remove deprecated api csrf argument

2025-11-10 14:03:12 +00:00 · 2025-11-09 12:46:22 +01:00
parent 02f7e10729
commit 2e9e1b6a78
10 changed files with 66 additions and 44 deletions
--- a/sas/api.py
+++ b/sas/api.py
@@ -8,7 +8,6 @@ from ninja.security import SessionAuth
 from ninja_extra import ControllerBase, api_controller, paginate, route
 from ninja_extra.exceptions import NotFound, PermissionDenied
 from ninja_extra.pagination import PageNumberPaginationExtra
-from ninja_extra.permissions import IsAuthenticated
 from ninja_extra.schemas import PaginatedResponseSchema
 from pydantic import NonNegativeInt

@@ -41,7 +40,6 @@ class AlbumController(ControllerBase):
    @route.get(
        "/search",
        response=PaginatedResponseSchema[AlbumSchema],
-        permissions=[IsAuthenticated],
        url_name="search-album",
    )
    @paginate(PageNumberPaginationExtra, page_size=50)
@@ -74,12 +72,7 @@ class AlbumController(ControllerBase):

@api_controller("/sas/picture")
 class PicturesController(ControllerBase):
-    @route.get(
-        "",
-        response=PaginatedResponseSchema[PictureSchema],
-        permissions=[IsAuthenticated],
-        url_name="pictures",
-    )
+    @route.get("", response=PaginatedResponseSchema[PictureSchema], url_name="pictures")
    @paginate(PageNumberPaginationExtra, page_size=100)
    def fetch_pictures(self, filters: Query[PictureFilterSchema]):
        """Find pictures viewable by the user corresponding to the given filters.
@@ -141,7 +134,7 @@ class PicturesController(ControllerBase):

    @route.get(
        "/{picture_id}/identified",
-        permissions=[IsAuthenticated, CanView],
+        permissions=[CanView],
        response=list[IdentifiedUserSchema],
    )
    def fetch_identifications(self, picture_id: int):
@@ -149,7 +142,7 @@ class PicturesController(ControllerBase):
        picture = self.get_object_or_exception(Picture, pk=picture_id)
        return picture.people.select_related("user")

-    @route.put("/{picture_id}/identified", permissions=[IsAuthenticated, CanView])
+    @route.put("/{picture_id}/identified", permissions=[CanView])
    def identify_users(self, picture_id: NonNegativeInt, users: set[NonNegativeInt]):
        picture = self.get_object_or_exception(
            Picture.objects.select_related("parent"), pk=picture_id
@@ -209,7 +202,7 @@ class PicturesController(ControllerBase):

@api_controller("/sas/relation", tags="User identification on SAS pictures")
 class UsersIdentifiedController(ControllerBase):
-    @route.delete("/{relation_id}", permissions=[IsAuthenticated])
+    @route.delete("/{relation_id}")
    def delete_relation(self, relation_id: NonNegativeInt):
        """Untag a user from a SAS picture.

--- a/sas/tests/test_api.py
+++ b/sas/tests/test_api.py
@@ -55,7 +55,7 @@ class TestPictureSearch(TestSas):

    def test_anonymous_user_forbidden(self):
        res = self.client.get(self.url)
-        assert res.status_code == 403
+        assert res.status_code == 401

    def test_filter_by_album(self):
        self.client.force_login(self.user_b)
@@ -148,7 +148,7 @@ class TestPictureRelation(TestSas):
        relation = PeoplePictureRelation.objects.exclude(user=self.user_a).first()

        res = self.client.delete(f"/api/sas/relation/{relation.id}")
-        assert res.status_code == 403
+        assert res.status_code == 401

        for user in baker.make(User), self.user_a:
            self.client.force_login(user)