feat: Implement locking a session feature by organizer (#5931)

adds a migration file for adding is_locked attribute to session Adds a check to raise error is locked session is edited Updates source to forbidden exception check to ensure is_locked can be updated only by admin/organizer
fossasia · May 27, 2019 · 2ccffb4 · 2ccffb4
1 parent 0f0864e
commit 2ccffb4
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 3 deletions.
diff --git a/app/api/schema/sessions.py b/app/api/schema/sessions.py
@@ -86,6 +86,7 @@ def validate_date(self, data, original_data):
     deleted_at = fields.DateTime(dump_only=True)
     submitted_at = fields.DateTime(allow_none=True)
     is_mail_sent = fields.Boolean()
+    is_locked = fields.Boolean(default=False)
     last_modified_at = fields.DateTime(dump_only=True)
     send_email = fields.Boolean(load_only=True, allow_none=True)
     average_rating = fields.Float(dump_only=True)

diff --git a/app/api/sessions.py b/app/api/sessions.py
@@ -7,6 +7,7 @@
 from app.api.helpers.mail import send_email_new_session, send_email_session_accept_reject
 from app.api.helpers.notification import send_notif_new_session_organizer, send_notif_session_accept_reject
 from app.api.helpers.permissions import current_identity
+from app.api.helpers.permission_manager import has_access
 from app.api.helpers.query import event_query
 from app.api.helpers.utilities import require_relationship
 from app.api.schema.sessions import SessionSchema
@@ -130,6 +131,22 @@ def before_get_object(self, view_kwargs):
             event = safe_query(self, Event, 'identifier', view_kwargs['event_identifier'], 'identifier')
             view_kwargs['event_id'] = event.id
 
+    def before_update_object(self, session, data, view_kwargs):
+        """
+        before update method to verify if session is locked before updating session object
+        :param event:
+        :param data:
+        :param view_kwargs:
+        :return:
+        """
+        if data.get('is_locked') != session.is_locked:
+            if not (has_access('is_admin') or has_access('is_organizer')):
+                raise ForbiddenException({'source': '/data/attributes/is-locked'},
+                                         "You don't have enough permissions to change this property")
+
+        if session.is_locked and data.get('is_locked') == session.is_locked:
+            raise ForbiddenException({'source': '/data/attributes/is-locked'}, "Locked sessions cannot be edited")
+
     def after_update_object(self, session, data, view_kwargs):
         """ Send email if session accepted or rejected """
 
@@ -181,8 +198,11 @@ def after_update_object(self, session, data, view_kwargs):
     schema = SessionSchema
     data_layer = {'session': db.session,
                   'model': Session,
-                  'methods': {'before_get_object': before_get_object,
-                              'after_update_object': after_update_object}}
+                  'methods': {
+                      'before_update_object': before_update_object,
+                      'before_get_object': before_get_object,
+                      'after_update_object': after_update_object
+                  }}
 
 
 class SessionRelationshipRequired(ResourceRelationship):

diff --git a/app/models/session.py b/app/models/session.py
@@ -53,6 +53,7 @@ class Session(SoftDeletionModel):
     is_mail_sent = db.Column(db.Boolean, default=False)
     last_modified_at = db.Column(db.DateTime(timezone=True), default=datetime.datetime.utcnow)
     send_email = db.Column(db.Boolean, nullable=True)
+    is_locked = db.Column(db.Boolean, default=False, nullable=False)
 
     def __init__(self,
                  title=None,
@@ -81,7 +82,8 @@ def __init__(self,
                  deleted_at=None,
                  submitted_at=None,
                  last_modified_at=None,
-                 send_email=None):
+                 send_email=None,
+                 is_locked=False):
 
         if speakers is None:
             speakers = []
@@ -113,6 +115,7 @@ def __init__(self,
         self.submission_modifier = submission_modifier
         self.last_modified_at = datetime.datetime.now(pytz.utc)
         self.send_email = send_email
+        self.is_locked = is_locked
 
     @staticmethod
     def get_service_name():

diff --git a/migrations/versions/b3bfa7949acf_.py b/migrations/versions/b3bfa7949acf_.py
@@ -0,0 +1,30 @@
+"""empty message
+
+Revision ID: b3bfa7949acf
+Revises: 6f7b6fad3f55
+Create Date: 2019-05-20 04:52:51.103580
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+import sqlalchemy_utils
+
+
+# revision identifiers, used by Alembic.
+revision = 'b3bfa7949acf'
+down_revision = '6f7b6fad3f55'
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('sessions', sa.Column('is_locked', sa.Boolean(), server_default='False', nullable=False))
+    op.add_column('sessions_version', sa.Column('is_locked', sa.Boolean(), server_default='False', nullable=False))
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column('sessions_version', 'is_locked')
+    op.drop_column('sessions', 'is_locked')
+    # ### end Alembic commands ###