refactor: update view_auth_classes decorator to include permission checks for authenticated users

BryanttV · BryanttV · commit edca9e8cc6a3 · 2025-10-03T19:09:18.000-05:00
diff --git a/openedx_authz/rest_api/utils.py b/openedx_authz/rest_api/utils.py
@@ -4,27 +4,30 @@
 from django.db.models import Q
 from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
 from edx_rest_framework_extensions.auth.session.authentication import SessionAuthenticationAllowInactiveUser
+from rest_framework.permissions import IsAuthenticated
 
 User = get_user_model()
 
 
-def view_auth_classes(func_or_class):
+def view_auth_classes(is_authenticated=True):
     """
-    Function and class decorator that abstracts the authentication classes for api views.
+    Function and class decorator that abstracts the authentication and permission checks for api views.
     """
 
     def _decorator(func_or_class):
         """
-        Requires either OAuth2 or Session-based authentication;
-        are the same authentication classes used on edx-platform
+        Requires either OAuth2 or Session-based authentication.
         """
         func_or_class.authentication_classes = (
             JwtAuthentication,
             SessionAuthenticationAllowInactiveUser,
         )
+        func_or_class.permission_classes = ()
+        if is_authenticated:
+            func_or_class.permission_classes += (IsAuthenticated,)
         return func_or_class
 
-    return _decorator(func_or_class)
+    return _decorator
 
 
 def get_user_by_username_or_email(username_or_email: str) -> User:
diff --git a/openedx_authz/rest_api/v1/views.py b/openedx_authz/rest_api/v1/views.py
@@ -11,7 +11,6 @@
 from django.contrib.auth import get_user_model
 from django.http import HttpRequest
 from rest_framework import status
-from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -34,7 +33,7 @@
 User = get_user_model()
 
 
-@view_auth_classes
+@view_auth_classes()
 class PermissionValidationView(APIView):
     """
     API view for validating user permissions against authorization policies.
@@ -44,8 +43,6 @@ class PermissionValidationView(APIView):
     Supports batch permission validation through POST request.
     """
 
-    permission_classes = [IsAuthenticated]
-
     @apidocs.schema(
         body=PermissionValidationSerializer(help_text="The permissions to validate", many=True),
         responses={
@@ -81,13 +78,12 @@ def post(self, request: HttpRequest) -> Response:
         return Response(serializer.data, status=status.HTTP_200_OK)
 
 
-@view_auth_classes
+@view_auth_classes()
 class RoleUserAPIView(APIView):
     """
     API view for managing user-role assignments within specific scope.
     """
 
-    permission_classes = [IsAuthenticated]
     pagination_class = AuthZAPIViewPagination
 
     @apidocs.schema(
@@ -187,13 +183,12 @@ def delete(self, request: HttpRequest) -> Response:
         return Response(response_data, status=status.HTTP_207_MULTI_STATUS)
 
 
-@view_auth_classes
+@view_auth_classes()
 class RoleListView(APIView):
     """
     API view for retrieving role definitions and their associated permissions.
     """
 
-    permission_classes = [IsAuthenticated]
     pagination_class = AuthZAPIViewPagination
 
     @apidocs.schema(
