♻️(backend) replace Django permissions with feature flag decorator

Refactor feature flag mechanism from Django permission classes to custom decorator that returns 404 Not Found when features are disabled instead of exposing API structure through permission errors. Improves security by preventing information disclosure about disabled features and provides more appropriate response semantics. Custom decorator approach is better suited for feature toggling than Django's permission system which is designed for authorization.
2025-09-08 13:17:03 +02:00
parent 58722cab00
commit 8044e3d6d8
7 changed files with 62 additions and 45 deletions
--- a/src/backend/core/tests/recording/test_api_recordings_storage_hook.py
+++ b/src/backend/core/tests/recording/test_api_recordings_storage_hook.py
@@ -77,7 +77,8 @@ def test_save_recording_permission_needed(settings, client):
        HTTP_AUTHORIZATION="Bearer testAuthToken",
    )

-    assert response.status_code == 403
+    assert response.status_code == 404
+    assert response.json() == {"detail": "Not found."}


 def test_save_recording_parsing_error(recording_settings, mock_get_parser, client):
--- a/src/backend/core/tests/rooms/test_api_rooms_start_recording.py
+++ b/src/backend/core/tests/rooms/test_api_rooms_start_recording.py
@@ -55,8 +55,9 @@ def test_start_recording_anonymous():
    assert Recording.objects.count() == 0


-def test_start_recording_non_owner_and_non_administrator():
+def test_start_recording_non_owner_and_non_administrator(settings):
    """Non-owner and Non-Administrator users should not be allowed to start room recordings."""
+    settings.RECORDING_ENABLE = True
    room = RoomFactory()
    user = UserFactory()
    client = APIClient()
@@ -88,8 +89,8 @@ def test_start_recording_recording_disabled(settings):
        {"mode": "screen_recording"},
    )

-    assert response.status_code == 403
-    assert response.json() == {"detail": "Access denied, recording is disabled."}
+    assert response.status_code == 404
+    assert response.json() == {"detail": "Not found."}
    assert Recording.objects.count() == 0


--- a/src/backend/core/tests/rooms/test_api_rooms_stop_recording.py
+++ b/src/backend/core/tests/rooms/test_api_rooms_stop_recording.py
@@ -54,8 +54,9 @@ def test_stop_recording_anonymous():
    assert Recording.objects.filter(status=RecordingStatusChoices.ACTIVE).count() == 1


-def test_stop_recording_non_owner_and_non_administrator():
+def test_stop_recording_non_owner_and_non_administrator(settings):
    """Non-owner and Non-Administrator users should not be allowed to stop room recordings."""
+    settings.RECORDING_ENABLE = True
    room = RoomFactory()
    user = UserFactory()
    RecordingFactory(room=room, status=RecordingStatusChoices.ACTIVE)
@@ -84,8 +85,8 @@ def test_stop_recording_recording_disabled(settings):

    response = client.post(f"/api/v1.0/rooms/{room.id}/stop-recording/")

-    assert response.status_code == 403
-    assert response.json() == {"detail": "Access denied, recording is disabled."}
+    assert response.status_code == 404
+    assert response.json() == {"detail": "Not found."}
    # Verify no recording exists
    assert Recording.objects.count() == 0

--- a/src/backend/core/tests/rooms/test_api_rooms_subtitle.py
+++ b/src/backend/core/tests/rooms/test_api_rooms_subtitle.py
@@ -128,8 +128,8 @@ def test_start_subtitle_disabled_by_default(mock_livekit_token):
        {"token": mock_livekit_token},
    )

-    assert response.status_code == 403
-    assert response.json() == {"detail": "Access denied, subtitles are disabled."}
+    assert response.status_code == 404
+    assert response.json() == {"detail": "Not found."}


 def test_start_subtitle_valid_token(