API V3: add IsAuthenticated to permissions (#10452)

This isn't a security vulnerability,
we were filtering by the current user.

This was just causing errors, since we were expecting
a real user in some queries.

These views are used in .com only, so I have added tests there.

Ref https://read-the-docs.sentry.io/issues/4261898141/?alert_rule_id=242443&alert_timestamp=1687234764178&alert_type=email&environment=production&project=161479&referrer=alert_email

Author: stsewd

readthedocs/api/v3/tests/test_builds.py

@@ -19,26 +19,36 @@
 class BuildsEndpointTests(APIEndpointMixin):
 
     def test_projects_builds_list(self):
-        self.client.credentials(HTTP_AUTHORIZATION=f'Token {self.token.key}')
-        response = self.client.get(
-            reverse(
-                'projects-builds-list',
-                kwargs={
-                    'parent_lookup_project__slug': self.project.slug,
-                }),
+        url = reverse(
+            "projects-builds-list",
+            kwargs={
+                "parent_lookup_project__slug": self.project.slug,
+            },
         )
+
+        self.client.logout()
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 401)
+
+        self.client.credentials(HTTP_AUTHORIZATION=f"Token {self.token.key}")
+        response = self.client.get(url)
         self.assertEqual(response.status_code, 200)
 
     def test_projects_builds_detail(self):
-        self.client.credentials(HTTP_AUTHORIZATION=f'Token {self.token.key}')
-        response = self.client.get(
-            reverse(
-                'projects-builds-detail',
-                kwargs={
-                    'parent_lookup_project__slug': self.project.slug,
-                    'build_pk': self.build.pk,
-                }),
+        url = reverse(
+            "projects-builds-detail",
+            kwargs={
+                "parent_lookup_project__slug": self.project.slug,
+                "build_pk": self.build.pk,
+            },
         )
+
+        self.client.logout()
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 401)
+
+        self.client.credentials(HTTP_AUTHORIZATION=f"Token {self.token.key}")
+        response = self.client.get(url)
         self.assertEqual(response.status_code, 200)
 
         self.assertDictEqual(
@@ -47,16 +57,21 @@ def test_projects_builds_detail(self):
         )
 
     def test_projects_versions_builds_list_post(self):
-        self.client.credentials(HTTP_AUTHORIZATION=f'Token {self.token.key}')
-        self.assertEqual(self.project.builds.count(), 1)
-        response = self.client.post(
-            reverse(
-                'projects-versions-builds-list',
-                kwargs={
-                    'parent_lookup_project__slug': self.project.slug,
-                    'parent_lookup_version__slug': self.version.slug,
-                }),
+        url = reverse(
+            "projects-versions-builds-list",
+            kwargs={
+                "parent_lookup_project__slug": self.project.slug,
+                "parent_lookup_version__slug": self.version.slug,
+            },
         )
+
+        self.client.logout()
+        response = self.client.post(url)
+        self.assertEqual(response.status_code, 401)
+
+        self.client.credentials(HTTP_AUTHORIZATION=f"Token {self.token.key}")
+        self.assertEqual(self.project.builds.count(), 1)
+        response = self.client.post(url)
         self.assertEqual(response.status_code, 202)
         self.assertEqual(self.project.builds.count(), 2)
 

readthedocs/api/v3/tests/test_environmentvariables.py

@@ -132,15 +132,19 @@ def test_projects_environmentvariables_list_post(self):
         )
 
     def test_projects_environmentvariables_detail_delete(self):
-        self.assertEqual(self.project.environmentvariable_set.count(), 1)
-        self.client.credentials(HTTP_AUTHORIZATION=f'Token {self.token.key}')
-        response = self.client.delete(
-            reverse(
-                'projects-environmentvariables-detail',
-                kwargs={
-                    'parent_lookup_project__slug': self.project.slug,
-                    'environmentvariable_pk': self.environmentvariable.pk,
-                }),
+        url = reverse(
+            "projects-environmentvariables-detail",
+            kwargs={
+                "parent_lookup_project__slug": self.project.slug,
+                "environmentvariable_pk": self.environmentvariable.pk,
+            },
         )
+        self.client.logout()
+        response = self.client.delete(url)
+        self.assertEqual(response.status_code, 401)
+
+        self.assertEqual(self.project.environmentvariable_set.count(), 1)
+        self.client.credentials(HTTP_AUTHORIZATION=f"Token {self.token.key}")
+        response = self.client.delete(url)
         self.assertEqual(response.status_code, 204)
         self.assertEqual(self.project.environmentvariable_set.count(), 0)

readthedocs/api/v3/tests/test_projects.py

@@ -18,10 +18,14 @@
 class ProjectsEndpointTests(APIEndpointMixin):
 
     def test_projects_list(self):
+        url = reverse("projects-list")
+
+        self.client.logout()
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 401)
+
         self.client.credentials(HTTP_AUTHORIZATION=f'Token {self.token.key}')
-        response = self.client.get(
-            reverse('projects-list'),
-        )
+        response = self.client.get(url)
         self.assertEqual(response.status_code, 200)
         self.assertDictEqual(
             response.json(),
@@ -96,21 +100,26 @@ def test_projects_list_filter_miss(self):
         )
 
     def test_own_projects_detail(self):
-        self.client.credentials(HTTP_AUTHORIZATION=f'Token {self.token.key}')
-        response = self.client.get(
-            reverse(
-                'projects-detail',
-                kwargs={
-                    'project_slug': self.project.slug,
-                }),
-            {
-                'expand': (
-                    'active_versions,'
-                    'active_versions.last_build,'
-                    'active_versions.last_build.config'
-                ),
+        url = reverse(
+            "projects-detail",
+            kwargs={
+                "project_slug": self.project.slug,
             },
         )
+        data = {
+            "expand": (
+                "active_versions,"
+                "active_versions.last_build,"
+                "active_versions.last_build.config"
+            ),
+        }
+
+        self.client.logout()
+        response = self.client.get(url, data)
+        self.assertEqual(response.status_code, 401)
+
+        self.client.credentials(HTTP_AUTHORIZATION=f"Token {self.token.key}")
+        response = self.client.get(url, data)
         self.assertEqual(response.status_code, 200)
 
         self.assertDictEqual(
@@ -173,15 +182,20 @@ def test_own_projects_detail_privacy_levels_enabled(self):
 
     def test_projects_superproject(self):
         self._create_subproject()
-        self.client.credentials(HTTP_AUTHORIZATION=f'Token {self.token.key}')
-        response = self.client.get(
-            reverse(
-                'projects-superproject',
-                kwargs={
-                    'project_slug': self.subproject.slug,
-                },
-            ),
+
+        url = reverse(
+            "projects-superproject",
+            kwargs={
+                "project_slug": self.subproject.slug,
+            },
         )
+
+        self.client.logout()
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 401)
+
+        self.client.credentials(HTTP_AUTHORIZATION=f"Token {self.token.key}")
+        response = self.client.get(url)
         self.assertEqual(response.status_code, 200)
 
         self.assertDictEqual(
@@ -247,9 +261,14 @@ def test_import_project(self):
             "programming_language": "py",
             "tags": ["test tag", "template tag"],
         }
+        url = reverse("projects-list")
+
+        self.client.logout()
+        response = self.client.post(url, data)
+        self.assertEqual(response.status_code, 401)
 
         self.client.credentials(HTTP_AUTHORIZATION=f'Token {self.token.key}')
-        response = self.client.post(reverse('projects-list'), data)
+        response = self.client.post(url, data)
         self.assertEqual(response.status_code, 201)
 
         query = Project.objects.filter(slug='test-project')
@@ -381,17 +400,19 @@ def test_update_project(self):
             "single_version": True,
             "external_builds_enabled": True,
         }
+        url = reverse(
+            "projects-detail",
+            kwargs={
+                "project_slug": self.project.slug,
+            },
+        )
+
+        self.client.logout()
+        response = self.client.put(url, data)
+        self.assertEqual(response.status_code, 401)
 
         self.client.credentials(HTTP_AUTHORIZATION=f'Token {self.token.key}')
-        response = self.client.put(
-            reverse(
-                'projects-detail',
-                kwargs={
-                    'project_slug': self.project.slug,
-                },
-            ),
-            data,
-        )
+        response = self.client.put(url, data)
         self.assertEqual(response.status_code, 204)
 
         self.project.refresh_from_db()
@@ -422,16 +443,19 @@ def test_partial_update_project(self):
             "tags": ["partial tags", "updated"],
         }
 
-        self.client.credentials(HTTP_AUTHORIZATION=f'Token {self.token.key}')
-        response = self.client.patch(
-            reverse(
-                'projects-detail',
-                kwargs={
-                    'project_slug': self.project.slug,
-                },
-            ),
-            data,
+        url = reverse(
+            "projects-detail",
+            kwargs={
+                "project_slug": self.project.slug,
+            },
         )
+
+        self.client.logout()
+        response = self.client.patch(url, data)
+        self.assertEqual(response.status_code, 401)
+
+        self.client.credentials(HTTP_AUTHORIZATION=f"Token {self.token.key}")
+        response = self.client.patch(url, data)
         self.assertEqual(response.status_code, 204)
 
         self.project.refresh_from_db()

readthedocs/api/v3/tests/test_redirects.py

@@ -170,23 +170,25 @@ def test_projects_redirects_type_sphinx_html_list_post(self):
 
 
     def test_projects_redirects_detail_put(self):
+        url = reverse(
+            "projects-redirects-detail",
+            kwargs={
+                "parent_lookup_project__slug": self.project.slug,
+                "redirect_pk": self.redirect.pk,
+            },
+        )
         data = {
             'from_url': '/changed/',
             'to_url': '/toanother/',
             'type': 'page',
         }
 
+        self.client.logout()
+        response = self.client.put(url, data)
+        self.assertEqual(response.status_code, 401)
+
         self.client.credentials(HTTP_AUTHORIZATION=f'Token {self.token.key}')
-        response = self.client.put(
-            reverse(
-                'projects-redirects-detail',
-                kwargs={
-                    'parent_lookup_project__slug': self.project.slug,
-                    'redirect_pk': self.redirect.pk,
-                },
-            ),
-            data,
-        )
+        response = self.client.put(url, data)
         self.assertEqual(response.status_code, 200)
 
         response_json = response.json()
@@ -197,16 +199,20 @@ def test_projects_redirects_detail_put(self):
         )
 
     def test_projects_redirects_detail_delete(self):
-        self.assertEqual(self.project.redirects.count(), 1)
-        self.client.credentials(HTTP_AUTHORIZATION=f'Token {self.token.key}')
-        response = self.client.delete(
-            reverse(
-                'projects-redirects-detail',
-                kwargs={
-                    'parent_lookup_project__slug': self.project.slug,
-                    'redirect_pk': self.redirect.pk,
-                },
-            ),
+        url = reverse(
+            "projects-redirects-detail",
+            kwargs={
+                "parent_lookup_project__slug": self.project.slug,
+                "redirect_pk": self.redirect.pk,
+            },
         )
+
+        self.client.logout()
+        response = self.client.delete(url)
+        self.assertEqual(response.status_code, 401)
+
+        self.assertEqual(self.project.redirects.count(), 1)
+        self.client.credentials(HTTP_AUTHORIZATION=f"Token {self.token.key}")
+        response = self.client.delete(url)
         self.assertEqual(response.status_code, 204)
         self.assertEqual(self.project.redirects.count(), 0)

readthedocs/api/v3/tests/test_remoteorganizations.py

@@ -36,10 +36,14 @@ def setUp(self):
         )
 
     def test_remote_organization_list(self):
-        self.client.credentials(HTTP_AUTHORIZATION=f'Token {self.token.key}')
-        response = self.client.get(
-            reverse('remoteorganizations-list')
-        )
+        url = reverse("remoteorganizations-list")
+
+        self.client.logout()
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 401)
+
+        self.client.credentials(HTTP_AUTHORIZATION=f"Token {self.token.key}")
+        response = self.client.get(url)
         self.assertEqual(response.status_code, 200)
 
         self.assertDictEqual(

readthedocs/api/v3/tests/test_remoterepositories.py

@@ -66,16 +66,15 @@ def setUp(self):
         )
 
     def test_remote_repository_list(self):
-        self.client.credentials(HTTP_AUTHORIZATION=f'Token {self.token.key}')
-        response = self.client.get(
-            reverse('remoterepositories-list'),
-            {
-                'expand': (
-                    'projects,'
-                    'remote_organization'
-                )
-            }
-        )
+        url = reverse("remoterepositories-list")
+        data = {"expand": ("projects," "remote_organization")}
+
+        self.client.logout()
+        response = self.client.get(url, data)
+        self.assertEqual(response.status_code, 401)
+
+        self.client.credentials(HTTP_AUTHORIZATION=f"Token {self.token.key}")
+        response = self.client.get(url, data)
         self.assertEqual(response.status_code, 200)
 
         self.assertDictEqual(