Merge pull request #1378 from rooftopcellist/no_patch_app

disallow changing token-app

awx/api/serializers.py

@@ -939,7 +939,6 @@ class UserAuthorizedTokenSerializer(BaseSerializer):
             'expires', 'scope', 'application',
         )
         read_only_fields = ('user', 'token', 'expires')
-        read_only_on_update_fields = ('application',)
         
     def get_token(self, obj):
         request = self.context.get('request', None)
@@ -1105,6 +1104,12 @@ class OAuth2TokenSerializer(BaseSerializer):
             )
         return obj
         
+        
+class OAuth2TokenDetailSerializer(OAuth2TokenSerializer):
+
+    class Meta:
+        read_only_fields = ('*', 'user', 'application')       
+
 
 class OAuth2AuthorizedTokenSerializer(BaseSerializer):
     
@@ -1118,7 +1123,6 @@ class OAuth2AuthorizedTokenSerializer(BaseSerializer):
             'expires', 'scope', 'application',
         )
         read_only_fields = ('user', 'token', 'expires')
-        read_only_on_update_fields = ('application',)
         
     def get_token(self, obj):
         request = self.context.get('request', None)
@@ -1171,8 +1175,7 @@ class OAuth2PersonalTokenSerializer(BaseSerializer):
             '*', '-name', 'description', 'user', 'token', 'refresh_token',
             'application', 'expires', 'scope',
         )
-        read_only_fields = ('user', 'token', 'expires')
-        read_only_on_update_fields = ('application',)
+        read_only_fields = ('user', 'token', 'expires', 'application')
 
     def get_modified(self, obj):
         if obj is None:

awx/api/views.py

@@ -1587,7 +1587,7 @@ class OAuth2TokenDetail(RetrieveUpdateDestroyAPIView):
     view_name = _("OAuth Token Detail")
 
     model = OAuth2AccessToken
-    serializer_class = OAuth2TokenSerializer
+    serializer_class = OAuth2TokenDetailSerializer
 
 
 class OAuth2TokenActivityStreamList(ActivityStreamEnforcementMixin, SubListAPIView):