diff --git a/lib/main/base_views.py b/lib/main/base_views.py
index 27f5658273..dc2f86e324 100644
--- a/lib/main/base_views.py
+++ b/lib/main/base_views.py
@@ -41,6 +41,12 @@ class BaseList(generics.ListCreateAPIView):
 # model = ModelClass
 # serializer_class = SerializerClass

+ def post(self, request, *args, **kwargs):
+ postable = getattr(self.__class__, 'postable', True)
+ if not postable:
+ return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
+ return super(BaseList, self).post(request, *args, **kwargs)
+
 def get_queryset(self):
 base = self._get_queryset()

diff --git a/lib/main/tests/projects.py b/lib/main/tests/projects.py
index 5ee9eeb394..aedea56652 100644
--- a/lib/main/tests/projects.py
+++ b/lib/main/tests/projects.py
@@ -20,6 +20,7 @@ import json
 from django.contrib.auth.models import User as DjangoUser
 import django.test
 from django.test.client import Client
+from django.core.urlresolvers import reverse
 from lib.main.models import *
 from lib.main.tests.base import BaseTest

@@ -407,6 +408,23 @@ class ProjectsTest(BaseTest):
 self.get(team_creds, expect=403, auth=self.get_other_credentials())
 self.get(team_creds, expect=403, auth=self.get_nobody_credentials())

+ # Check /api/v1/credentials (GET)
+ url = reverse('main:credentials_list')
+ with self.current_user(self.super_django_user):
+ self.options(url)
+ self.head(url)
+ response = self.get(url)
+ qs = Credential.objects.all()
+ self.check_pagination_and_size(response, qs.count())
+ self.check_list_ids(response, qs)
+
+ # POST should fail for all users.
+ with self.current_user(self.super_django_user):
+ data = dict(name='xyz', user=self.super_django_user.pk)
+ self.post(url, data, expect=405)
+
+ # FIXME: Check list as other users.
+
 # can edit a credential
 cred_user = Credential.objects.get(pk=cred_user)
 cred_team = Credential.objects.get(pk=cred_team)
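Review bot: In `BaseList.post` (lib/main/base_views.py), `getattr(self.__class__, 'postable', True)` makes POST opt-out: any list view that does not set `postable = False` keeps accepting creates, and nothing in the class documents that the flag exists. Declare it on the class next to the commented `# model = ModelClass` hints, e.g. `postable = True  # set False on list views that must reject POST with 405`, and read it with `getattr(self, 'postable', True)`. The bare `Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)` also carries no `Allow` header or error body, and OPTIONS on such a view presumably still lists POST since the handler remains defined; confirm that clients and the browsable API are not misled. The class body begins above the hunk, so whether subclasses already set `postable` is not visible here.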
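Review bot: The comment `# POST should fail for all users.` in the last hunk of lib/main/tests/projects.py is backed by a single request as `self.super_django_user`, and the GET checks likewise run only as the superuser, with the rest left as a FIXME. For a credentials list the non-privileged cases are the ones that guard access control, so the test should also assert the 405 and the visible list contents for the other and nobody users. Assuming `self.post` accepts `auth=` the way `self.get` does in the context lines above, something like `self.post(url, data, expect=405, auth=self.get_nobody_credentials())` would cover it. The test method starts above the hunk.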