[PATCH 1/2] REST: Validate patch delegate
Stephen Finucane
stephen at that.guru
Sun Oct 14 02:46:14 AEDT 2018
At present, only users who are maintainers of projects can be delegated
a project. Validate this. This is currently broken due to #216 but that
will be fixed in a future change.
Signed-off-by: Stephen Finucane <stephen at that.guru>
---
patchwork/api/patch.py | 9 +++++++++
patchwork/tests/api/test_patch.py | 18 +++++++++++++++---
2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/patchwork/api/patch.py b/patchwork/api/patch.py
index 1e647283..b9a134b1 100644
--- a/patchwork/api/patch.py
+++ b/patchwork/api/patch.py
@@ -11,6 +11,7 @@ from rest_framework.generics import RetrieveUpdateAPIView
from rest_framework.relations import RelatedField
from rest_framework.reverse import reverse
from rest_framework.serializers import SerializerMethodField
+from rest_framework.serializers import ValidationError
from patchwork.api.base import BaseHyperlinkedModelSerializer
from patchwork.api.base import PatchworkPermission
@@ -99,6 +100,14 @@ class PatchListSerializer(BaseHyperlinkedModelSerializer):
# model
return {}
+ def validate_delegate(self, value):
+ """Check that the delgate is a maintainer of the patch's project."""
+ if not self.instance.project.maintainer_project.filter(
+ id=value.id).exists():
+ raise ValidationError("User '%s' is not a maintainer for project "
+ "'%s'" % (value, self.instance.project))
+ return value
+
class Meta:
model = Patch
fields = ('id', 'url', 'web_url', 'project', 'msgid', 'date', 'name',
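Review bot: `validate_delegate` dereferences `value.id` without handling an empty value. If the delegate field accepts null (the model is not visible here, so this is an assumption), a PATCH that clears the delegate would raise AttributeError and surface as a 500 instead of being accepted. An early `if value is None: return value` at the top of the method would keep un-delegation working while still enforcing the maintainer check for real users. The docstring also has a typo and should read `"""Check that the delegate is a maintainer of the patch's project."""`. The enclosing PatchListSerializer class starts above this hunk and its Meta continues below it.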
diff --git a/patchwork/tests/api/test_patch.py b/patchwork/tests/api/test_patch.py
index 3d6dad9c..53099256 100644
--- a/patchwork/tests/api/test_patch.py
+++ b/patchwork/tests/api/test_patch.py
@@ -204,12 +204,15 @@ class TestPatchAPI(APITestCase):
# maintainer
user = create_maintainer(project)
self.client.force_authenticate(user=user)
- resp = self.client.patch(self.api_url(patch.id), {'state': state.name})
- self.assertEqual(status.HTTP_200_OK, resp.status_code)
+ resp = self.client.patch(self.api_url(patch.id), {
+ 'state': state.name, 'delegate': user.id})
+ self.assertEqual(status.HTTP_200_OK, resp.status_code, resp)
self.assertEqual(Patch.objects.get(id=patch.id).state, state)
+ # TODO(stephenfin): This is currently broken due to #216
+ # self.assertEqual(Patch.objects.get(id=patch.id).delegate, user)
def test_update_invalid(self):
- """Ensure we handle invalid Patch states."""
+ """Ensure we handle invalid Patch updates."""
project = create_project()
state = create_state()
patch = create_patch(project=project, state=state)
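Review bot: The delegate assertions are committed as commented-out code here and in the later hunk at -222 (`# invalid delegate`), so the suite never checks the rule this patch adds. In that later hunk the request for non-maintainer `user_b` is sent and its response is discarded. That rejection is an authorization check, so a regression that lets any user be set as delegate would pass unnoticed. Consider moving both delegate cases into their own test methods decorated with `@unittest.expectedFailure`, with the #216 reference in the docstring, so the assertions actually run and the tests flag themselves once #216 is fixed. The first test method starts above this hunk, and `test_update_invalid` continues past it.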
@@ -222,6 +225,15 @@ class TestPatchAPI(APITestCase):
self.assertContains(resp, 'Expected one of: %s.' % state.name,
status_code=status.HTTP_400_BAD_REQUEST)
+ # invalid delegate
+ user_b = create_user()
+ resp = self.client.patch(self.api_url(patch.id),
+ {'delegate': user_b.id})
+ # TODO(stephenfin): This is currently broken due to #216
+ # self.assertEqual(status.HTTP_400_BAD_REQUEST, resp.status_code)
+ # self.assertContains(resp, "User '%s' is not a maintainer" % user_b,
+ # status_code=status.HTTP_400_BAD_REQUEST)
+
def test_delete(self):
"""Ensure deletions are always rejected."""
project = create_project()
--
2.17.1