REST: Don't allow settings of some project fields
authorStephen Finucane <stephen@that.guru>
Sat, 13 Oct 2018 16:10:49 +0000 (17:10 +0100)
committerStephen Finucane <stephen@that.guru>
Sun, 14 Oct 2018 14:05:27 +0000 (15:05 +0100)
These fields should only be configurable by superusers, since an invalid
configuration can break things (for example, how incoming mail is routed to a project).

Signed-off-by: Stephen Finucane <stephen@that.guru>
Closes: #217
(cherry picked from commit 530999bf7c286bd3990e63790958338ef65a25a8)

patchwork/api/project.py
patchwork/tests/api/test_project.py
releasenotes/notes/issue-217-676f3f737e46320e.yaml [new file with mode: 0644]

index 6f1affad9cbcc6b1f43c3b7cb8edbfb260f3e654..3609f7336be63c3f25e5e55f6bc06f81ce75e1e4 100644 (file)
@@ -30,9 +30,9 @@ from patchwork.models import Project
 
 class ProjectSerializer(BaseHyperlinkedModelSerializer):
 
-    link_name = CharField(max_length=255, source='linkname')
-    list_id = CharField(max_length=255, source='listid')
-    list_email = CharField(max_length=200, source='listemail')
+    link_name = CharField(max_length=255, source='linkname', read_only=True)
+    list_id = CharField(max_length=255, source='listid', read_only=True)
+    list_email = CharField(max_length=200, source='listemail', read_only=True)
     maintainers = UserProfileSerializer(many=True, read_only=True,
                                         source='maintainer_project')
 
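Review bot: The `max_length` arguments on the three `CharField` declarations that gain `read_only=True` in this hunk are now dead, because DRF does not run validators on read-only fields, so they only suggest an input limit that is never enforced. More importantly, the reason these fields are locked down is visible only in the commit message, not next to the code, so a later maintainer may "helpfully" make them writable again. I would record the rationale on the field group, e.g. `# Superuser-only (see #217): changing the list identity can break mail routing; edit via the admin instead.` If validation of these values by maintainers is ever wanted again, it should be re-added on a separate write path rather than by flipping `read_only` back.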
@@ -41,7 +41,8 @@ class ProjectSerializer(BaseHyperlinkedModelSerializer):
         fields = ('id', 'url', 'name', 'link_name', 'list_id', 'list_email',
                   'web_url', 'scm_url', 'webscm_url', 'maintainers',
                   'subject_match')
-        read_only_fields = ('name', 'maintainers', 'subject_match')
+        read_only_fields = ('name', 'link_name', 'list_id', 'list_email',
+                            'maintainers', 'subject_match')
         versioned_fields = {
             '1.1': ('subject_match', ),
         }
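Review bot: The `link_name`, `list_id` and `list_email` entries added to `Meta.read_only_fields` are, as far as DRF's `ModelSerializer` is documented, no-ops: that option only affects fields the serializer generates from the model, and these three are declared explicitly on the class with their own `read_only=True` (in the earlier hunk). Keeping them here is harmless but can mislead a reader into thinking the Meta entry alone protects a field, which it would not if someone later removed `read_only=True` from the declaration. I would either drop the three names from this tuple or annotate it, e.g. `# NOTE: explicitly-declared fields must also carry read_only=True; this option alone does not cover them.`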
index 129cedb7493fccda46caa6a77f90990e8e196bcb..10044de4ecbbfdf6a04d3506b0910e79a03583a4 100644 (file)
@@ -143,7 +143,7 @@ class TestProjectAPI(APITestCase):
     def test_update(self):
         """Ensure updates can be performed by maintainers."""
         project = create_project()
-        data = {'linkname': 'TEST'}
+        data = {'web_url': 'TEST'}
 
         # an anonymous user
         resp = self.client.patch(self.api_url(project.id), data)
@@ -160,6 +160,15 @@ class TestProjectAPI(APITestCase):
         self.client.force_authenticate(user=user)
         resp = self.client.patch(self.api_url(project.id), data)
         self.assertEqual(status.HTTP_200_OK, resp.status_code)
+        self.assertEqual(resp.data['web_url'], 'TEST')
+
+        # ...with the exception of some read-only fields
+        resp = self.client.patch(self.api_url(project.id), {
+            'link_name': 'test'})
+        # NOTE(stephenfin): This actually returns HTTP 200 due to
+        # https://github.com/encode/django-rest-framework/issues/1655
+        self.assertEqual(status.HTTP_200_OK, resp.status_code)
+        self.assertNotEqual(resp.data['link_name'], 'test')
 
     def test_delete(self):
         """Ensure deletions are rejected."""
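Review bot: The new assertions cover only `link_name` and only check what is echoed back, so a regression in `list_id` or `list_email`, or a field that is silently persisted but re-serialised from a stale instance, would not be caught; `assertNotEqual(resp.data['link_name'], 'test')` is also weaker than comparing against the value the project was created with. I would loop over all three locked fields, and after the requests re-read the project from the database and assert the original values survived, since the security property here is "not persisted", not "not echoed". The HTTP 200 on a rejected write is DRF behaviour (read-only input is ignored, per the linked issue), so the status assertion stays as is. `test_update` starts in the previous hunk, so the `project` and `user` setup it relies on is outside this one.
```python
        # ...with the exception of some read-only fields, which must be
        # neither echoed back nor persisted
        original = (project.linkname, project.listid, project.listemail)
        for field, value in (('link_name', 'test'), ('list_id', 'test'),
                             ('list_email', 'test@example.com')):
            resp = self.client.patch(self.api_url(project.id), {field: value})
            # NOTE(stephenfin): This actually returns HTTP 200 due to
            # https://github.com/encode/django-rest-framework/issues/1655
            self.assertEqual(status.HTTP_200_OK, resp.status_code)
            self.assertNotEqual(resp.data[field], value)
        project.refresh_from_db()
        self.assertEqual(
            original, (project.linkname, project.listid, project.listemail))
```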
diff --git a/releasenotes/notes/issue-217-676f3f737e46320e.yaml b/releasenotes/notes/issue-217-676f3f737e46320e.yaml
new file mode 100644 (file)
index 0000000..ecf4a11
--- /dev/null
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    A project's ``list_email``, ``list_id`` and ``link_name`` fields can no
+    longer be updated via the REST API. This is a superuser-only operation
+    that, for now, should only be done via the admin interface.
+    (`#217 <https://github.com/getpatchwork/patchwork/issues/217>`__)