REST: Don't allow settings of some project fields

stephenfin · stephenfin · commit 1552b7d53969 · 2018-10-14T15:05:27.000+01:00
These should only be configurable by superusers as invalid configuration can break things. Signed-off-by: Stephen Finucane <stephen@that.guru> Closes: #217 (cherry picked from commit 530999b)
diff --git a/patchwork/api/project.py b/patchwork/api/project.py
@@ -30,9 +30,9 @@
 
 class ProjectSerializer(BaseHyperlinkedModelSerializer):
 
-    link_name = CharField(max_length=255, source='linkname')
-    list_id = CharField(max_length=255, source='listid')
-    list_email = CharField(max_length=200, source='listemail')
+    link_name = CharField(max_length=255, source='linkname', read_only=True)
+    list_id = CharField(max_length=255, source='listid', read_only=True)
+    list_email = CharField(max_length=200, source='listemail', read_only=True)
     maintainers = UserProfileSerializer(many=True, read_only=True,
                                         source='maintainer_project')
 
@@ -41,7 +41,8 @@ class Meta:
         fields = ('id', 'url', 'name', 'link_name', 'list_id', 'list_email',
                   'web_url', 'scm_url', 'webscm_url', 'maintainers',
                   'subject_match')
-        read_only_fields = ('name', 'maintainers', 'subject_match')
+        read_only_fields = ('name', 'link_name', 'list_id', 'list_email',
+                            'maintainers', 'subject_match')
         versioned_fields = {
             '1.1': ('subject_match', ),
         }
diff --git a/patchwork/tests/api/test_project.py b/patchwork/tests/api/test_project.py
@@ -143,7 +143,7 @@ def test_create(self):
     def test_update(self):
         """Ensure updates can be performed by maintainers."""
         project = create_project()
-        data = {'linkname': 'TEST'}
+        data = {'web_url': 'TEST'}
 
         # an anonymous user
         resp = self.client.patch(self.api_url(project.id), data)
@@ -160,6 +160,15 @@ def test_update(self):
         self.client.force_authenticate(user=user)
         resp = self.client.patch(self.api_url(project.id), data)
         self.assertEqual(status.HTTP_200_OK, resp.status_code)
+        self.assertEqual(resp.data['web_url'], 'TEST')
+
+        # ...with the exception of some read-only fields
+        resp = self.client.patch(self.api_url(project.id), {
+            'link_name': 'test'})
+        # NOTE(stephenfin): This actually returns HTTP 200 due to
+        # https://github.com/encode/django-rest-framework/issues/1655
+        self.assertEqual(status.HTTP_200_OK, resp.status_code)
+        self.assertNotEqual(resp.data['link_name'], 'test')
 
     def test_delete(self):
         """Ensure deletions are rejected."""
diff --git a/releasenotes/notes/issue-217-676f3f737e46320e.yaml b/releasenotes/notes/issue-217-676f3f737e46320e.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    A project's ``list_email``, ``list_id`` and ``link_name`` fields can no
+    longer be updated via the REST API. This is a superuser-only operation
+    that, for now, should only be done via the admin interface.
+    (`#217 <https://github.com/getpatchwork/patchwork/issues/217>`__)
