[v6,04/10] REST: Add Users to the API

Message ID	1466111605-3059-5-git-send-email-andy.doan@linaro.org
State	Accepted
Headers	show Return-Path: <patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org> From: Andy Doan <andy.doan@linaro.org> To: patchwork@lists.ozlabs.org Subject: [PATCH v6 04/10] REST: Add Users to the API Date: Thu, 16 Jun 2016 16:13:19 -0500 Message-Id: <1466111605-3059-5-git-send-email-andy.doan@linaro.org> In-Reply-To: <1466111605-3059-1-git-send-email-andy.doan@linaro.org> References: <1466111605-3059-1-git-send-email-andy.doan@linaro.org> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Patchwork" <patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

Message ID

1466111605-3059-5-git-send-email-andy.doan@linaro.org

State

Accepted

Headers

From: Andy Doan <andy.doan@linaro.org>
To: patchwork@lists.ozlabs.org
Subject: [PATCH v6 04/10] REST: Add Users to the API
Date: Thu, 16 Jun 2016 16:13:19 -0500
Message-Id: <1466111605-3059-5-git-send-email-andy.doan@linaro.org>
In-Reply-To: <1466111605-3059-1-git-send-email-andy.doan@linaro.org>
References: <1466111605-3059-1-git-send-email-andy.doan@linaro.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "Patchwork"
	<patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

Commit Message

Andy Doan June 16, 2016, 9:13 p.m. UTC

This exports user objects via the REST API.

Security Constraints:
 * The API is read-only to authenticated users

Signed-off-by: Andy Doan <andy.doan@linaro.org>
---
 patchwork/rest_serializers.py    | 10 ++++++++++
 patchwork/tests/test_rest_api.py | 43 ++++++++++++++++++++++++++++++++++++++++
 patchwork/views/rest_api.py      | 27 ++++++++++++++++++++-----
 3 files changed, 75 insertions(+), 5 deletions(-)

Comments

Stephen Finucane June 27, 2016, 4:42 p.m. UTC | #1

On 16 Jun 16:13, Andy Doan wrote:
> This exports user objects via the REST API.
> 
> Security Constraints:
>  * The API is read-only to authenticated users
> 
> Signed-off-by: Andy Doan <andy.doan@linaro.org>

Reviewed-by: Stephen Finucane <stephen.finucane@intel.com>

...after accounting for the nits below

> +    def test_readonly(self):
> +        defaults.project.save()
> +        user = create_maintainer(defaults.project)
> +        user.is_superuser = True
> +        user.save()
> +        self.client.force_authenticate(user=user)
> +
> +        resp = self.client.delete(self.api_url(1))

Changed '1' to 'user.id' to avoid hardcoding.

> +        self.assertEqual(status.HTTP_403_FORBIDDEN, resp.status_code)
> +
> +        resp = self.client.patch(self.api_url(1), {'email': 'foo@f.com'})

Ditto.

diff --git a/patchwork/rest_serializers.py b/patchwork/rest_serializers.py
index 974d6d3..0d6c041 100644
--- a/patchwork/rest_serializers.py
+++ b/patchwork/rest_serializers.py
@@ -17,11 +17,21 @@ 
 # along with Patchwork; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 
+from django.contrib.auth.models import User
+
 from rest_framework.serializers import HyperlinkedModelSerializer
 
 from patchwork.models import Project
 
 
+class UserSerializer(HyperlinkedModelSerializer):
+    class Meta:
+        model = User
+        exclude = ('date_joined', 'groups', 'is_active', 'is_staff',
+                   'is_superuser', 'last_login', 'password',
+                   'user_permissions')
+
+
 class ProjectSerializer(HyperlinkedModelSerializer):
     class Meta:
         model = Project
diff --git a/patchwork/tests/test_rest_api.py b/patchwork/tests/test_rest_api.py
index d8782d9..70743d6 100644
--- a/patchwork/tests/test_rest_api.py
+++ b/patchwork/tests/test_rest_api.py
@@ -118,3 +118,46 @@  class TestProjectAPI(APITestCase):
         resp = self.client.delete(self.api_url(1))
         self.assertEqual(status.HTTP_403_FORBIDDEN, resp.status_code)
         self.assertEqual(1, Project.objects.all().count())
+
+
+@unittest.skipUnless(settings.ENABLE_REST_API, 'requires ENABLE_REST_API')
+class TestUserAPI(APITestCase):
+    fixtures = ['default_states']
+
+    @staticmethod
+    def api_url(item=None):
+        if item is None:
+            return reverse('api_1.0:user-list')
+        return reverse('api_1.0:user-detail', args=[item])
+
+    def test_anonymous_list(self):
+        """The API should reject anonymous users."""
+        resp = self.client.get(self.api_url())
+        self.assertEqual(status.HTTP_403_FORBIDDEN, resp.status_code)
+
+    def test_authenticated_list(self):
+        """This API requires authenticated users."""
+        user = create_user()
+        self.client.force_authenticate(user=user)
+        resp = self.client.get(self.api_url())
+        self.assertEqual(status.HTTP_200_OK, resp.status_code)
+        self.assertEqual(1, len(resp.data))
+        self.assertEqual(user.username, resp.data[0]['username'])
+        self.assertNotIn('password', resp.data[0])
+        self.assertNotIn('is_superuser', resp.data[0])
+
+    def test_readonly(self):
+        defaults.project.save()
+        user = create_maintainer(defaults.project)
+        user.is_superuser = True
+        user.save()
+        self.client.force_authenticate(user=user)
+
+        resp = self.client.delete(self.api_url(1))
+        self.assertEqual(status.HTTP_403_FORBIDDEN, resp.status_code)
+
+        resp = self.client.patch(self.api_url(1), {'email': 'foo@f.com'})
+        self.assertEqual(status.HTTP_403_FORBIDDEN, resp.status_code)
+
+        resp = self.client.post(self.api_url(), {'email': 'foo@f.com'})
+        self.assertEqual(status.HTTP_403_FORBIDDEN, resp.status_code)
diff --git a/patchwork/views/rest_api.py b/patchwork/views/rest_api.py
index 8c207ff..8cff44e 100644
--- a/patchwork/views/rest_api.py
+++ b/patchwork/views/rest_api.py
@@ -19,8 +19,8 @@ 
 
 from django.conf import settings
 
-from patchwork.models import Project
-from patchwork.rest_serializers import ProjectSerializer
+from patchwork.rest_serializers import (
+    ProjectSerializer, UserSerializer)
 
 from rest_framework import permissions
 from rest_framework.pagination import PageNumberPagination
@@ -67,12 +67,29 @@  class PatchworkPermission(permissions.BasePermission):
         return obj.is_editable(request.user)
 
 
-class ProjectViewSet(ModelViewSet):
+class AuthenticatedReadOnly(permissions.BasePermission):
+    def has_permission(self, request, view):
+        authenticated = request.user.is_authenticated()
+        return authenticated and request.method in permissions.SAFE_METHODS
+
+
+class PatchworkViewSet(ModelViewSet):
+    pagination_class = LinkHeaderPagination
+
+    def get_queryset(self):
+        return self.serializer_class.Meta.model.objects.all()
+
+
+class UserViewSet(PatchworkViewSet):
+    permission_classes = (AuthenticatedReadOnly, )
+    serializer_class = UserSerializer
+
+
+class ProjectViewSet(PatchworkViewSet):
     permission_classes = (PatchworkPermission, )
-    queryset = Project.objects.all()
     serializer_class = ProjectSerializer
-    pagination_class = LinkHeaderPagination
 
 
 router = DefaultRouter()
 router.register('projects', ProjectViewSet, 'project')
+router.register('users', UserViewSet, 'user')