authorStephen Finucane <stephen@that.guru>2018-10-13 17:10:49 +0100
committerStephen Finucane <stephen@that.guru>2018-10-14 14:59:42 +0100
commit530999bf7c286bd3990e63790958338ef65a25a8 (patch)
treec32cdf08e45e22b23b6aee6793c0794e0c41eae6
parent67565bf528d6347edd6561677f61639adb35ba55 (diff)
downloadpatchwork-530999bf7c286bd3990e63790958338ef65a25a8.tar
patchwork-530999bf7c286bd3990e63790958338ef65a25a8.tar.gz
REST: Don't allow settings of some project fields
These should only be configurable by superusers as invalid configuration can break things. Signed-off-by: Stephen Finucane <stephen@that.guru> Closes: #217
-rw-r--r--patchwork/api/project.py9
-rw-r--r--patchwork/tests/api/test_project.py11
-rw-r--r--releasenotes/notes/issue-217-676f3f737e46320e.yaml7
3 files changed, 22 insertions, 5 deletions
diff --git a/patchwork/api/project.py b/patchwork/api/project.py
index deef290..22fb1c4 100644
--- a/patchwork/api/project.py
+++ b/patchwork/api/project.py
@@ -16,9 +16,9 @@ from patchwork.models import Project
class ProjectSerializer(BaseHyperlinkedModelSerializer):
- link_name = CharField(max_length=255, source='linkname')
- list_id = CharField(max_length=255, source='listid')
- list_email = CharField(max_length=200, source='listemail')
+ link_name = CharField(max_length=255, source='linkname', read_only=True)
+ list_id = CharField(max_length=255, source='listid', read_only=True)
+ list_email = CharField(max_length=200, source='listemail', read_only=True)
maintainers = UserProfileSerializer(many=True, read_only=True,
source='maintainer_project')
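Review bot: The `read_only=True` keyword on these three declarations is what actually blocks writes, and nothing in the hunk says so. As far as I know, Django REST Framework applies `Meta.read_only_fields` only to fields it generates from the model, so the names added to that tuple in the next hunk (`@@ -27,7 +27,8 @@`) have no effect on explicitly declared fields. A later edit that drops the keyword but leaves the tuple would silently make `link_name`, `list_id` and `list_email` maintainer-writable again. I would add a comment above the declarations such as `# read_only=True is required here: Meta.read_only_fields is ignored for declared fields`. The class body continues outside the hunk.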
@@ -27,7 +27,8 @@ class ProjectSerializer(BaseHyperlinkedModelSerializer):
fields = ('id', 'url', 'name', 'link_name', 'list_id', 'list_email',
'web_url', 'scm_url', 'webscm_url', 'maintainers',
'subject_match')
- read_only_fields = ('name', 'maintainers', 'subject_match')
+ read_only_fields = ('name', 'link_name', 'list_id', 'list_email',
+ 'maintainers', 'subject_match')
versioned_fields = {
'1.1': ('subject_match', ),
}
diff --git a/patchwork/tests/api/test_project.py b/patchwork/tests/api/test_project.py
index a4a9396..557c1e0 100644
--- a/patchwork/tests/api/test_project.py
+++ b/patchwork/tests/api/test_project.py
@@ -129,7 +129,7 @@ class TestProjectAPI(APITestCase):
def test_update(self):
"""Ensure updates can be performed by maintainers."""
project = create_project()
- data = {'linkname': 'TEST'}
+ data = {'web_url': 'TEST'}
# an anonymous user
resp = self.client.patch(self.api_url(project.id), data)
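Review bot: `'TEST'` is not a URL, and the assertion added in the next hunk (`resp.data['web_url']` equals `'TEST'` after an HTTP 200) pins the fact that the API stores an arbitrary string in `web_url` at a maintainer's request. If that value is ever rendered as a link, which is not visible here, the field would need scheme validation, and this test would then fail for a reason unrelated to permissions. A well-formed sample value, `data = {'web_url': 'https://example.com/test'}`, keeps the test about who may update rather than about what is accepted. `test_update` starts and ends outside the hunk.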
@@ -146,6 +146,15 @@ class TestProjectAPI(APITestCase):
self.client.force_authenticate(user=user)
resp = self.client.patch(self.api_url(project.id), data)
self.assertEqual(status.HTTP_200_OK, resp.status_code)
+ self.assertEqual(resp.data['web_url'], 'TEST')
+
+ # ...with the exception of some read-only fields
+ resp = self.client.patch(self.api_url(project.id), {
+ 'link_name': 'test'})
+ # NOTE(stephenfin): This actually returns HTTP 200 due to
+ # https://github.com/encode/django-rest-framework/issues/1655
+ self.assertEqual(status.HTTP_200_OK, resp.status_code)
+ self.assertNotEqual(resp.data['link_name'], 'test')
def test_delete(self):
"""Ensure deletions are rejected."""
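Review bot: The read-only check added at the end of `test_update` covers only `link_name` and inspects only the response body. `list_id` and `list_email` are untested, and a write that reached the database but was not reflected in the response would still pass. Because DRF answers HTTP 200 for ignored read-only input, as the NOTE says, the stored value is the only reliable signal. Reload the object and compare, e.g. `project.refresh_from_db()` followed by `self.assertNotEqual(project.linkname, 'test')`, and repeat the PATCH for the other two fields. The start of `test_update` is outside the hunk.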
diff --git a/releasenotes/notes/issue-217-676f3f737e46320e.yaml b/releasenotes/notes/issue-217-676f3f737e46320e.yaml
new file mode 100644
index 0000000..ecf4a11
--- /dev/null
+++ b/releasenotes/notes/issue-217-676f3f737e46320e.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ A project's ``list_email``, ``list_id`` and ``link_name`` fields can no
+ longer be updated via the REST API. This is a superuser-only operation
+ that, for now, should only be done via the admin interface.
+ (`#217 <https://github.com/getpatchwork/patchwork/issues/217>`__)