From a2df6ff7bdfe0e739a2032e691ec1150354873cc Mon Sep 17 00:00:00 2001
From: Christian Cueni
Date: Thu, 27 May 2021 09:52:06 +0200
Subject: [PATCH] Update middleware & tests
---
 server/core/tests/test_api.py | 7 +++----
 server/core/utils.py | 3 +++
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/server/core/tests/test_api.py b/server/core/tests/test_api.py
index c61e8325..4df982cc 100644
--- a/server/core/tests/test_api.py
+++ b/server/core/tests/test_api.py
@@ -16,11 +16,10 @@ class ApiAccessTestCase(TestCase):
     def test_graphqlEndpoint_shouldNotBeAccessibleWithoutLogin(self):
         c = Client()
         response = c.post('/api/graphql/', data=self.query, content_type='application/json')
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, '/login?next=/api/graphql/')
+        self.assertEqual(response.status_code, 402)
 
-    def test_graphqlEndpoint_shouldBeAccessibleWithLogin(self):
-        UserFactory(username='admin')
+    def test_graphqlEndpoint_shouldBeAccessibleForSuperUser(self):
+        UserFactory(username='admin', is_staff=True, is_active=True, is_superuser=True)
         c = Client()
         c.login(username='admin', password='test')
 
diff --git a/server/core/utils.py b/server/core/utils.py
index d27b8ca3..526c931a 100644
--- a/server/core/utils.py
+++ b/server/core/utils.py
@@ -28,6 +28,9 @@ def is_private_api_call_allowed(user, body):
     # logged in users should only be able to access all resources if they have a valid license
     # logged in users without valid license have only access to logout, me & coupon mutations
 
+    if user.is_superuser:
+        return True
+
     body_unicode = body.decode('utf-8')
     try:
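Review bot: The anonymous-client test now pins `self.assertEqual(response.status_code, 402)`, which makes an unauthenticated request indistinguishable from a logged-in user without a valid license, and the dropped `response.url` assertion was the only check that such a client is actually sent to the login page; 401 or 403 is the conventional answer for a missing login. The middleware that produces the 402 is not in this hunk, so this may be deliberate — if so, a one-line comment on the assertion stating that anonymous and unlicensed callers are intentionally both answered with 402 would stop the next reader from "fixing" it. Renaming the second test to `test_graphqlEndpoint_shouldBeAccessibleForSuperUser` also removes the only test for an ordinary logged-in user, so neither the license path nor the negative case (a logged-in `is_staff=True` user who is not a superuser and should still be refused) is exercised here; one test per case would keep the superuser bypass from regressing silently. The body of the renamed test continues past the end of the hunk.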