[PATCH v6 03/10] REST: Add Projects to the API

Finucane, Stephen stephen.finucane at intel.com
Mon Jun 20 05:21:10 AEST 2016


On 16 Jun 16:13, Andy Doan wrote:
> This exports projects via the REST API.
> 
> Security Constraints:
>  * Anyone (logged in or not) can read all objects.
>  * No one can create/delete objects.
>  * Project maintainers are allowed to update (ie "patch"
>    attributes)
> 
> Signed-off-by: Andy Doan <andy.doan at linaro.org>
> Inspired-by: Damien Lespiau <damien.lespiau at intel.com>
> Reviewed-by: Stephen Finucane <stephen.finucane at intel.com>

Still OK, though I have to make some changes to the tests when
running the entire test suite (rather than just the REST API tests).

Stephen

> +    def test_detail(self):
> +        """Validate we can get a specific project."""
> +        defaults.project.save()
> +        resp = self.client.get(self.api_url(1))

I changed the above to use 'self.api_url(defaults.project.id)'. As it
was, you couldn't be sure that there wouldn't be existing project
objects.

> +        self.assertEqual(status.HTTP_200_OK, resp.status_code)
> +        self.assertEqual(defaults.project.name, resp.data['name'])
> +
> +    def test_anonymous_create(self):
> +        """Ensure anonymous POST operations are rejected."""
> +        defaults.project.save()
> +        resp = self.client.post(
> +            self.api_url(),
> +            {'linkname': 'l', 'name': 'n', 'listid': 'l', 'listemail': 'e'})
> +        self.assertEqual(status.HTTP_403_FORBIDDEN, resp.status_code)
> +
> +    def test_anonymous_update(self):
> +        """Ensure anonymous "PATCH" operations are rejected."""
> +        defaults.project.save()
> +        resp = self.client.patch(self.api_url(1), {'linkname': 'foo'})
> +        self.assertEqual(status.HTTP_403_FORBIDDEN, resp.status_code)
> +
> +    def test_anonymous_delete(self):
> +        """Ensure anonymous "DELETE" operations are rejected."""
> +        defaults.project.save()
> +        resp = self.client.delete(self.api_url(1))
> +        self.assertEqual(status.HTTP_403_FORBIDDEN, resp.status_code)
> +
> +    def test_create(self):
> +        """Ensure creations are rejected."""
> +        defaults.project.save()
> +
> +        user = create_maintainer(defaults.project)
> +        user.is_superuser = True
> +        user.save()
> +        self.client.force_authenticate(user=user)
> +        resp = self.client.post(
> +            self.api_url(),
> +            {'linkname': 'l', 'name': 'n', 'listid': 'l', 'listemail': 'e'})
> +        self.assertEqual(status.HTTP_403_FORBIDDEN, resp.status_code)
> +
> +    def test_update(self):
> +        """Ensure updates can be performed maintainers."""
> +        defaults.project.save()
> +
> +        # A maintainer can update
> +        user = create_maintainer(defaults.project)
> +        self.client.force_authenticate(user=user)
> +        resp = self.client.patch(self.api_url(1), {'linkname': 'TEST'})

Ditto.

> +        self.assertEqual(status.HTTP_200_OK, resp.status_code)
> +
> +        # A normal user can't
> +        user = create_user()
> +        self.client.force_authenticate(user=user)
> +        resp = self.client.patch(self.api_url(1), {'linkname': 'TEST'})
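Review bot: test_update exercises only a maintainer of `defaults.project` and a plain user, so nothing visible here pins the case the "project maintainers are allowed to update" constraint depends on most: a maintainer of a different project patching this one. The quoted patch is trimmed, so that case may be covered outside what is shown; if it is not, add a third step such as `user = create_maintainer(other_project)` (`other_project` is a placeholder for a second saved project), repeat the `patch` call, and expect `status.HTTP_403_FORBIDDEN`. The maintainer branch also asserts only the 200 status; re-reading the project and checking that `linkname` is now 'TEST' would show the write was applied rather than accepted and ignored. The docstring is missing a word and should read `"""Ensure updates can be performed by maintainers."""`. test_update's body continues past the last quoted line.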

Ditto.

