[PATCHv2 04/10] REST: Add Persons to the API

Andy Doan andy.doan at linaro.org
Wed May 11 08:39:21 AEST 2016 

This exports person objects via the REST API.

Security Constraints:
 * The API is read-only to authenticated users

Signed-off-by: Andy Doan <andy.doan at linaro.org>
---
 patchwork/rest_serializers.py    |  7 ++++++-
 patchwork/tests/test_rest_api.py | 41 ++++++++++++++++++++++++++++++++++++++++
 patchwork/views/rest_api.py      | 26 ++++++++++++++++++++-----
 3 files changed, 68 insertions(+), 6 deletions(-)

diff --git a/patchwork/rest_serializers.py b/patchwork/rest_serializers.py
index b399d79..60633b4 100644
--- a/patchwork/rest_serializers.py
+++ b/patchwork/rest_serializers.py
@@ -17,11 +17,16 @@
 # along with Patchwork; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 
-from patchwork.models import Project
+from patchwork.models import Person, Project
 
 from rest_framework.serializers import ModelSerializer
 
 
+class PersonSerializer(ModelSerializer):
+    class Meta:
+        model = Person
+
+
 class ProjectSerializer(ModelSerializer):
     class Meta:
         model = Project
diff --git a/patchwork/tests/test_rest_api.py b/patchwork/tests/test_rest_api.py
index 693e896..06856e3 100644
--- a/patchwork/tests/test_rest_api.py
+++ b/patchwork/tests/test_rest_api.py
@@ -113,3 +113,44 @@ class TestProjectAPI(APITestCase):
         resp = self.client.delete(self.api_url(1))
         self.assertEqual(status.HTTP_403_FORBIDDEN, resp.status_code)
         self.assertEqual(1, Project.objects.all().count())
+
+
+ at unittest.skipUnless(settings.ENABLE_REST_API, 'requires ENABLE_REST_API')
+class TestPersonAPI(APITestCase):
+    fixtures = ['default_states']
+
+    def api_url(self, item=None):
+        if item is None:
+            return reverse('api_1.0:person-list')
+        return reverse('api_1.0:person-detail', args=[item])
+
+    def test_anonymous_list(self):
+        """The API should reject anonymous users."""
+        resp = self.client.get(self.api_url())
+        self.assertEqual(status.HTTP_403_FORBIDDEN, resp.status_code)
+
+    def test_authenticated_list(self):
+        """This API requires authenticated users."""
+        user = create_user()
+        self.client.force_authenticate(user=user)
+        resp = self.client.get(self.api_url())
+        self.assertEqual(status.HTTP_200_OK, resp.status_code)
+        self.assertEqual(1, resp.data['count'])
+        self.assertEqual(user.username, resp.data['results'][0]['name'])
+        self.assertEqual(user.email, resp.data['results'][0]['email'])
+
+    def test_readonly(self):
+        defaults.project.save()
+        user = create_maintainer(defaults.project)
+        user.is_superuser = True
+        user.save()
+        self.client.force_authenticate(user=user)
+
+        resp = self.client.delete(self.api_url(1))
+        self.assertEqual(status.HTTP_403_FORBIDDEN, resp.status_code)
+
+        resp = self.client.patch(self.api_url(1), {'email': 'foo at f.com'})
+        self.assertEqual(status.HTTP_403_FORBIDDEN, resp.status_code)
+
+        resp = self.client.post(self.api_url(), {'email': 'foo at f.com'})
+        self.assertEqual(status.HTTP_403_FORBIDDEN, resp.status_code)
diff --git a/patchwork/views/rest_api.py b/patchwork/views/rest_api.py
index 33fd63b..6aad9d5 100644
--- a/patchwork/views/rest_api.py
+++ b/patchwork/views/rest_api.py
@@ -17,8 +17,7 @@
 # along with Patchwork; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 
-from patchwork.models import Project
-from patchwork.rest_serializers import ProjectSerializer
+from patchwork.rest_serializers import ProjectSerializer, PersonSerializer
 
 from rest_framework import permissions
 from rest_framework.pagination import PageNumberPagination
@@ -46,12 +45,29 @@ class PatchworkPermission(permissions.BasePermission):
         return obj.is_editable(request.user)
 
 
-class ProjectViewSet(ModelViewSet):
+class AuthenticatedReadOnly(permissions.BasePermission):
+    def has_permission(self, request, view):
+        authenticated = request.user.is_authenticated()
+        return authenticated and request.method in permissions.SAFE_METHODS
+
+
+class PatchworkViewSet(ModelViewSet):
+    pagination_class = PageSizePagination
+
+    def get_queryset(self):
+        return self.serializer_class.Meta.model.objects.all()
+
+
+class PeopleViewSet(PatchworkViewSet):
+    permission_classes = (AuthenticatedReadOnly,)
+    serializer_class = PersonSerializer
+
+
+class ProjectViewSet(PatchworkViewSet):
     permission_classes = (PatchworkPermission,)
-    queryset = Project.objects.all()
     serializer_class = ProjectSerializer
-    pagination_class = PageSizePagination
 
 
 router = DefaultRouter()
+router.register('people', PeopleViewSet, 'person')
 router.register('projects', ProjectViewSet, 'project')
-- 
2.7.4

More information about the Patchwork mailing list