header = settings.HTTP_REMOTE_USER_HEADER_NAME
+ def process_request(self, request: HttpRequest) -> None:
+ # If remote user auth is enabled only for the frontend, not the API,
+ # then we need dont want to authenticate the user for API requests.
+ if (
+ "/api/" in request.path
+ and "paperless.auth.PaperlessRemoteUserAuthentication"
+ not in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
+ ):
+ return
+ return super().process_request(request)
+
class PaperlessRemoteUserAuthentication(authentication.RemoteUserAuthentication):
"""
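Review bot: The API exemption `"/api/" in request.path` is a substring test, so whether the middleware skips header authentication depends on `/api/` appearing anywhere in the URL rather than on the request being routed to the REST API. If any API view is reachable under a path without that segment, the header would still log the user in and a session-based authenticator could then accept the request; conversely, a frontend URL that happens to contain `/api/` loses remote-user login. Anchoring the check, e.g. `request.path_info.startswith("/api/")`, would make the boundary explicit, assuming the API is mounted at that prefix (the URL configuration is not visible here). The lookup `settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]` also raises `KeyError` when a deployment overrides `REST_FRAMEWORK` without that key, whereas `.get("DEFAULT_AUTHENTICATION_CLASSES", [])` would leave header auth off for API paths. The enclosing middleware class begins outside the hunk, and the comment's "we need dont want" should read "we don't want".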
from unittest import mock
from django.contrib.auth.models import User
+from django.test import override_settings
from rest_framework import status
from rest_framework.test import APITestCase
self.assertEqual(response.status_code, status.HTTP_200_OK)
+ @override_settings(
+ REST_FRAMEWORK={
+ "DEFAULT_AUTHENTICATION_CLASSES": [
+ "rest_framework.authentication.BasicAuthentication",
+ "rest_framework.authentication.TokenAuthentication",
+ "rest_framework.authentication.SessionAuthentication",
+ ],
+ },
+ )
+ def test_remote_user_api_disabled(self):
+ """
+ GIVEN:
+ - Configured user
+ - Remote user auth enabled for frontend but disabled for the API
+ - Note that REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] is set in settings.py in production
+ WHEN:
+ - API call is made to get documents
+ THEN:
+ - Call fails
+ """
+ response = self.client.get(
+ "/api/documents/",
+ headers={
+ "Remote-User": self.user.username,
+ },
+ )
+
+ self.assertIn(
+ response.status_code,
+ [status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN],
+ )
+
def test_remote_user_header_setting(self):
"""
GIVEN:
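Review bot: `test_remote_user_api_disabled` pins only the rejected API call, so the other half of the new `process_request` branch is untested under this override: a non-API request carrying `Remote-User` should still be authenticated by the middleware. Adding one such request, here or in a sibling test, would catch a regression where the path check becomes too broad. The docstring could also state why the middleware is involved, e.g. `SessionAuthentication stays enabled, so a user logged in by the remote-user middleware would otherwise be accepted by the API` (this reflects how DRF session auth reads the request user; confirm against the project's setup). The surrounding test class starts outside the hunk.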