[RFC 2/2] REST: Add Projects to the REST API

Andy Doan andy.doan at linaro.org
Thu Mar 17 03:13:27 AEDT 2016 

This exports projects via the REST API.

Security Constraints:
 * Anyone (logged in or not) can read all projects.
 * Only admins can create/delete projects.
 * Project maintainers are allowed to update (ie "patch" project
   attributes)

Signed-off-by: Andy Doan <andy.doan at linaro.org>
Inspired-by: Damien Lespiau <damien.lespiau at intel.com>
---
 patchwork/tests/test_rest_api.py | 126 +++++++++++++++++++++++++++++++++++++++
 patchwork/views/rest_api.py      |  32 +++++++++-
 2 files changed, 157 insertions(+), 1 deletion(-)
 create mode 100644 patchwork/tests/test_rest_api.py

diff --git a/patchwork/tests/test_rest_api.py b/patchwork/tests/test_rest_api.py
new file mode 100644
index 0000000..64c7615
--- /dev/null
+++ b/patchwork/tests/test_rest_api.py
@@ -0,0 +1,126 @@
+# Patchwork - automated patch tracking system
+# Copyright (C) 2008 Jeremy Kerr <jk at ozlabs.org>
+# Copyright (C) 2016 Linaro Corporation
+#
+# This file is part of the Patchwork package.
+#
+# Patchwork is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Patchwork is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Patchwork; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+import unittest
+
+from django.conf import settings
+from django.test import TestCase
+
+from rest_framework.test import APIClient
+
+from patchwork.models import Project
+from patchwork.tests.utils import defaults, create_maintainer, create_user
+
+
+ at unittest.skipUnless(settings.ENABLE_REST_API, 'requires ENABLE_REST_API')
+class TestProjectAPI(TestCase):
+    fixtures = ['default_states']
+
+    def test_list_simple(self):
+        """Validate we can list the default test project."""
+        defaults.project.save()
+        client = APIClient()
+        resp = client.get('/api/1.0/projects/')
+        self.assertEqual(200, resp.status_code)
+        self.assertEqual(1, len(resp.data))
+        proj = resp.data[0]
+        self.assertEqual(defaults.project.linkname, proj['linkname'])
+        self.assertEqual(defaults.project.name, proj['name'])
+        self.assertEqual(defaults.project.listid, proj['listid'])
+
+    def test_get(self):
+        """Validate we can get a specific project."""
+        defaults.project.save()
+        client = APIClient()
+        resp = client.get('/api/1.0/projects/1/')
+        self.assertEqual(200, resp.status_code)
+        self.assertEqual(defaults.project.name, resp.data['name'])
+
+    def test_anonymous_writes(self):
+        """Ensure anonymous "write" operations are rejected."""
+        defaults.project.save()
+        client = APIClient()
+        # create
+        resp = client.post(
+            '/api/1.0/projects/',
+            {'linkname': 'l', 'name': 'n', 'listid': 'l', 'listemail': 'e'})
+        self.assertEqual(403, resp.status_code)
+        # update
+        resp = client.patch('/api/1.0/projects/1/', {'linkname': 'foo'})
+        self.assertEqual(403, resp.status_code)
+        # delete
+        resp = client.delete('/api/1.0/projects/1/')
+        self.assertEqual(403, resp.status_code)
+
+    def test_create(self):
+        """Ensure creations can be performed admins."""
+        defaults.project.save()
+        client = APIClient()
+
+        user = create_maintainer(defaults.project)
+        client.force_authenticate(user=user)
+        resp = client.post(
+            '/api/1.0/projects/',
+            {'linkname': 'l', 'name': 'n', 'listid': 'l', 'listemail': 'e'})
+        self.assertEqual(403, resp.status_code)
+
+        user.is_superuser = True
+        user.save()
+        client.force_authenticate(user=user)
+        resp = client.post(
+            '/api/1.0/projects/',
+            {'linkname': 'l', 'name': 'n', 'listid': 'l', 'listemail': 'e'})
+        self.assertEqual(201, resp.status_code)
+        self.assertEqual(2, Project.objects.all().count())
+
+    def test_update(self):
+        """Ensure updates can be performed maintainers."""
+        defaults.project.save()
+        client = APIClient()
+
+        # A maintainer can update
+        user = create_maintainer(defaults.project)
+        client.force_authenticate(user=user)
+        resp = client.patch('/api/1.0/projects/1/', {'linkname': 'TEST'})
+        self.assertEqual(200, resp.status_code)
+
+        # A normal user can't
+        user = create_user()
+        client.force_authenticate(user=user)
+        resp = client.patch('/api/1.0/projects/1/', {'linkname': 'TEST'})
+        self.assertEqual(403, resp.status_code)
+
+    def test_delete(self):
+        """Ensure deletions can be performed admins."""
+        defaults.project.save()
+        client = APIClient()
+
+        # A maintainer can't remove a project
+        user = create_maintainer(defaults.project)
+        client.force_authenticate(user=user)
+        resp = client.delete('/api/1.0/projects/1/')
+        self.assertEqual(403, resp.status_code)
+
+        # An admin can
+        user.is_superuser = True
+        user.save()
+        client.force_authenticate(user=user)
+        resp = client.delete('/api/1.0/projects/1/')
+        self.assertEqual(204, resp.status_code)
diff --git a/patchwork/views/rest_api.py b/patchwork/views/rest_api.py
index a39bcf4..20d4523 100644
--- a/patchwork/views/rest_api.py
+++ b/patchwork/views/rest_api.py
@@ -18,6 +18,36 @@
 # along with Patchwork; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 
-from rest_framework import routers
+from patchwork.models import Project
+
+from rest_framework import permissions, routers, serializers, viewsets
+
+
+class MaintainerPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        if request.method in ('POST', 'DELETE'):
+            # only administrators can create and delete entities
+            user = request.user
+            return user.is_authenticated() and user.is_superuser
+        return super(MaintainerPermission, self).has_permission(request, view)
+
+    def has_object_permission(self, request, view, obj):
+        # read only for everyone
+        if request.method in permissions.SAFE_METHODS:
+            return True
+        return obj.is_editable(request.user)
+
+
+class ProjectSerializer(serializers.HyperlinkedModelSerializer):
+    class Meta:
+        model = Project
+
+
+class ProjectViewSet(viewsets.ModelViewSet):
+    permission_classes = (MaintainerPermission, )
+    queryset = Project.objects.all()
+    serializer_class = ProjectSerializer
+
 
 router = routers.DefaultRouter()
+router.register('projects', ProjectViewSet)
-- 
2.7.0

More information about the Patchwork mailing list