From: Stephen Finucane Date: Sat, 13 Oct 2018 16:10:49 +0000 (+0100) Subject: REST: Don't allow settings of some project fields X-Git-Tag: v2.1.1~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1552b7d539695e9c2c86b96b220c2c9d2e150284;p=thirdparty%2Fpatchwork.git REST: Don't allow settings of some project fields These should only be configurable by superusers as invalid configuration can break things. Signed-off-by: Stephen Finucane Closes: #217 (cherry picked from commit 530999bf7c286bd3990e63790958338ef65a25a8) --- diff --git a/patchwork/api/project.py b/patchwork/api/project.py index 6f1affad..3609f733 100644 --- a/patchwork/api/project.py +++ b/patchwork/api/project.py @@ -30,9 +30,9 @@ from patchwork.models import Project class ProjectSerializer(BaseHyperlinkedModelSerializer): - link_name = CharField(max_length=255, source='linkname') - list_id = CharField(max_length=255, source='listid') - list_email = CharField(max_length=200, source='listemail') + link_name = CharField(max_length=255, source='linkname', read_only=True) + list_id = CharField(max_length=255, source='listid', read_only=True) + list_email = CharField(max_length=200, source='listemail', read_only=True) maintainers = UserProfileSerializer(many=True, read_only=True, source='maintainer_project') @@ -41,7 +41,8 @@ class ProjectSerializer(BaseHyperlinkedModelSerializer): fields = ('id', 'url', 'name', 'link_name', 'list_id', 'list_email', 'web_url', 'scm_url', 'webscm_url', 'maintainers', 'subject_match') - read_only_fields = ('name', 'maintainers', 'subject_match') + read_only_fields = ('name', 'link_name', 'list_id', 'list_email', + 'maintainers', 'subject_match') versioned_fields = { '1.1': ('subject_match', ), } diff --git a/patchwork/tests/api/test_project.py b/patchwork/tests/api/test_project.py index 129cedb7..10044de4 100644 --- a/patchwork/tests/api/test_project.py +++ b/patchwork/tests/api/test_project.py @@ -143,7 +143,7 @@ class TestProjectAPI(APITestCase): def test_update(self): """Ensure updates can be performed by maintainers.""" project = create_project() - data = {'linkname': 'TEST'} + data = {'web_url': 'TEST'} # an anonymous user resp = self.client.patch(self.api_url(project.id), data) @@ -160,6 +160,15 @@ class TestProjectAPI(APITestCase): self.client.force_authenticate(user=user) resp = self.client.patch(self.api_url(project.id), data) self.assertEqual(status.HTTP_200_OK, resp.status_code) + self.assertEqual(resp.data['web_url'], 'TEST') + + # ...with the exception of some read-only fields + resp = self.client.patch(self.api_url(project.id), { + 'link_name': 'test'}) + # NOTE(stephenfin): This actually returns HTTP 200 due to + # https://github.com/encode/django-rest-framework/issues/1655 + self.assertEqual(status.HTTP_200_OK, resp.status_code) + self.assertNotEqual(resp.data['link_name'], 'test') def test_delete(self): """Ensure deletions are rejected.""" diff --git a/releasenotes/notes/issue-217-676f3f737e46320e.yaml b/releasenotes/notes/issue-217-676f3f737e46320e.yaml new file mode 100644 index 00000000..ecf4a118 --- /dev/null +++ b/releasenotes/notes/issue-217-676f3f737e46320e.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + A project's ``list_email``, ``list_id`` and ``link_name`` fields can no + longer be updated via the REST API. This is a superuser-only operation + that, for now, should only be done via the admin interface. + (`#217 `__)