[PATCH] REST: Don't allow settings of some project fields
Stephen Finucane
stephen at that.guru
Sun Oct 14 03:10:49 AEDT 2018
These should only be configurable by superusers as invalid configuration
can break things.
Signed-off-by: Stephen Finucane <stephen at that.guru>
---
This is a bug so I'm going to backport it as-is.
---
patchwork/api/project.py | 9 +++++----
patchwork/tests/api/test_project.py | 11 ++++++++++-
.../disable-project-fields-6412780e8de80e1c.yaml | 6 ++++++
3 files changed, 21 insertions(+), 5 deletions(-)
create mode 100644 releasenotes/notes/disable-project-fields-6412780e8de80e1c.yaml
diff --git a/patchwork/api/project.py b/patchwork/api/project.py
index deef2907..7c1682a4 100644
--- a/patchwork/api/project.py
+++ b/patchwork/api/project.py
@@ -16,9 +16,9 @@ from patchwork.models import Project
class ProjectSerializer(BaseHyperlinkedModelSerializer):
- link_name = CharField(max_length=255, source='linkname')
- list_id = CharField(max_length=255, source='listid')
- list_email = CharField(max_length=200, source='listemail')
+ link_name = CharField(max_length=255, source='linkname', read_only=True)
+ list_id = CharField(max_length=255, source='listid', read_only=True)
+ list_email = CharField(max_length=200, source='listemail', read_only=True)
maintainers = UserProfileSerializer(many=True, read_only=True,
source='maintainer_project')
@@ -27,7 +27,8 @@ class ProjectSerializer(BaseHyperlinkedModelSerializer):
fields = ('id', 'url', 'name', 'link_name', 'list_id', 'list_email',
'web_url', 'scm_url', 'webscm_url', 'maintainers',
'subject_match')
- read_only_fields = ('name', 'maintainers', 'subject_match')
+ read_only_fields = ('name', 'name', 'link_name', 'list_id',
+ 'list_email', 'maintainers', 'subject_match')
versioned_fields = {
'1.1': ('subject_match', ),
}
diff --git a/patchwork/tests/api/test_project.py b/patchwork/tests/api/test_project.py
index a4a93965..557c1e07 100644
--- a/patchwork/tests/api/test_project.py
+++ b/patchwork/tests/api/test_project.py
@@ -129,7 +129,7 @@ class TestProjectAPI(APITestCase):
def test_update(self):
"""Ensure updates can be performed by maintainers."""
project = create_project()
- data = {'linkname': 'TEST'}
+ data = {'web_url': 'TEST'}
# an anonymous user
resp = self.client.patch(self.api_url(project.id), data)
@@ -146,6 +146,15 @@ class TestProjectAPI(APITestCase):
self.client.force_authenticate(user=user)
resp = self.client.patch(self.api_url(project.id), data)
self.assertEqual(status.HTTP_200_OK, resp.status_code)
+ self.assertEqual(resp.data['web_url'], 'TEST')
+
+ # ...with the exception of some read-only fields
+ resp = self.client.patch(self.api_url(project.id), {
+ 'link_name': 'test'})
+ # NOTE(stephenfin): This actually returns HTTP 200 due to
+ # https://github.com/encode/django-rest-framework/issues/1655
+ self.assertEqual(status.HTTP_200_OK, resp.status_code)
+ self.assertNotEqual(resp.data['link_name'], 'test')
def test_delete(self):
"""Ensure deletions are rejected."""
diff --git a/releasenotes/notes/disable-project-fields-6412780e8de80e1c.yaml b/releasenotes/notes/disable-project-fields-6412780e8de80e1c.yaml
new file mode 100644
index 00000000..c429f546
--- /dev/null
+++ b/releasenotes/notes/disable-project-fields-6412780e8de80e1c.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ A project's ``list_email``, ``list_id`` and ``link_name`` fields can no
+ longer be updated by via the REST API. This is a superuser-only operation
+ that, for now, should only be done via the admin interface.
--
2.17.1
More information about the Patchwork
mailing list