@@ -16,9 +16,9 @@ from patchwork.models import Project
class ProjectSerializer(BaseHyperlinkedModelSerializer):
- link_name = CharField(max_length=255, source='linkname')
- list_id = CharField(max_length=255, source='listid')
- list_email = CharField(max_length=200, source='listemail')
+ link_name = CharField(max_length=255, source='linkname', read_only=True)
+ list_id = CharField(max_length=255, source='listid', read_only=True)
+ list_email = CharField(max_length=200, source='listemail', read_only=True)
maintainers = UserProfileSerializer(many=True, read_only=True,
source='maintainer_project')
@@ -27,7 +27,8 @@ class ProjectSerializer(BaseHyperlinkedModelSerializer):
fields = ('id', 'url', 'name', 'link_name', 'list_id', 'list_email',
'web_url', 'scm_url', 'webscm_url', 'maintainers',
'subject_match')
- read_only_fields = ('name', 'maintainers', 'subject_match')
+ read_only_fields = ('name', 'name', 'link_name', 'list_id',
+ 'list_email', 'maintainers', 'subject_match')
versioned_fields = {
'1.1': ('subject_match', ),
}
@@ -129,7 +129,7 @@ class TestProjectAPI(APITestCase):
def test_update(self):
"""Ensure updates can be performed by maintainers."""
project = create_project()
- data = {'linkname': 'TEST'}
+ data = {'web_url': 'TEST'}
# an anonymous user
resp = self.client.patch(self.api_url(project.id), data)
@@ -146,6 +146,15 @@ class TestProjectAPI(APITestCase):
self.client.force_authenticate(user=user)
resp = self.client.patch(self.api_url(project.id), data)
self.assertEqual(status.HTTP_200_OK, resp.status_code)
+ self.assertEqual(resp.data['web_url'], 'TEST')
+
+ # ...with the exception of some read-only fields
+ resp = self.client.patch(self.api_url(project.id), {
+ 'link_name': 'test'})
+ # NOTE(stephenfin): This actually returns HTTP 200 due to
+ # https://github.com/encode/django-rest-framework/issues/1655
+ self.assertEqual(status.HTTP_200_OK, resp.status_code)
+ self.assertNotEqual(resp.data['link_name'], 'test')
def test_delete(self):
"""Ensure deletions are rejected."""
new file mode 100644
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ A project's ``list_email``, ``list_id`` and ``link_name`` fields can no
+ longer be updated by via the REST API. This is a superuser-only operation
+ that, for now, should only be done via the admin interface.
These should only be configurable by superusers as invalid configuration can break things. Signed-off-by: Stephen Finucane <stephen@that.guru> --- This is a bug so I'm going to backport it as-is. --- patchwork/api/project.py | 9 +++++---- patchwork/tests/api/test_project.py | 11 ++++++++++- .../disable-project-fields-6412780e8de80e1c.yaml | 6 ++++++ 3 files changed, 21 insertions(+), 5 deletions(-) create mode 100644 releasenotes/notes/disable-project-fields-6412780e8de80e1c.yaml