REST: Validate patch delegate

At present, only users who are maintainers of projects can be delegated
a project. Validate this. This is currently broken due to #216 but that
will be fixed in a future change.

Signed-off-by: Stephen Finucane <stephen@that.guru>

diff --git a/patchwork/api/patch.py b/patchwork/api/patch.py
index 1e6472838b9170fb7eb60bf7c70705a3e4e7fb50..b9a134b1724acab9c153092d6281e80781c4c894 100644 (file)
--- a/patchwork/api/patch.py
+++ b/patchwork/api/patch.py
@@ -11,6 +11,7 @@ from rest_framework.generics import RetrieveUpdateAPIView
 from rest_framework.relations import RelatedField
 from rest_framework.reverse import reverse
 from rest_framework.serializers import SerializerMethodField
+from rest_framework.serializers import ValidationError
 
 from patchwork.api.base import BaseHyperlinkedModelSerializer
 from patchwork.api.base import PatchworkPermission
@@ -99,6 +100,14 @@ class PatchListSerializer(BaseHyperlinkedModelSerializer):
         # model
         return {}
 
+    def validate_delegate(self, value):
+        """Check that the delgate is a maintainer of the patch's project."""
+        if not self.instance.project.maintainer_project.filter(
+                id=value.id).exists():
+            raise ValidationError("User '%s' is not a maintainer for project "
+                                  "'%s'" % (value, self.instance.project))
+        return value
+
     class Meta:
         model = Patch
         fields = ('id', 'url', 'web_url', 'project', 'msgid', 'date', 'name',

diff --git a/patchwork/tests/api/test_patch.py b/patchwork/tests/api/test_patch.py
index 3d6dad9ca2da759ef71239dc622ca81b0bed5efd..53099256520a6d40174f2b0e0f879efc7932b1bb 100644 (file)
--- a/patchwork/tests/api/test_patch.py
+++ b/patchwork/tests/api/test_patch.py
@@ -204,12 +204,15 @@ class TestPatchAPI(APITestCase):
         # maintainer
         user = create_maintainer(project)
         self.client.force_authenticate(user=user)
-        resp = self.client.patch(self.api_url(patch.id), {'state': state.name})
-        self.assertEqual(status.HTTP_200_OK, resp.status_code)
+        resp = self.client.patch(self.api_url(patch.id), {
+            'state': state.name, 'delegate': user.id})
+        self.assertEqual(status.HTTP_200_OK, resp.status_code, resp)
         self.assertEqual(Patch.objects.get(id=patch.id).state, state)
+        # TODO(stephenfin): This is currently broken due to #216
+        # self.assertEqual(Patch.objects.get(id=patch.id).delegate, user)
 
     def test_update_invalid(self):
-        """Ensure we handle invalid Patch states."""
+        """Ensure we handle invalid Patch updates."""
         project = create_project()
         state = create_state()
         patch = create_patch(project=project, state=state)
@@ -222,6 +225,15 @@ class TestPatchAPI(APITestCase):
         self.assertContains(resp, 'Expected one of: %s.' % state.name,
                             status_code=status.HTTP_400_BAD_REQUEST)
 
+        # invalid delegate
+        user_b = create_user()
+        resp = self.client.patch(self.api_url(patch.id),
+                                 {'delegate': user_b.id})
+        # TODO(stephenfin): This is currently broken due to #216
+        # self.assertEqual(status.HTTP_400_BAD_REQUEST, resp.status_code)
+        # self.assertContains(resp, "User '%s' is not a maintainer" % user_b,
+        #                     status_code=status.HTTP_400_BAD_REQUEST)
+
     def test_delete(self):
         """Ensure deletions are always rejected."""
         project = create_project()