test: Update tests to the new return code.

When including `JwtAuthentication`, the auth_header becomes `JWT
realm="api"`. Without it, it is `None`. This changes the behavior of the
code in DRF and returns a slightly different auth response.

Relevant Code: https://github.com/encode/django-rest-framework/blob/56946fac8f29aa44ce84391f138d63c4c8a2a285/rest_framework/views.py#L456C3-L456C3

lms/djangoapps/commerce/api/v0/tests/test_views.py

@@ -307,4 +307,4 @@ def test_login_required(self):
         """ The view should return 403 if the user is not logged in. """
         self.client.logout()
         response = self.client.get(self.path)
-        assert response.status_code == 403
+        assert response.status_code == 401

openedx/core/djangoapps/embargo/tests/test_views.py

@@ -148,7 +148,7 @@ def mock_country(reader, country):
     def test_course_access_endpoint_with_logged_out_user(self):
         self.client.logout()
         response = self.client.get(self.url, data=self.request_data)
-        assert response.status_code == 403
+        assert response.status_code == 401
 
     def test_course_access_endpoint_with_non_staff_user(self):
         user = UserFactory(is_staff=False)

openedx/core/djangoapps/user_api/tests/test_views.py

@@ -150,12 +150,12 @@ def test_delete_list_not_allowed(self):
         self.assertHttpMethodNotAllowed(self.request_with_auth("delete", self.LIST_URI))
 
     def test_list_unauthorized(self):
-        self.assertHttpForbidden(self.client.get(self.LIST_URI))
+        self.assertHttpNotAuthorized(self.client.get(self.LIST_URI))
 
     @override_settings(DEBUG=True)
     @override_settings(EDX_API_KEY=None)
     def test_debug_auth(self):
-        self.assertHttpForbidden(self.client.get(self.LIST_URI))
+        self.assertHttpNotAuthorized(self.client.get(self.LIST_URI))
 
     @override_settings(DEBUG=False)
     @override_settings(EDX_API_KEY=TEST_API_KEY)
@@ -164,7 +164,7 @@ def test_basic_auth(self):
         self.assertHttpOK(
             self.request_with_auth("get", self.LIST_URI,
                                    **self.basic_auth("someuser", "somepass")))
-        self.assertHttpForbidden(
+        self.assertHttpNotAuthorized(
             self.client.get(self.LIST_URI, **self.basic_auth("someuser", "somepass")))
 
     def test_get_list_nonempty(self):
@@ -236,12 +236,12 @@ def test_delete_list_not_allowed(self):
         self.assertHttpMethodNotAllowed(self.request_with_auth("delete", self.LIST_URI))
 
     def test_list_unauthorized(self):
-        self.assertHttpForbidden(self.client.get(self.LIST_URI))
+        self.assertHttpNotAuthorized(self.client.get(self.LIST_URI))
 
     @override_settings(DEBUG=True)
     @override_settings(EDX_API_KEY=None)
     def test_debug_auth(self):
-        self.assertHttpForbidden(self.client.get(self.LIST_URI))
+        self.assertHttpNotAuthorized(self.client.get(self.LIST_URI))
 
     @override_settings(DEBUG=False)
     @override_settings(EDX_API_KEY=TEST_API_KEY)
@@ -250,7 +250,7 @@ def test_basic_auth(self):
         self.assertHttpOK(
             self.request_with_auth("get", self.LIST_URI,
                                    **self.basic_auth('someuser', 'somepass')))
-        self.assertHttpForbidden(
+        self.assertHttpNotAuthorized(
             self.client.get(self.LIST_URI, **self.basic_auth('someuser', 'somepass')))
 
     def test_get_list_nonempty(self):
@@ -303,7 +303,7 @@ def test_delete_detail_not_allowed(self):
         self.assertHttpMethodNotAllowed(self.request_with_auth("delete", self.detail_uri))
 
     def test_get_detail_unauthorized(self):
-        self.assertHttpForbidden(self.client.get(self.detail_uri))
+        self.assertHttpNotAuthorized(self.client.get(self.detail_uri))
 
     def test_get_detail(self):
         user = self.users[1]
@@ -342,12 +342,12 @@ def test_delete_list_not_allowed(self):
         self.assertHttpMethodNotAllowed(self.request_with_auth("delete", self.LIST_URI))
 
     def test_list_unauthorized(self):
-        self.assertHttpForbidden(self.client.get(self.LIST_URI))
+        self.assertHttpNotAuthorized(self.client.get(self.LIST_URI))
 
     @override_settings(DEBUG=True)
     @override_settings(EDX_API_KEY=None)
     def test_debug_auth(self):
-        self.assertHttpForbidden(self.client.get(self.LIST_URI))
+        self.assertHttpNotAuthorized(self.client.get(self.LIST_URI))
 
     def test_get_list_nonempty(self):
         result = self.get_json(self.LIST_URI)
@@ -433,7 +433,7 @@ def test_delete_detail_not_allowed(self):
         self.assertHttpMethodNotAllowed(self.request_with_auth("delete", self.detail_uri))
 
     def test_detail_unauthorized(self):
-        self.assertHttpForbidden(self.client.get(self.detail_uri))
+        self.assertHttpNotAuthorized(self.client.get(self.detail_uri))
 
     def test_get_detail(self):
         pref = self.prefs[1]
@@ -466,12 +466,12 @@ def test_delete_not_allowed(self):
         self.assertHttpMethodNotAllowed(self.request_with_auth("delete", self.LIST_URI))
 
     def test_unauthorized(self):
-        self.assertHttpForbidden(self.client.get(self.LIST_URI))
+        self.assertHttpNotAuthorized(self.client.get(self.LIST_URI))
 
     @override_settings(DEBUG=True)
     @override_settings(EDX_API_KEY=None)
     def test_debug_auth(self):
-        self.assertHttpForbidden(self.client.get(self.LIST_URI))
+        self.assertHttpNotAuthorized(self.client.get(self.LIST_URI))
 
     def test_get_basic(self):
         result = self.get_json(self.LIST_URI)
@@ -583,8 +583,8 @@ def test_update_email_opt_in_inactive_user(self):
 
     def test_update_email_opt_in_anonymous_user(self):
         """
-        Test that an anonymous user gets 403 response when
-        updating email optin preference.
+        Test that an anonymous user gets 401 response when
+        updating email opt-in preference.
         """
         self.client.logout()
         response = self.client.post(self.url, {

openedx/core/lib/api/test_utils.py

@@ -64,6 +64,10 @@ def assertHttpCreated(self, response):
         """Assert that the given response has the status code 201"""
         assert response.status_code == 201
 
+    def assertHttpNotAuthorized(self, response):
+        """Assert that the given response has the status code 401"""
+        assert response.status_code == 401
+
     def assertHttpForbidden(self, response):
         """Assert that the given response has the status code 403"""
         assert response.status_code == 403