Merge pull request #6285 from ryanpetrello/user-readonly-last-login

make User.last_login read_only=True in its serializer

Reviewed-by: Christian Adams <rooftopcellist@gmail.com>
             https://github.com/rooftopcellist

awx/api/serializers.py

@@ -884,6 +884,9 @@ class UserSerializer(BaseSerializer):
         fields = ('*', '-name', '-description', '-modified',
                   'username', 'first_name', 'last_name',
                   'email', 'is_superuser', 'is_system_auditor', 'password', 'ldap_dn', 'last_login', 'external_account')
+        extra_kwargs = {
+            'last_login': {'read_only': True}
+        }
 
     def to_representation(self, obj):
         ret = super(UserSerializer, self).to_representation(obj)

awx/main/tests/functional/api/test_user.py

@@ -2,6 +2,7 @@ import pytest
 
 from django.contrib.sessions.middleware import SessionMiddleware
 
+from awx.main.models import User
 from awx.api.versioning import reverse
 
 
@@ -48,3 +49,15 @@ def test_create_delete_create_user(post, delete, admin):
     response = post(reverse('api:user_list'), EXAMPLE_USER_DATA, admin, middleware=SessionMiddleware())
     print(response.data)
     assert response.status_code == 201
+
+
+@pytest.mark.django_db
+def test_user_cannot_update_last_login(patch, admin):
+    assert admin.last_login is None
+    patch(
+        reverse('api:user_detail', kwargs={'pk': admin.pk}),
+        {'last_login': '2020-03-13T16:39:47.303016Z'},
+        admin,
+        middleware=SessionMiddleware()
+    )
+    assert User.objects.get(pk=admin.pk).last_login is None