Patch request not patching - 403 returned - django rest framework

Question

I'm trying to test an API endpoint with a patch request to ensure it works.

I'm using APILiveServerTestCase but can't seem to get the permissions required to patch the item. I created one user (adminuser) who is a superadmin with access to everything and all permissions.

My test case looks like this:

class FutureVehicleURLTest(APILiveServerTestCase):
    def setUp(self):
        # Setup users and some vehicle data we can query against
        management.call_command("create_users_and_vehicle_data", verbosity=0)
        self.user = UserFactory()
        self.admin_user = User.objects.get(username="adminuser")
        self.future_vehicle = f.FutureVehicleFactory(
            user=self.user,
            last_updated_by=self.user,
        )
        self.vehicle = f.VehicleFactory(
            user=self.user,
            created_by=self.user,
            modified_by=self.user,
        )
        self.url = reverse("FutureVehicles-list")
        self.full_url = self.live_server_url + self.url
        time = str(datetime.now())
        self.form_data = {
            "signature": "TT",
            "purchasing": True,
            "confirmed_at": time,
        }

I've tried this test a number of different ways - all giving the same result (403).

I have setup the python debugger in the test, and I have tried actually going to http://localhost:xxxxx/admin/ in the browser and logging in manually with any user but the page just refreshes when I click to login and I never get 'logged in' to see the admin. I'm not sure if that's because it doesn't completely work from within a debugger like that or not.

My test looks like this (using the Requests library):

    def test_patch_request_updates_object(self):
        data_dict = {
            "signature": "TT",
            "purchasing": "true",
            "confirmed_at": datetime.now().strftime("%m/%d/%Y, %H:%M:%S"),
        }
        url = self.full_url + str(self.future_vehicle.id) + "/"
        client = requests.Session()
        client.auth = HTTPBasicAuth(self.admin_user.username, "test")
        client.headers.update({"x-test": "true"})
        response = client.get(self.live_server_url + "/admin/")
        csrftoken = response.cookies["csrftoken"]
        # interact with the api
        response = client.patch(
            url,
            data=json.dumps(data_dict),
            cookies=response.cookies,
            headers={
                "X-Requested-With": "XMLHttpRequest",
                "X-CSRFTOKEN": csrftoken,
            },
        )
        # RESPONSE GIVES 403 PERMISSION DENIED
        fte_future_vehicle = FutureVehicle.objects.filter(
            id=self.future_vehicle.id
        ).first()
        # THIS ERRORS WITH '' not equal to 'TT'
        self.assertEqual(fte_future_vehicle.signature, "TT")

I have tried it very similarly to the documentation using APIRequestFactory and forcing authentication:

    def test_patch_request_updates_object(self):
        data_dict = {
            "signature": "TT",
            "purchasing": "true",
            "confirmed_at": datetime.now().strftime("%m/%d/%Y, %H:%M:%S"),
        }
        url = self.full_url + str(self.future_vehicle.id) + "/"
        api_req_factory = APIRequestFactory()
        view = FutureVehicleViewSet.as_view({"patch": "partial_update"})
        api_request = api_req_factory.patch(
            url, json.dumps(data_dict), content_type="application/json"
        )
        force_authenticate(api_request, self.admin_user)
        response = view(api_request, pk=self.future_assignment.id)
        fte_future_assignment = FutureVehicle.objects.filter(
            id=self.future_assignment.id
        ).first()
        self.assertEqual(fte_future_assignment.signature, "TT")

If I enter the debugger to look at the responses, it's always a 403.

The viewset itself is very simple:

class FutureVehicleViewSet(ModelViewSet):
    serializer_class = FutureVehicleSerializer

    def get_queryset(self):
        queryset = FutureVehicle.exclude_denied.all()
        user_id = self.request.query_params.get("user_id", None)
        if user_id:
            queryset = queryset.filter(user_id=user_id)
        return queryset

The serializer is just as basic as it gets - it's just the FutureVehicle model and all fields.

I just can't figure out why my user won't login - or if maybe I'm doing something wrong in my attempts to patch?

I'm pretty new to Django Rest Framework in general, so any guidances is helpful!

Edit to add - my DRF Settings look like this:

REST_FRAMEWORK = {
    "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.LimitOffsetPagination",
    "DATETIME_FORMAT": "%m/%d/%Y - %I:%M:%S %p",
    "DATE_INPUT_FORMATS": ["%Y-%m-%d"],
    "DEFAULT_AUTHENTICATION_CLASSES": [
        # Enabling this it will require Django Session (Including CSRF)
        "rest_framework.authentication.SessionAuthentication"
    ],
    "DEFAULT_PERMISSION_CLASSES": [
        # Globally only allow IsAuthenticated users access to API Endpoints
        "rest_framework.permissions.IsAuthenticated"
    ],
}

I'm certain adminuser is the user we wish to login - if I go into the debugger and check the users, they exist as a user. During creation, any user created has a password set to 'test'.

Answer 1

Recommended Solution

The test you have written is also testing the Django framework logic (ie: Django admin login). I recommend testing your own functionality, which occurs after login to the Django admin. Django's testing framework offers a helper for logging into the admin, client.login. This allows you to focus on testing your own business logic/not need to maintain internal django authentication business logic tests, which may change release to release.

from django.test import TestCase, Client


def TestCase():
   client.login(username=self.username, password=self.password)

Alternative Solution

However, if you must replicate and manage the business logic of what client.login is doing, here's some of the business logic from Django:

    def login(self, **credentials):
        """
        Set the Factory to appear as if it has successfully logged into a site.
        Return True if login is possible or False if the provided credentials
        are incorrect.
        """
        from django.contrib.auth import authenticate
        user = authenticate(**credentials)
        if user:
            self._login(user)
            return True
        return False

    def force_login(self, user, backend=None):
        def get_backend():
            from django.contrib.auth import load_backend
            for backend_path in settings.AUTHENTICATION_BACKENDS:
                backend = load_backend(backend_path)
                if hasattr(backend, 'get_user'):
                    return backend_path

        if backend is None:
            backend = get_backend()
        user.backend = backend
        self._login(user, backend)

    def _login(self, user, backend=None):
        from django.contrib.auth import login

        # Create a fake request to store login details.
        request = HttpRequest()
        if self.session:
            request.session = self.session
        else:
            engine = import_module(settings.SESSION_ENGINE)
            request.session = engine.SessionStore()
        login(request, user, backend)
        # Save the session values.
        request.session.save()
        # Set the cookie to represent the session.
        session_cookie = settings.SESSION_COOKIE_NAME
        self.cookies[session_cookie] = request.session.session_key
        cookie_data = {
            'max-age': None,
            'path': '/',
            'domain': settings.SESSION_COOKIE_DOMAIN,
            'secure': settings.SESSION_COOKIE_SECURE or None,
            'expires': None,
        }
        self.cookies[session_cookie].update(cookie_data)

References:

Django client.login: https://github.com/django/django/blob/main/django/test/client.py#L596-L646