[API] Make the GET /resources endpoint public

[lpatmo]

Context

Right now, on the front-end, we need to pass in a token (i.e. the user needs to be logged in) before they can see a list of resource.

 axios
      .get('/api/v1/resources', {
        headers: {
          Authorization: `Bearer ${authContext.authTokens.token}`,
        },
      })

This should be true for when users are creating a resource, but the list of resources on https://cb-react-concept.netlify.com/resources should be available to the public.

Acceptance Criteria

[ ] Make GET /resources not protected by authorization
[ ] Change setup for tests to make sure we're not authed for the GET requests, but are authed for POST, PATCH, and search.
[ ] Add test to make sure GET /api/v1/resources/{{guid}}/ and GET /api/v1/resources/ requests and search work without a token
[ ] Add/alter tests for GET GET /api/v1/resources/{{guid}}/ and GET /api/v1/resources/ requests and search to ensure that they also work with a token
[ ] Add tests to make sure PATCH and POST fail without a token
[ ] Add test to make sure DEL fails without a token

[chris48s]

If you wanted to use this as an issue to walk someone through their first contribution, this should be close to a one-line change to the API code:

https://www.django-rest-framework.org/api-guide/permissions/#isauthenticatedorreadonly

from rest_framework import permissions

class ResourceView():
    permission_classes = [permissions.IsAuthenticatedOrReadOnly]
    #...

• Set up a dev environment
• Make that change
• Write a test
• Submit a PR

probably fits nicely into a 1 hour hangout.

[lpatmo]

probably fits nicely into a 1 hour hangout.

That's a GREAT idea!! I will raise it up in #codebuddies-meta.

I could actually use some guidance on how to write a test for this, heh. We're primarily testing that the GET /resources endpoint works without passing in an auth token, right?

[lpatmo]

Confirmed that IsAuthenticatedOrReadOnly works! 🎆Yay.

Updated the acceptance criteria with some ideas for tests (h/t @BethanyG for suggesting in #codebuddies-meta):

[ ] Change setup for tests to make sure we're not authed for the GET or search requests, but are authed for POST and PATCH
[ ] Add test to make sure GET /api/v1/resources/{{guid}}/ and GET /api/v1/resources/ requests and search work without a token
[ ] Add/alter tests for GET GET /api/v1/resources/{{guid}}/ and GET /api/v1/resources/ requests and search to ensure that they also work with a token
[ ] Add tests to make sure PATCH and POST fail without a token
[ ] Add test to make sure DEL fails without a token

[chris48s]

I could actually use some guidance on how to write a test for this

Reading your next post plus slack, it looks like you've already figured it out tbh :)

[lpatmo]

🤞🤞:)

[lpatmo]

PR: #134