Merge branch 'anon-bypass-scopes' into 'master'

Ignore user scope checking for unauthenticated users

Closes #554 and #756

See merge request !1382

arkindex/images/tests/test_image_api.py

@@ -311,6 +311,16 @@ class TestImageApi(FixtureAPITestCase):
             }
         })
 
+    def test_create_iiif_image_requires_login(self):
+        response = self.client.post(
+            reverse('api:iiif-url-create'),
+            {'url': 'https://test-server.eu/images/image_path'}
+        )
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertDictEqual(response.json(), {
+            'detail': 'Authentication credentials were not provided.'
+        })
+
     def test_create_iiif_image_scope(self):
         self.assertFalse(self.user.user_scopes.filter(scope=Scope.CreateIIIFImage).exists())
         self.client.force_login(self.user)

arkindex/project/permissions.py

@@ -39,8 +39,8 @@ class UserScopePermissionMixin(object):
 
     def has_permission(self, request, view):
         scopes = self.get_scopes(view, request.method)
-        # Skip this permission mixin if there are no defined scopes or if the user is an admin
-        if not scopes or (request.user.is_authenticated and request.user.is_admin):
+        # Skip this permission mixin if there are no defined scopes, if the user is not logged in or is an admin
+        if not scopes or not request.user.is_authenticated or request.user.is_admin:
             return super().has_permission(request, view)
 
         missing_scopes = set(scopes)