James Socol committed
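--- a/apps/phonebook/templates/phonebook/edit_profile.html
+++ b/apps/phonebook/templates/phonebook/edit_profile.html
@@ -27,7 +27,9 @@
 <li><a href="#skills" data-toggle="tab">{{ _('Skills & Groups') }}</a></li>
 <li><a href="#vouches" data-toggle="tab">{{ _('Vouches & Invites') }}</a></li>
 <li><a href="#account" data-toggle="tab">{{ _('Account') }}</a></li>
- <li><a href="#services" data-toggle="tab">{{ _('Services') }}</a></li>
+ {% if user.get_profile().groups.filter(name='staff') and user.get_profile().is_vouched %}
+ <li><a href="#services" data-toggle="tab">{{ _('Services') }}</a></li>
+ {% endif %}
 </ul>
 <div class="tab-content">
 <div class="tab-pane active" id="1">
@@ -144,32 +146,40 @@
 </div>
 </div>
 </div>
- <div class="tab-pane" id="services">
- <div class="control-group">
- <p class="field_description">
- {% trans %}
- The Mozillians' Phonebook offers an API to Vouched Mozillians to help authorize
- contributors and share profile data to other tools and sites. This means that sites
- like <a href="http://bugzilla.mozilla.org">Bugzilla</a> and the
- <a href="http://reps.mozilla.org">Mozilla Reps Portal</a> can give you greater access
- to features and functionality as a Vouched Mozillian as well as populate your Mozillian
- profile data automatically.
- {% endtrans %}
- </p>
- <h2>{{ _("API") }}</h2>
- <label class="control-label">{{ _("Api Key") }}</label>
- <div class="controls">
- <span class="label-text">
- <div class="input-append">
- <input id="api-key" type="text" class="span4" autocomplete="off" data-value="{{ profile.get_api_key() }}" value="{{ profile.get_api_key() }}">
- <button type="submit" name="reset_api_key" class="btn btn-mini btn-danger">
- {{ _("Generate new API Key") }}
- </button>
- </div>
- </span>
+ {% if user.get_profile().groups.filter(name='staff') and user.get_profile().is_vouched %}
+ <div class="tab-pane" id="services">
+ <div class="control-group">
+ <p class="field_description">
+ {% trans %}
+ The Phonebook offers an API to help authorize contributors and share profile
+ data to other tools and sites like <a href="http://bugzilla.mozilla.org">Bugzilla</a>
+ and the <a href="http://reps.mozilla.org">Mozilla Reps Portal</a>.
+ {% endtrans %}
+ </p>
+ <h2>{{ _("Developers") }}</h2>
+ <p class="field_description">
+ {% trans %}
+ Take a look at the list of the <a href="/api/v1/">API methods we've made available</a>. To use this API,
+ you'll need to get approval from the Privacy team. To get started,
+ <a href="https://bugzilla.mozilla.org/enter_bug.cgi?product=Data%20Safety">file a bug</a>.
+ If you have any questions, talk to us in our <a href="http://groups.google.com/group/mozilla-dev-community-tools/">
+ development forum</a>.
+ {% endtrans %}
+ </p>
+ <label class="control-label">{{ _("Api Key") }}</label>
+ <div class="controls">
+ <span class="label-text">
+ <div class="input-append">
+ <input id="api-key" type="text" class="span4" autocomplete="off" data-value="{{ profile.get_api_key() }}" value="{{ profile.get_api_key() }}">
+ <button type="submit" name="reset_api_key" class="btn btn-mini btn-danger">
+ {{ _("Generate new API Key") }}
+ </button>
+ </div>
+ </span>
+ </div>
 </div>
 </div>
- </div>
+ {% endif %}
 </div>
 </div>
 <div id="edit_controls">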
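Review bot: Hiding the Services tab and the key field behind the two new `{% if … %}` guards changes only what is rendered, not who can obtain or rotate a key: `reset_api_key` is still a plain form field of the same page, the profile view that handles that POST is not part of this commit, and `profile.get_api_key()` is still callable for every profile, so a vouched non-staff user can presumably still submit `reset_api_key` and get a key through whatever else renders it. The check belongs in the view (and, since `apps/users/api.py` in this same commit adds an equivalent group test, in one shared helper on the profile) so that the template and the API cannot drift apart. The condition itself calls `user.get_profile()` four times and relies on a lazy `groups.filter(name='staff')` queryset being evaluated in boolean context; if `profile` in this template is the logged-in user's profile, as its use for `profile.get_api_key()` suggests, and the engine is Jinja2 as `{% trans %}` suggests, compute it once with `{% set is_paid_staff = profile.is_vouched and profile.groups.filter(name='staff').exists() %}` and use `is_paid_staff` in both guards. A short template comment such as `{# Services/API key are visible only to vouched members of the 'staff' group; the view and PaidStaffAuthentication must enforce the same rule #}` would also document the intent for the next editor.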
30 apps/phonebook/tests/test_views.py
@@ -3,6 +3,7 @@
from django import test
from django.contrib.auth.models import User
+from django.test.utils import override_settings
import test_utils
from nose.tools import eq_
@@ -315,27 +316,44 @@ def test_replace_photo(self):
new_photo = doc('#profile-photo').attr('src')
assert new_photo != old_photo
+ @override_settings(AUTO_VOUCH_DOMAINS=('example.com',))
def test_api_key(self):
"""Assert that the Api key will be created and displayed"""
- client = self.mozillian_client
- r = client.get(reverse('profile.edit'), follow=True)
+ u = user(email='test@example.com')
+ assert self.client.login(email=u.email)
+ r = self.client.get(reverse('profile.edit'), follow=True)
+ eq_(200, r.status_code)
doc = pq(r.content)
api_key = doc('#api-key').attr('value')
- p = self.mozillian.get_profile()
+ p = u.get_profile()
assert p.get_api_key() == api_key
+ @override_settings(AUTO_VOUCH_DOMAINS=('example.com',))
+ def test_non_staff_api_kei(self):
+ """Assert that non-auto-vouched users don't have an API key."""
+ u = user(email='test@another.com', is_vouched=True)
+ assert self.client.login(email=u.email)
+ r = self.client.get(reverse('profile.edit'), follow=True)
+ eq_(200, r.status_code)
+
+ doc = pq(r.content)
+ eq_(0, len(doc('#api-key')))
+
+ @override_settings(AUTO_VOUCH_DOMAINS=('example.com',))
def test_reset_api_key(self):
"""Assert that resetingthe aPI key changes it."""
- client = self.mozillian_client
- r = client.get(reverse('profile.edit'), follow=True)
+ u = user(email='test@example.com')
+ assert self.client.login(email=u.email)
+ r = self.client.get(reverse('profile.edit'), follow=True)
+ eq_(200, r.status_code)
doc = pq(r.content)
original_api_key = doc('#api-key').attr('value')
data = {'reset_api_key': True}
- r = client.post(reverse('profile.edit'), data, follow=True)
+ r = self.client.post(reverse('profile.edit'), data, follow=True)
doc = pq(r.content)
new_api_key = doc('#api-key').attr('value')
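Review bot: The new test at `def test_non_staff_api_kei(self):` has a typo in its name, and its docstring claims something the assertion does not check: it creates a vouched user outside AUTO_VOUCH_DOMAINS and only verifies that `#api-key` is absent from the rendered page, not that the user "doesn't have an API key". Rename it `def test_non_staff_api_key(self):` and change the docstring to `"""Assert that vouched users who are not staff do not see the API key field."""`. The template condition introduced in this commit requires both staff-group membership and `is_vouched`, so a second negative case (a user in the `staff` group who is not vouched) would cover the other half of the rule, and the three positive tests appear to rely on AUTO_VOUCH_DOMAINS also placing the `example.com` user in the `staff` group, which is not visible here and deserves a one-line comment where `u = user(email='test@example.com')` is created. `test_reset_api_key` continues past the end of the hunk.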
16 apps/users/api.py
@@ -23,13 +23,27 @@ def is_authenticated(self, request, **kwargs):
def get_identifier(self, request):
return request.user.username
+class PaidStaffAuthentication(Authentication):
+ """
+ API Authentication that only lets in paid staff users
+ """
+ def is_authenticated(self, request, **kwargs):
+ user = request.user
+ if (user.is_authenticated() and
+ user.get_profile().groups.filter(name='staff')):
+ return True
+
+ return False
+
+ def get_identifier(self,request):
+ return request.user.username
class UserProfileResource(ModelResource):
email = fields.CharField(attribute='email', null=True, readonly=True)
class Meta:
queryset = UserProfile.objects.select_related()
- authentication = VouchedAuthentication()
+ authentication = PaidStaffAuthentication()
authorization = ReadOnlyAuthorization()
serializer = HTMLSerializer()
list_allowed_methods = ['get']
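Review bot: `PaidStaffAuthentication.is_authenticated` tests only membership in the `staff` group, while the template guard added to edit_profile.html in this same commit requires `is_vouched` as well, so a staff user who is not vouched is hidden from the Services tab but accepted by the API; the `VouchedAuthentication` it replaces presumably enforced vouching, which would make this a loosening for that case. Fold the vouched check in and use `.exists()` rather than evaluating the queryset in boolean context: `profile = user.get_profile()` then `return bool(user.is_authenticated() and profile.is_vouched and profile.groups.filter(name='staff').exists())`. Because the same rule now lives in two places, a single `is_paid_staff` helper on UserProfile that both the template and this class call would keep them consistent, and the docstring should state the actual contract, e.g. `"""Allow only authenticated users who are vouched and in the 'staff' group."""`. `get_profile()` can raise if the request user has no profile, which this code does not guard; whether that can occur for authenticated users here is not visible in the diff. Minor: `def get_identifier(self,request)` needs a space after the comma.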