REST: Validate patch delegate

At present, only users who are maintainers of projects can be delegated
a project. Validate this. This is currently broken due to #216 but that
will be fixed in a future change.

Signed-off-by: Stephen Finucane <stephen@that.guru>
(cherry picked from commit b690746)

Author: stephenfin

patchwork/api/patch.py

@@ -25,6 +25,7 @@
 from rest_framework.relations import RelatedField
 from rest_framework.reverse import reverse
 from rest_framework.serializers import SerializerMethodField
+from rest_framework.serializers import ValidationError
 
 from patchwork.api.base import BaseHyperlinkedModelSerializer
 from patchwork.api.base import PatchworkPermission
@@ -113,6 +114,14 @@ def get_tags(self, instance):
         # model
         return {}
 
+    def validate_delegate(self, value):
+        """Check that the delgate is a maintainer of the patch's project."""
+        if not self.instance.project.maintainer_project.filter(
+                id=value.id).exists():
+            raise ValidationError("User '%s' is not a maintainer for project "
+                                  "'%s'" % (value, self.instance.project))
+        return value
+
     class Meta:
         model = Patch
         fields = ('id', 'url', 'web_url', 'project', 'msgid', 'date', 'name',

patchwork/tests/api/test_patch.py

@@ -218,12 +218,15 @@ def test_update(self):
         # maintainer
         user = create_maintainer(project)
         self.client.force_authenticate(user=user)
-        resp = self.client.patch(self.api_url(patch.id), {'state': state.name})
-        self.assertEqual(status.HTTP_200_OK, resp.status_code)
+        resp = self.client.patch(self.api_url(patch.id), {
+            'state': state.name, 'delegate': user.id})
+        self.assertEqual(status.HTTP_200_OK, resp.status_code, resp)
         self.assertEqual(Patch.objects.get(id=patch.id).state, state)
+        # TODO(stephenfin): This is currently broken due to #216
+        # self.assertEqual(Patch.objects.get(id=patch.id).delegate, user)
 
     def test_update_invalid(self):
-        """Ensure we handle invalid Patch states."""
+        """Ensure we handle invalid Patch updates."""
         project = create_project()
         state = create_state()
         patch = create_patch(project=project, state=state)
@@ -236,6 +239,15 @@ def test_update_invalid(self):
         self.assertContains(resp, 'Expected one of: %s.' % state.name,
                             status_code=status.HTTP_400_BAD_REQUEST)
 
+        # invalid delegate
+        user_b = create_user()
+        resp = self.client.patch(self.api_url(patch.id),
+                                 {'delegate': user_b.id})
+        # TODO(stephenfin): This is currently broken due to #216
+        # self.assertEqual(status.HTTP_400_BAD_REQUEST, resp.status_code)
+        # self.assertContains(resp, "User '%s' is not a maintainer" % user_b,
+        #                     status_code=status.HTTP_400_BAD_REQUEST)
+
     def test_delete(self):
         """Ensure deletions are always rejected."""
         project = create_project()