Test that you can't post to an audit trail collection (ever), and a switch to control postability to sub lists.

2026-01-09 23:12:08 -03:30 · 2013-03-23 16:50:25 -04:00 · 2013-03-23 16:50:25 -04:00 · 1213f2a981
commit 1213f2a981
parent cd214bc95d
3 changed files with 26 additions and 7 deletions
--- a/lib/main/base_views.py
+++ b/lib/main/base_views.py
@ -51,6 +51,10 @@ class BaseSubList(BaseList):

    def post(self, request, *args, **kwargs):

+        postable = getattr(self.__class__, 'postable', False)
+        if not postable:
+            return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
+
        parent_id = kwargs['pk']
        sub_id = request.DATA.get('id')
        main = self.__class__.parent_model.objects.get(pk=parent_id)
--- a/lib/main/tests.py
+++ b/lib/main/tests.py
@ -91,7 +91,7 @@ class BaseTest(django.test.TestCase):
            assert False, "Failed: %s" % response.content
        if expect is not None:
            assert response.status_code == expect, "expected status %s, got %s for url=%s as auth=%s: %s" % (expect, response.status_code, url, auth, response.content)
-        if response.status_code not in [ 202, 204, 400, 409 ]:
+        if response.status_code not in [ 202, 204, 400, 405, 409 ]:
            # no JSON responses in these at least for now, 400/409 should probably return some (FIXME)
            return json.loads(response.content)
        else:
@ -269,6 +269,7 @@ class OrganizationsTest(BaseTest):
        org1_tags = self.get(org1_tags_url, expect=403, auth=self.get_other_credentials())

    def test_get_item_subobjects_audit_trail(self):
+        # FIXME
        pass

    def test_post_item(self):
@ -376,7 +377,9 @@ class OrganizationsTest(BaseTest):
        self.assertEqual(tags['results'][0]['id'], tag.pk)

    def test_post_item_subobjects_audit_trail(self):
-        pass
+        # audit trails are system things, and no user can post to them.
+        url = '/api/v1/organizations/2/audit_trail/'
+        self.post(url, dict(id=1), expect=405, auth=self.get_super_credentials())

    def test_put_item(self):

--- a/lib/main/views.py
+++ b/lib/main/views.py
@ -42,20 +42,32 @@ class OrganizationsDetail(BaseDetail):
    serializer_class = OrganizationSerializer
    permission_classes = (CustomRbac,)

-class OrganizationsAuditTrailList(BaseList):
+class OrganizationsAuditTrailList(BaseSubList):

    model = AuditTrail
    serializer_class = AuditTrailSerializer
    permission_classes = (CustomRbac,)
+    parent_model = Organization
+    relationship = 'audit_trail'
+    postable = False
+
+    def _get_queryset(self):
+        ''' to list tags in the organization, I must be a superuser or org admin '''
+        organization = Organization.objects.get(pk=self.kwargs['pk'])
+        if not (self.request.user.is_superuser or self.request.user in organization.admins.all()):
+            # FIXME: use: organization.can_user_administrate(self.request.user)
+            raise PermissionDenied()
+        return AuditTrail.objects.filter(audit_trail_by_tag__in = [ organization ])
+

 class OrganizationsUsersList(BaseSubList):
    
    model = User
    serializer_class = UserSerializer
    permission_classes = (CustomRbac,)
-
    parent_model = Organization
    relationship = 'users'
+    postable = True

    def _get_queryset(self):
        ''' to list users in the organization, I must be a superuser or org admin '''
@ -69,9 +81,9 @@ class OrganizationsAdminsList(BaseSubList):
    model = User
    serializer_class = UserSerializer
    permission_classes = (CustomRbac,)
-    
    parent_model = Organization
    relationship = 'admins'
+    postable = True

    def _get_queryset(self):
        ''' to list admins in the organization, I must be a superuser or org admin '''
@ -85,9 +97,9 @@ class OrganizationsProjectsList(BaseSubList):
    model = Project
    serializer_class = ProjectSerializer
    permission_classes = (CustomRbac,)
-
    parent_model = Organization  # for sub list
    relationship = 'projects'    # " "
+    postable = True
    
    def _get_queryset(self):
        ''' to list projects in the organization, I must be a superuser or org admin '''
@ -101,9 +113,9 @@ class OrganizationsTagsList(BaseSubList):
    model = Tag
    serializer_class = TagSerializer
    permission_classes = (CustomRbac,)
-
    parent_model = Organization  # for sub list
    relationship = 'tags'        # " "
+    postable = True

    def _get_queryset(self):
        ''' to list tags in the organization, I must be a superuser or org admin '''