Add permissions to API (#68)

* Add auth to server and fix user.service to accommodate it

* Fix tests

* Fix test

client/src/app/services/user.service.ts

@@ -1,5 +1,5 @@
 import { Injectable } from '@angular/core';
-import { Http, Response } from '@angular/http';
+import { Http, Response, Headers, RequestOptions } from '@angular/http';
 import { Observable } from 'rxjs/Rx';
 
 import { environment } from '../../environments/environment';
@@ -12,8 +12,16 @@ export class UserService {
     private http: Http,
   ) { }
 
+  private appendToken(): RequestOptions {
+    const headers = new Headers();
+    headers.append('Authorization', `Basic ${btoa('admin:pass')}`);
+    return new RequestOptions({ headers: headers });
+  }
+
   getUsers(): Observable<User[]> {
-    return this.http.get(`${environment.server}/api/users`)
+    const options = this.appendToken();
+
+    return this.http.get(`${environment.server}/api/users`, options)
       .map(res => res.json())
       .catch(this.handleError);
   }

server/api/tests.py

@@ -1,16 +1,22 @@
 from rest_framework import status
 from rest_framework.test import APITestCase
 from django.contrib.auth.models import User
+from requests.auth import HTTPBasicAuth
 
 
 class UsersApiTestCase(APITestCase):
     def setUp(self):
         User.objects.create_superuser('admin', 'admin@example.com', 'admin12345')
 
     def test_get_users_objects(self):
+        self.client.login(username='admin', password='admin12345')
         response = self.client.get('/api/users/', format='json')
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(len(response.data), 1)
         self.assertEqual(response.data[0]['email'], 'admin@example.com')
         self.assertEqual(response.data[0]['username'], 'admin')
-        self.assertEqual(response.data[0]['url'], 'http://testserver/api/users/1/')
+        self.assertEqual(response.data[0]['url'], 'http://testserver/api/users/2/')
+
+    def test_forbidden_get_users_objects(self):
+        response = self.client.get('/api/users/', format='json')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

server/config/settings.py

@@ -25,7 +25,7 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = os.environ.get('DEBUG', False)
 
-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = ['localhost']
 
 CORS_ORIGIN_WHITELIST = (
     'localhost:4200',
@@ -137,6 +137,13 @@
     },
 }
 
+# REST API
+REST_FRAMEWORK = {
+    'DEFAULT_PERMISSION_CLASSES': (
+        'rest_framework.permissions.IsAuthenticated',
+    )
+}
+
 
 # Internationalization
 # https://docs.djangoproject.com/en/1.11/topics/i18n/

server/locustfile.py

@@ -2,16 +2,10 @@
 
 
 class UserBehavior(TaskSet):
-    # def on_start(self):
-    #     """ on_start is called when a Locust start before any task is scheduled """
-    #     self.login()
-
-    # def login(self):
-    #     self.client.post("/login", {"username":"ellen_key", "password":"education"})
-
     @task(1)
     def users(self):
-        self.client.get('/api/users')
+        self.client.login(username='admin', password='pass')
+        self.client.get('/api/users', serlf.headers)
 
 
 class WebsiteUser(HttpLocust):