APIv3 endpoint: allow to modify a Project once it's imported #5952
Conversation
humitos
commented
Jul 17, 2019
humitos
commented
- allow users to modify existing projects using the API
- only allow to change fields that are not possible to change via the YAML
- users should only be able to change projects where they are maintainers
humitos
added
Status: blocked
We are nesting all the endpoints inside `/projects/`. When hitting, `/project/<slug>` this endpoint does not have any "parent project", so we need to get the "project_slug" from the view kwargs instead of from the URL.
Do not allow any other action that's not list, retrieve or superproject when the detail=True (accessing an object directly) `/subprojects/` and `/translations/` are considered `list` actions with detail=True views.
…ct-update-endpoint
humitos
removed
PR: work in progress
|
This PR should be ready to review and all the permissions should be fixed and working as we need. |
…humitos/apiv3/project-update-endpoint
| "default_version": "v0.27.0" | ||
| } | ||
|
|
||
| :statuscode 204: Updated successfully |
There was a problem hiding this comment.
I assume it will also raise an error in some cases?
There was a problem hiding this comment.
On the "Ship APIv3" PR I was thinking to remove all the redundant docs or un-useful list of fields: avoid things like slug: the slug of the Project and just document that ones that are useful.
I applied the same concept for status codes, mentioning only the important ones (based on David's comment as well: #4863 (comment))
I did a commit for this in that PR: f7e168f
What do you think?
readthedocs/api/v3/mixins.py
Outdated
| @@ -92,3 +100,20 @@ def get_queryset(self): | |||
|
|
|||
| # List view are only allowed if user is owner of parent project | |||
| return self.listing_objects(queryset, self.request.user) | |||
|
|
|||
|
|
|||
| class UpdatePartialUpdateMixin: | |||
There was a problem hiding this comment.
This is a super confusing name. Why does it have Update in the name twice?
There was a problem hiding this comment.
I should probably rename this to UpdateMixin only. This class makes PUT to return 204 on success as PATCH.
| if view.detail: | ||
| # detail view is only allowed on list/retrieve actions (not | ||
| # ``update`` or ``partial_update``) | ||
| if view.detail and view.action in ('list', 'retrieve', 'superproject'): |
There was a problem hiding this comment.
These feel like they should be constants? What is a superproject? It still feels weird that it is a method name to me.
There was a problem hiding this comment.
superproject is an action name, defined by the class method under ProjectViewSet. We should apply the same permissions restrictions than for a detail action (since it only returns one superproject if exists).
list and retrieve are DRF standard action names (same as update or partial_update).
We already talked about this at #5857 (comment)
(I'm adding this comment as a code comment)
|
|
||
| """Serializer used to modify a Project once imported.""" | ||
|
|
||
| repository = RepositorySerializer(source='*') |
There was a problem hiding this comment.
What is source='*'? It should likely have a comment.
There was a problem hiding this comment.
* it's standard for DRF but has a special meaning. It means that the whole object will be passed to the RepositorySerializer, not just a specific field of it.
(see docs https://www.django-rest-framework.org/api-guide/fields/#source)
| @@ -271,7 +276,8 @@ class TranslationRelationshipViewSet(APIv3Settings, NestedViewSetMixin, | |||
| # of ``ProjectQuerySetMixin`` to make calling ``super().get_queryset()`` work | |||
| # properly and filter nested dependencies | |||
| class VersionsViewSet(APIv3Settings, NestedViewSetMixin, ProjectQuerySetMixin, | |||
| FlexFieldsMixin, UpdateModelMixin, ReadOnlyModelViewSet): | |||
| FlexFieldsMixin, UpdatePartialUpdateMixin, | |||
| UpdateModelMixin, ReadOnlyModelViewSet): | |||
There was a problem hiding this comment.
Does this also allow us to PATCH to Versions?
There was a problem hiding this comment.
Yes. It makes the PUT and PATCH to behave in the same way (because of UpdatePartialUpdateMixin: returns 204 on both verbs).
There was a problem hiding this comment.
It was already working like that, but I moved the update method to a Mixin since it's shared with another class now.
Yes. Basically, this is the line that allows the PATCH/PUT: https://github.com/readthedocs/readthedocs.org/pull/5952/files#diff-e7d0914abe4a0641d49078f90f75e695R77
|
…adthedocs/readthedocs.org into humitos/apiv3/project-update-endpoint
