fix: component asset api views (#35765)
Uses a DRF view to authenticate the user before allowing them to access library static assets.
navinkarkera authored Nov 7, 2024
1 parent db587bd commit ca7da37
Showing 4 changed files with 33 additions and 17 deletions.
Expand Up @@ -1066,8 +1066,8 @@ def test_library_paste_clipboard(self):
self._get_library_block_asset(pasted_usage_key, "static/hello.txt")

# Compare the two text files
src_data = self.client.get(f"/library_assets/blocks/{usage_key}/static/hello.txt").content
dest_data = self.client.get(f"/library_assets/blocks/{pasted_usage_key}/static/hello.txt").content
src_data = self.client.get(f"/library_assets/blocks/{usage_key}/static/hello.txt").getvalue()
dest_data = self.client.get(f"/library_assets/blocks/{pasted_usage_key}/static/hello.txt").getvalue()
assert src_data == dest_data

# Check that the new block was created after the paste and it's content matches
Expand Up @@ -168,12 +168,12 @@ def test_anonymous_user(self):
response = self.client.get(
f"/library_assets/component_versions/{self.draft_component_version.uuid}/static/test.svg"
)
assert response.status_code == 403
assert response.status_code == 401

def test_unauthorized_user(self):
"""User who is not a Content Library staff should not have access."""
self.client.logout()
student = UserFactory.create(
UserFactory.create(
username="student",
email="student@example.com",
password="student-pass",
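Review bot: The updated assertion in `test_anonymous_user` covers only the `component_versions/` route; nothing in this hunk requests `/library_assets/blocks/<usage_key>/...` as an anonymous or non-staff user, although that route moved to the new authenticated view in the same commit. If no such test exists elsewhere in the file, add the parallel pair for the draft-asset route, with `assert response.status_code == 401` for the anonymous case. `test_unauthorized_user` continues past the end of the hunk, so its final assertion cannot be checked from here.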
4 changes: 2 additions & 2 deletions openedx/core/djangoapps/content_libraries/urls.py
Expand Up @@ -79,12 +79,12 @@
path('library_assets/', include([
path(
'component_versions/<uuid:component_version_uuid>/<path:asset_path>',
views.component_version_asset,
views.LibraryComponentAssetView.as_view(),
name='library-assets',
),
path(
'blocks/<usage_v2:usage_key>/<path:asset_path>',
views.component_draft_asset,
views.LibraryComponentDraftAssetView.as_view(),
name='library-draft-assets',
),
])
38 changes: 27 additions & 11 deletions openedx/core/djangoapps/content_libraries/views.py
Expand Up @@ -80,7 +80,6 @@
from django.utils.translation import gettext as _
from django.views.decorators.clickjacking import xframe_options_exempt
from django.views.decorators.csrf import csrf_exempt
from django.views.decorators.http import require_safe
from django.views.generic.base import TemplateResponseMixin, View
from pylti1p3.contrib.django import DjangoCacheDataStorage, DjangoDbToolConf, DjangoMessageLaunch, DjangoOIDCLogin
from pylti1p3.exception import LtiException, OIDCException
Expand Down Expand Up @@ -1163,8 +1162,7 @@ def get(self, request):
return JsonResponse(self.lti_tool_config.get_jwks(), safe=False)


@require_safe
def component_version_asset(request, component_version_uuid, asset_path):
def get_component_version_asset(request, component_version_uuid, asset_path):
"""
Serves static assets associated with particular Component versions.
Expand Down Expand Up @@ -1234,16 +1232,34 @@ def component_version_asset(request, component_version_uuid, asset_path):
)


@require_safe
def component_draft_asset(request, usage_key, asset_path):
@view_auth_classes()
class LibraryComponentAssetView(APIView):
"""
Serves static assets associated with particular Component versions.
"""
@convert_exceptions
def get(self, request, component_version_uuid, asset_path):
"""
GET API for fetching static asset for given component_version_uuid.
"""
return get_component_version_asset(request, component_version_uuid, asset_path)


@view_auth_classes()
class LibraryComponentDraftAssetView(APIView):
"""
Serves the draft version of static assets associated with a Library Component.
See `component_version_asset` for more details
See `get_component_version_asset` for more details
"""
try:
component_version_uuid = api.get_component_from_usage_key(usage_key).versioning.draft.uuid
except ObjectDoesNotExist as exc:
raise Http404() from exc
@convert_exceptions
def get(self, request, usage_key, asset_path):
"""
Fetches component_version_uuid for given usage_key and returns component asset.
"""
try:
component_version_uuid = api.get_component_from_usage_key(usage_key).versioning.draft.uuid
except ObjectDoesNotExist as exc:
raise Http404() from exc

return component_version_asset(request, component_version_uuid, asset_path)
return get_component_version_asset(request, component_version_uuid, asset_path)
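Review bot: In `LibraryComponentDraftAssetView.get`, `api.get_component_from_usage_key(usage_key)` runs before any per-library permission check visible in this section, so `@view_auth_classes()` is the only gate ahead of the lookup. If library access is enforced inside `get_component_version_asset` (its body is collapsed here, so this is an assumption), an authenticated user with no access to the library gets a 404 for a missing block and a different response for an existing one, which discloses whether the block exists. Consider checking view permission on the usage key's library before resolving the draft version, or returning the same response in both cases. A one-line comment on each class would also make the split explicit, e.g. `# view_auth_classes() authenticates only; library access must be checked in get_component_version_asset`.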
