See #230: users with upload permission can now launch import and manage their own imports

2018-05-24 22:39:32 +02:00 · 2018-05-24 22:39:32 +02:00 · 8d55040e9e
commit 8d55040e9e
parent dfb4f5f62a
4 changed files with 66 additions and 11 deletions
--- a/api/funkwhale_api/music/views.py
+++ b/api/funkwhale_api/music/views.py
@ -91,12 +91,21 @@ class ImportBatchViewSet(
    )
    serializer_class = serializers.ImportBatchSerializer
    permission_classes = (HasUserPermission,)
-    required_permissions = ['library']
+    required_permissions = ['library', 'upload']
+    permission_operator = 'or'
    filter_class = filters.ImportBatchFilter

    def perform_create(self, serializer):
        serializer.save(submitted_by=self.request.user)

+    def get_queryset(self):
+        qs = super().get_queryset()
+        # if user do not have library permission, we limit to their
+        # own jobs
+        if not self.request.user.has_permissions('library'):
+            qs = qs.filter(submitted_by=self.request.user)
+        return qs
+

 class ImportJobViewSet(
        mixins.CreateModelMixin,
@ -105,11 +114,22 @@ class ImportJobViewSet(
    queryset = (models.ImportJob.objects.all().select_related())
    serializer_class = serializers.ImportJobSerializer
    permission_classes = (HasUserPermission,)
-    required_permissions = ['library']
+    required_permissions = ['library', 'upload']
+    permission_operator = 'or'
    filter_class = filters.ImportJobFilter

+    def get_queryset(self):
+        qs = super().get_queryset()
+        # if user do not have library permission, we limit to their
+        # own jobs
+        if not self.request.user.has_permissions('library'):
+            qs = qs.filter(batch__submitted_by=self.request.user)
+        return qs
+
    @list_route(methods=['get'])
    def stats(self, request, *args, **kwargs):
+        if not request.user.has_permissions('library'):
+            return Response(status=403)
        qs = models.ImportJob.objects.all()
        filterset = filters.ImportJobFilter(request.GET, queryset=qs)
        qs = filterset.qs
--- a/api/tests/music/test_views.py
+++ b/api/tests/music/test_views.py
@ -9,12 +9,12 @@ from funkwhale_api.music import views
 from funkwhale_api.federation import actors


-@pytest.mark.parametrize('view,permissions', [
-    (views.ImportBatchViewSet, ['library']),
-    (views.ImportJobViewSet, ['library']),
+@pytest.mark.parametrize('view,permissions,operator', [
+    (views.ImportBatchViewSet, ['library', 'upload'], 'or'),
+    (views.ImportJobViewSet, ['library', 'upload'], 'or'),
 ])
-def test_permissions(assert_user_permission, view, permissions):
-    assert_user_permission(view, permissions)
+def test_permissions(assert_user_permission, view, permissions, operator):
+    assert_user_permission(view, permissions, operator)


 def test_artist_list_serializer(api_request, factories, logged_in_api_client):
@ -351,3 +351,27 @@ def test_import_batch_and_job_run_via_api(

    run.assert_any_call(import_job_id=job1.pk)
    run.assert_any_call(import_job_id=job2.pk)
+
+
+def test_import_job_viewset_get_queryset_upload_filters_user(
+        factories, logged_in_api_client):
+    logged_in_api_client.user.permission_upload = True
+    logged_in_api_client.user.save()
+
+    job = factories['music.ImportJob']()
+    url = reverse('api:v1:import-jobs-list')
+    response = logged_in_api_client.get(url)
+
+    assert response.data['count'] == 0
+
+
+def test_import_batch_viewset_get_queryset_upload_filters_user(
+        factories, logged_in_api_client):
+    logged_in_api_client.user.permission_upload = True
+    logged_in_api_client.user.save()
+
+    job = factories['music.ImportBatch']()
+    url = reverse('api:v1:import-batches-list')
+    response = logged_in_api_client.get(url)
+
+    assert response.data['count'] == 0