Commit 0e2551fe authored by adietmue's avatar adietmue

Protect course->lecture and signup->nethz from patching

parent 3bce48b6
......@@ -7,7 +7,7 @@ from os import getcwd
from eve import Eve
from flask import Config
from auth import APIAuth, APIValidator, only_own_signups
from security import APIAuth, APIValidator, only_own_signups
def create_app(settings=None):
......
......@@ -144,3 +144,8 @@ class APIValidator(Validator):
self._error(field, "value already exists in the database in " +
"combination with values for: %s" %
unique_combination)
def _validate_not_patchable(self, enabled, field, value):
"""Inhibit patching of the field, copied from AMIVAPI."""
if enabled and (request.method == 'PATCH'):
self._error(field, "this field can not be changed with PATCH")
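Review bot: `_validate_not_patchable` refuses the field only when `request.method == 'PATCH'`, so the two fields marked `'not_patchable': True` in the settings hunks (course `lecture`, signup `nethz`) stay replaceable through an item PUT if PUT is among those resources' item methods, which this commit does not show; either confirm PUT is not enabled for `courses` and `signups`, or widen the check, e.g. `if enabled and request.method in ('PATCH', 'PUT'):`. The method also references `request` with no import visible in the hunk; if `security.py` does not already import it from flask, the validator fails with NameError on the first PATCH. The docstring should state the scope so a reader does not assume the field is immutable, e.g. `"""Reject the field on PATCH requests only (POST/PUT are not affected); copied from AMIVAPI."""`. The enclosing class `APIValidator` starts outside the hunk.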
......@@ -90,6 +90,7 @@ DOMAIN = {
'field': '_id',
'embeddable': True
},
'not_patchable': True, # Course is tied to lecture
},
'assistant': {
'type': 'objectid',
......@@ -132,6 +133,7 @@ DOMAIN = {
'nullable': False,
'required': True,
'only_own_nethz': True,
'not_patchable': True, # Signup is tied to user
},
'course': {
'type': 'objectid',
......
"""Tests for basic requests to all resources."""
from flask import g
......@@ -86,3 +85,35 @@ def test_no_double_signup(app):
_signup(first, 422)
# Sign up to other courses still fine
_signup(second, 201)
def test_no_patch(app):
"""Test that certain fields cannot be changed.
These are: Course->lecture and signup->nethz
"""
no_patch_error = "this field can not be changed with PATCH"
with app.test_request_context():
# Fake a admin user
g.user = 'Not None :)'
g.admin = True
headers = {'Authorization': 'Token Trolololo', 'If-Match': 'tag'}
# Create fake resources, make sure to set _etag so we can patch
course = str(app.data.driver.db['courses'].insert({'_etag': 'tag'}))
signup = str(app.data.driver.db['signups'].insert({'_etag': 'tag'}))
# Make sure that the objectid of patch data is valid
new_lecture = str(app.data.driver.db['lectures'].insert({}))
course_url = '/courses/' + course
signup_url = '/signups/' + signup
response = app.client.patch(course_url, headers=headers,
data={'lecture': new_lecture},
assert_status=422)
assert response["_issues"]["lecture"] == no_patch_error
response = app.client.patch(signup_url, headers=headers,
data={'nethz': 'lalala'},
assert_status=422)
assert response["_issues"]["nethz"] == no_patch_error
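Review bot: `test_no_patch` has no positive control, so only the `_issues` message text ties the 422 to `not_patchable` rather than to some other rejection of these deliberately minimal documents (both are inserted with nothing but `_etag`); a PATCH of an unrelated field on the same item that is expected to succeed would make the test discriminating. The test also never reads the two documents back after the rejected PATCH to confirm `lecture` and `nethz` are untouched, and it does not exercise PUT, which the new validator does not intercept, so a regression where PUT is enabled for these resources would pass unnoticed. Setting `g.user` and `g.admin` inside `test_request_context()` is assumed to carry into the `app.client.patch` calls; that depends on the project's client wrapper and is worth confirming.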