From 1213f2a9817f44fc60525cdef762f41980219a46 Mon Sep 17 00:00:00 2001
From: Michael DeHaan
Date: Sat, 23 Mar 2013 16:50:25 -0400
Subject: [PATCH] Test that you can't post to an audit trail collection (ever), and a switch to control postability to sub lists.

---
 lib/main/base_views.py | 4 ++++
 lib/main/tests.py | 7 +++++--
 lib/main/views.py | 22 +++++++++++++++++-----
 3 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/lib/main/base_views.py b/lib/main/base_views.py
index 46629a5a21..938391db68 100644
--- a/lib/main/base_views.py
+++ b/lib/main/base_views.py
@@ -51,6 +51,10 @@ class BaseSubList(BaseList):
 def post(self, request, *args, **kwargs):
+ postable = getattr(self.__class__, 'postable', False)
+ if not postable:
+ return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
+
 parent_id = kwargs['pk']
 sub_id = request.DATA.get('id')
 main = self.__class__.parent_model.objects.get(pk=parent_id)
diff --git a/lib/main/tests.py b/lib/main/tests.py
index 714d97e164..80e75ee890 100644
--- a/lib/main/tests.py
+++ b/lib/main/tests.py
@@ -91,7 +91,7 @@ class BaseTest(django.test.TestCase):
 assert False, "Failed: %s" % response.content
 if expect is not None:
 assert response.status_code == expect, "expected status %s, got %s for url=%s as auth=%s: %s" % (expect, response.status_code, url, auth, response.content)
- if response.status_code not in [ 202, 204, 400, 409 ]:
+ if response.status_code not in [ 202, 204, 400, 405, 409 ]:
 # no JSON responses in these at least for now, 400/409 should probably return some (FIXME)
 return json.loads(response.content)
 else:
@@ -269,6 +269,7 @@ class OrganizationsTest(BaseTest):
 org1_tags = self.get(org1_tags_url, expect=403, auth=self.get_other_credentials())
 def test_get_item_subobjects_audit_trail(self):
+ # FIXME
 pass
 def test_post_item(self):
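Review bot: The 405 returned at `if not postable:` is a bare Response with no body, and nothing in the hunk documents why a class that defines `post` still refuses it; a one-line comment such as `# read-only sub-list: POST is only honoured when the subclass sets postable = True` would make the switch discoverable for the next BaseSubList subclass. Since class attributes resolve through the instance, `getattr(self, 'postable', False)` reads the same value and keeps working if a subclass ever sets it per instance; the False default is the right secure default for lists that never declare the switch. If BaseSubList is a DRF APIView, the framework fills the `Allow` header from the handler methods present on the class, so it will still advertise POST on a non-postable list — worth confirming against the base class, which is outside this hunk. `post` continues past the end of the hunk.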
@@ -376,7 +377,9 @@ class OrganizationsTest(BaseTest):
 self.assertEqual(tags['results'][0]['id'], tag.pk)
 def test_post_item_subobjects_audit_trail(self):
- pass
+ # audit trails are system things, and no user can post to them.
+ url = '/api/v1/organizations/2/audit_trail/'
+ self.post(url, dict(id=1), expect=405, auth=self.get_super_credentials())
 def test_put_item(self):
diff --git a/lib/main/views.py b/lib/main/views.py
index 22c3182962..9948d966e7 100644
--- a/lib/main/views.py
+++ b/lib/main/views.py
@@ -42,20 +42,32 @@ class OrganizationsDetail(BaseDetail):
 serializer_class = OrganizationSerializer
 permission_classes = (CustomRbac,)
-class OrganizationsAuditTrailList(BaseList):
+class OrganizationsAuditTrailList(BaseSubList):
 model = AuditTrail
 serializer_class = AuditTrailSerializer
 permission_classes = (CustomRbac,)
+ parent_model = Organization
+ relationship = 'audit_trail'
+ postable = False
+
+ def _get_queryset(self):
+ ''' to list tags in the organization, I must be a superuser or org admin '''
+ organization = Organization.objects.get(pk=self.kwargs['pk'])
+ if not (self.request.user.is_superuser or self.request.user in organization.admins.all()):
+ # FIXME: use: organization.can_user_administrate(self.request.user)
+ raise PermissionDenied()
+ return AuditTrail.objects.filter(audit_trail_by_tag__in = [ organization ])
+
 class OrganizationsUsersList(BaseSubList):
 model = User
 serializer_class = UserSerializer
 permission_classes = (CustomRbac,)
-
 parent_model = Organization
 relationship = 'users'
+ postable = True
 def _get_queryset(self):
 ''' to list users in the organization, I must be a superuser or org admin '''
@@ -69,9 +81,9 @@ class OrganizationsAdminsList(BaseSubList):
 model = User
 serializer_class = UserSerializer
 permission_classes = (CustomRbac,)
-
 parent_model = Organization
 relationship = 'admins'
+ postable = True
 def _get_queryset(self):
 ''' to list admins in the organization, I must be a superuser or org admin '''
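Review bot: The new body of `test_post_item_subobjects_audit_trail` only shows that a superuser is refused; the comment says no user can post, but an ordinary user's request is never exercised, so a later change to `CustomRbac` could open the endpoint to non-admins without failing this test. A second call with `self.get_other_credentials()` would cover that path; whether it should expect 403 (permission classes evaluated before the handler) or 405 cannot be determined from this page, so pin whichever status the current code yields. The hard-coded `/api/v1/organizations/2/audit_trail/` also assumes a fixture ordering the hunk does not show; a comment naming the organization it refers to would help.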
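Review bot: The docstring on the new `OrganizationsAuditTrailList._get_queryset` reads `''' to list tags in the organization, I must be a superuser or org admin '''` but the method returns audit trail entries; it should say `''' to list the audit trail of an organization, I must be a superuser or org admin '''`. `Organization.objects.get(pk=self.kwargs['pk'])` lets `DoesNotExist` propagate for an unknown pk, which Django reports as a server error unless a base class or middleware converts it; `django.shortcuts.get_object_or_404(Organization, pk=self.kwargs['pk'])` would give a 404 instead, if that helper is available in views.py. The explicit `postable = False` on this class matches the base default and is useful documentation of intent; the `# FIXME` about `can_user_administrate` is carried over from the sibling lists and would be easier to track if it named the helper's intended module.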
@@ -85,9 +97,9 @@ class OrganizationsProjectsList(BaseSubList):
 model = Project
 serializer_class = ProjectSerializer
 permission_classes = (CustomRbac,)
-
 parent_model = Organization # for sub list
 relationship = 'projects' # " "
+ postable = True
 def _get_queryset(self):
 ''' to list projects in the organization, I must be a superuser or org admin '''
@@ -101,9 +113,9 @@ class OrganizationsTagsList(BaseSubList):
 model = Tag
 serializer_class = TagSerializer
 permission_classes = (CustomRbac,)
-
 parent_model = Organization # for sub list
 relationship = 'tags' # " "
+ postable = True
 def _get_queryset(self):
 ''' to list tags in the organization, I must be a superuser or org admin '''