Make project serializer return subset of fields to authenticated users

agjohnson · agjohnson · commit 95433fa0dcb5 · 2017-10-13T21:43:28.000-06:00
Admin users will get an extended list of fields, for use in the build instances.
Normal users get a different project serializer with limited fields.
diff --git a/readthedocs/restapi/serializers.py b/readthedocs/restapi/serializers.py
@@ -24,8 +24,16 @@ class Meta(object):
             'users',
             'canonical_url',
         )
-        # Fields needed for properly passing data to the builds
-        build_extra = (
+
+
+class ProjectSerializerFull(ProjectSerializer):
+
+    """Serializer to return all Project fields, for use by builder instances"""
+
+    class Meta(object):
+        model = Project
+        # The following fields are required by builder processes
+        fields = ProjectSerializer.Meta.fields + (
             'enable_epub_build',
             'enable_pdf_build',
             'conf_py_file',
@@ -41,7 +49,6 @@ class Meta(object):
             'requirements_file',
             'python_interpreter',
         )
-        fields += build_extra
 
 
 class VersionSerializer(serializers.ModelSerializer):
diff --git a/readthedocs/restapi/views/model_views.py b/readthedocs/restapi/views/model_views.py
@@ -23,8 +23,8 @@
                            RelatedProjectIsOwner, IsOwner)
 from ..serializers import (BuildSerializerFull, BuildSerializer,
                            BuildCommandSerializer, ProjectSerializer,
-                           VersionSerializer, DomainSerializer,
-                           RemoteOrganizationSerializer,
+                           ProjectSerializerFull, VersionSerializer,
+                           DomainSerializer, RemoteOrganizationSerializer,
                            RemoteRepositorySerializer)
 from .. import utils as api_utils
 
@@ -46,6 +46,11 @@ class ProjectViewSet(viewsets.ModelViewSet):
     def get_queryset(self):
         return self.model.objects.api(self.request.user)
 
+    def get_serializer_class(self):
+        if self.request.user.is_staff:
+            return ProjectSerializerFull
+        return self.serializer_class
+
     @decorators.detail_route()
     def valid_versions(self, request, **kwargs):
         """Maintain state of versions that are wanted."""
diff --git a/readthedocs/rtd_tests/tests/test_api.py b/readthedocs/rtd_tests/tests/test_api.py
@@ -1,10 +1,11 @@
 from __future__ import absolute_import
-from builtins import str
+
 import json
 import base64
 import datetime
 
 import mock
+from builtins import str
 from django.test import TestCase
 from django.contrib.auth.models import User
 from django_dynamic_fixture import get
@@ -168,6 +169,23 @@ def test_make_project(self):
         obj = json.loads(resp.content)
         self.assertEqual(obj['slug'], 'awesome-project')
 
+    def test_user_doesnt_get_full_api_return(self):
+        user_normal = get(User, is_staff=False)
+        user_admin = get(User, is_staff=True)
+        project = get(Project, main_language_project=None, conf_py_file='foo')
+        client = APIClient()
+
+        client.force_authenticate(user=user_normal)
+        resp = client.get('/api/v2/project/%s/' % (project.pk))
+        self.assertEqual(resp.status_code, 200)
+        self.assertNotIn('conf_py_file', resp.data)
+
+        client.force_authenticate(user=user_admin)
+        resp = client.get('/api/v2/project/%s/' % (project.pk))
+        self.assertEqual(resp.status_code, 200)
+        self.assertIn('conf_py_file', resp.data)
+        self.assertEqual(resp.data['conf_py_file'], 'foo')
+
     def test_invalid_make_project(self):
         """
         Test that the authentication is turned on.
