added tests, fixed an error the tests revealed

Author: Jens Timmerman

oauth2_provider/ext/rest_framework/permissions.py

@@ -3,6 +3,7 @@
 from django.core.exceptions import ImproperlyConfigured
 
 from rest_framework.permissions import BasePermission, IsAuthenticated
+from .authentication import OAuth2Authentication
 
 from ...settings import oauth2_settings
 
@@ -89,11 +90,18 @@ def get_scopes(self, request, view):
 class IsAuthenticatedOrTokenHasScope(BasePermission):
     """
     The user is authenticated using some backend or the token has the right scope
+    This only returns True if the user is authenticated, but not using a token
+    or using a token, and the token has the correct scope.
+
     This is usefull when combined with the DjangoModelPermissions to allow people browse the browsable api's
     if they log in using the a non token bassed middleware,
     and let them access the api's using a rest client with a token
     """
     def has_permission(self, request, view):
-        is_authenticated = IsAuthenticated()
+        is_authenticated = IsAuthenticated().has_permission(request, view)
+        oauth2authenticated = False
+        if is_authenticated:
+            oauth2authenticated = isinstance(request.successful_authenticator, OAuth2Authentication)
+
         token_has_scope = TokenHasScope()
-        return is_authenticated.has_permission(request, view) or token_has_scope.has_permission(request, view)
+        return (is_authenticated and not oauth2authenticated) or token_has_scope.has_permission(request, view)

oauth2_provider/tests/test_rest_framework.py

@@ -19,7 +19,9 @@
 try:
     from rest_framework import permissions
     from rest_framework.views import APIView
+    from rest_framework.test import force_authenticate, APIRequestFactory
     from ..ext.rest_framework import OAuth2Authentication, TokenHasScope, TokenHasReadWriteScope, TokenHasResourceScope
+    from ..ext.rest_framework import IsAuthenticatedOrTokenHasScope
 
     class MockView(APIView):
         permission_classes = (permissions.IsAuthenticated,)
@@ -37,6 +39,10 @@ class ScopedView(OAuth2View):
         permission_classes = [permissions.IsAuthenticated, TokenHasScope]
         required_scopes = ['scope1']
 
+    class AuthenticatedOrScopedView(OAuth2View):
+        permission_classes = [IsAuthenticatedOrTokenHasScope]
+        required_scopes = ['scope1']
+
     class ReadWriteScopedView(OAuth2View):
         permission_classes = [permissions.IsAuthenticated, TokenHasReadWriteScope]
 
@@ -51,6 +57,7 @@ class ResourceScopedView(OAuth2View):
         url(r'^oauth2-scoped-test/$', ScopedView.as_view()),
         url(r'^oauth2-read-write-test/$', ReadWriteScopedView.as_view()),
         url(r'^oauth2-resource-scoped-test/$', ResourceScopedView.as_view()),
+        url(r'^oauth2-authenticated-or-scoped-test/$', AuthenticatedOrScopedView.as_view()),
     )
 
     rest_framework_installed = True
@@ -105,6 +112,24 @@ def test_authentication_denied(self):
         response = self.client.get("/oauth2-test/", HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 401)
 
+    @unittest.skipUnless(rest_framework_installed, 'djangorestframework not installed')
+    def test_authentication_or_scope_denied(self):
+        # user is not authenticated
+        # not a correct token
+        auth = self._create_authorization_header("fake-token")
+        response = self.client.get("/oauth2-authenticated-or-scoped-test/", HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 401)
+        # token doesn't have correct scope
+        auth = self._create_authorization_header(self.access_token.token)
+
+        factory = APIRequestFactory()
+        request = factory.get("/oauth2-authenticated-or-scoped-test/")
+        request.auth = auth
+        force_authenticate(request, token=self.access_token)
+        response = AuthenticatedOrScopedView.as_view()(request)
+        # authenticated but wrong scope, this is 403, not 401
+        self.assertEqual(response.status_code, 403)
+
     @unittest.skipUnless(rest_framework_installed, 'djangorestframework not installed')
     def test_scoped_permission_allow(self):
         self.access_token.scope = 'scope1'
@@ -114,6 +139,33 @@ def test_scoped_permission_allow(self):
         response = self.client.get("/oauth2-scoped-test/", HTTP_AUTHORIZATION=auth)
         self.assertEqual(response.status_code, 200)
 
+    @unittest.skipUnless(rest_framework_installed, 'djangorestframework not installed')
+    def test_authenticated_or_scoped_permission_allow(self):
+        self.access_token.scope = 'scope1'
+        self.access_token.save()
+        # correct token and correct scope
+        auth = self._create_authorization_header(self.access_token.token)
+        response = self.client.get("/oauth2-authenticated-or-scoped-test/", HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 200)
+
+        auth = self._create_authorization_header("fake-token")
+        # incorrect token  but authenticated
+        factory = APIRequestFactory()
+        request = factory.get("/oauth2-authenticated-or-scoped-test/")
+        request.auth = auth
+        force_authenticate(request, self.test_user)
+        response = AuthenticatedOrScopedView.as_view()(request)
+        self.assertEqual(response.status_code, 200)
+
+        # correct token  but not authenticated
+        request = factory.get("/oauth2-authenticated-or-scoped-test/")
+        request.auth = auth
+        self.access_token.scope = 'scope1'
+        self.access_token.save()
+        force_authenticate(request, token=self.access_token)
+        response = AuthenticatedOrScopedView.as_view()(request)
+        self.assertEqual(response.status_code, 200)
+
     @unittest.skipUnless(rest_framework_installed, 'djangorestframework not installed')
     def test_scoped_permission_deny(self):
         self.access_token.scope = 'scope2'