adapt note/thread permissions for creation (bug 879545)

* Also, add creation tests.

Author: dash1291

mkt/comm/api.py

@@ -3,25 +3,27 @@
 from django.db.models import Q
 from django.http import Http404
 
+import commonware.log
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.mixins import (CreateModelMixin, DestroyModelMixin,
                                    ListModelMixin, RetrieveModelMixin)
 from rest_framework.permissions import BasePermission
 from rest_framework.relations import HyperlinkedRelatedField, RelatedField
 from rest_framework.serializers import ModelSerializer
-from rest_framework.viewsets import GenericViewSet
 
 from access import acl
 from comm.models import (CommunicationNote, CommunicationThread,
-                         CommunicationThreadCC)
+                         CommunicationThreadCC, CommunicationThreadToken)
 from mkt.api.authentication import (RestOAuthAuthentication,
                                     RestSharedSecretAuthentication)
+from mkt.api.base import CORSViewSet
 from mkt.webpay.forms import PrepareForm
 
+log = commonware.log.getLogger('mkt.comm')
+
 
 class NoteSerializer(ModelSerializer):
-    thread = HyperlinkedRelatedField(read_only=True,
-                                     view_name='comm-thread-detail')
+    thread = HyperlinkedRelatedField(view_name='comm-thread-detail')
     body = RelatedField('body')
 
     class Meta:
@@ -77,7 +79,6 @@ def has_object_permission(self, request, view, obj):
         Moreover, other object permissions are also checked agaisnt the ACLs
         of the user.
         """
-
         if not request.user.is_authenticated() or obj.read_permission_public:
             return obj.read_permission_public
 
@@ -86,6 +87,7 @@ def has_object_permission(self, request, view, obj):
             thread=obj)
         user_cc = CommunicationThreadCC.objects.filter(user=profile,
             thread=obj)
+
         if user_post.exists() or user_cc.exists():
             return True
 
@@ -114,18 +116,41 @@ def has_object_permission(self, request, view, obj):
 
 
 class NotePermission(ThreadPermission):
+
+    def has_permission(self, request, view):
+        if view.action == 'create':
+            if not request.user.is_authenticated():
+                return False
+
+            serializer = view.get_serializer(data=request.DATA)
+            if not serializer.is_valid():
+                return False
+
+            obj = serializer.object
+            # Check if author and user who created this request mismatch.
+            if obj.author.id != request.amo_user.id:
+                return False
+
+            # Determine permission to add the note based on the thread
+            # permission.
+            return ThreadPermission.has_object_permission(self,
+                request, view, obj.thread)
+
+        return True
+
     def has_object_permission(self, request, view, obj):
-        return super(ThreadPermission, self).has_object_permission(request,
-            view, obj.thread)
+        return ThreadPermission.has_object_permission(self, request, view,
+            obj.thread)
 
 
 class ThreadViewSet(ListModelMixin, RetrieveModelMixin, DestroyModelMixin,
-                    CreateModelMixin, GenericViewSet):
+                    CreateModelMixin, CORSViewSet):
     model = CommunicationThread
     serializer_class = ThreadSerializer
     authentication_classes = (RestOAuthAuthentication,
                               RestSharedSecretAuthentication)
     permission_classes = (ThreadPermission,)
+    cors_allowed_methods = ['get', 'post']
 
     def list(self, request):
         profile = request.amo_user
@@ -145,20 +170,31 @@ def list(self, request):
                 addon=form.cleaned_data['app'])
         else:
             # We list all the threads which uses an add-on authored by the
-            # user.
+            # user and with read permissions for add-on devs.
             notes, cc = list(notes), list(cc)
             addons = list(profile.addons.values_list('pk', flat=True))
+            q_dev = Q(addon__in=addons, read_permission_developer=True)
             queryset = CommunicationThread.objects.filter(
-                Q(pk__in=notes + cc) | Q(addon__in=addons))
+                Q(pk__in=notes + cc) | q_dev)
 
         self.queryset = queryset
         return ListModelMixin.list(self, request)
 
 
 class NoteViewSet(CreateModelMixin, RetrieveModelMixin, DestroyModelMixin,
-                  GenericViewSet):
+                  CORSViewSet):
     model = CommunicationNote
     serializer_class = NoteSerializer
     authentication_classes = (RestOAuthAuthentication,
                               RestSharedSecretAuthentication,)
     permission_classes = (NotePermission,)
+    cors_allowed_methods = ['get', 'post', 'delete']
+
+    def create(self, request):
+        res = CreateModelMixin.create(self, request)
+        if res.status_code == 201:
+            tok = CommunicationThreadToken.objects.create(
+                thread=self.object.thread, user=self.object.author)
+            log.info('Reply token with UUID %s created.' % (tok.uuid))
+
+        return res

mkt/comm/tests/test_api.py

@@ -1,13 +1,16 @@
+import json
+
 from django.core.urlresolvers import reverse
 
 from nose.tools import eq_
 from test_utils import RequestFactory
 
 from amo.tests import addon_factory
 from comm.models import (CommunicationNote, CommunicationThread,
-                         CommunicationThreadCC)
+                         CommunicationThreadCC, CommunicationThreadToken)
 from mkt.api.tests.test_oauth import RestOAuth
 from mkt.comm.api import ThreadPermission
+from mkt.constants import comm as const
 from mkt.site.fixtures import fixture
 from mkt.webapps.models import Webapp
 
@@ -93,6 +96,12 @@ def test_read_staff(self):
             read_permission_staff=True)
         assert self.check_permissions()
 
+    def test_cors_allowed(self):
+        thread = CommunicationThread.objects.create(addon=self.addon)
+        res = self.client.get(reverse('comm-thread-detail',
+                                      kwargs={'pk': thread.pk}))
+        self.assertCORS(res, 'get', 'post')
+
 
 class TestThreadList(RestOAuth):
     fixtures = fixture('webapp_337141', 'user_2519')
@@ -127,14 +136,27 @@ def test_addon_filter(self):
         res = self.client.get(self.list_url, {'app': '1000'})
         eq_(res.status_code, 404)
 
+    def test_creation(self):
+        thread = CommunicationThread.objects.create(addon=self.addon)
+        version = self.addon.current_version
+        res = self.client.post(self.list_url, data=json.dumps(
+            {'addon': self.addon.id, 'version': version.id}))
+
+        eq_(res.status_code, 201)
+
 
 class TestNote(RestOAuth):
-    fixtures = fixture('webapp_337141', 'user_2519')
+    fixtures = fixture('webapp_337141', 'user_2519', 'user_999')
 
     def setUp(self):
         super(TestNote, self).setUp()
         addon = Webapp.objects.get(pk=337141)
-        self.thread = CommunicationThread.objects.create(addon=addon)
+        self.list_url = reverse('comm-note-list')
+        self.thread = CommunicationThread.objects.create(addon=addon,
+            read_permission_developer=True)
+        self.thread_url = reverse('comm-thread-detail',
+                                  kwargs={'pk': self.thread.id})
+        self.profile.addonuser_set.create(addon=addon)
 
     def test_response(self):
         note = CommunicationNote.objects.create(author=self.profile,
@@ -143,3 +165,35 @@ def test_response(self):
                                       kwargs={'pk': note.id}))
         eq_(res.status_code, 200)
         eq_(res.json['body'], 'something')
+
+    def test_creation(self):
+        res = self.client.post(self.list_url, data=json.dumps(
+            {'thread': self.thread_url, 'author': self.profile.id,
+             'note_type': '0', 'body': 'something'}))
+        eq_(res.status_code, 201)
+        count = CommunicationThreadToken.objects.filter(
+            thread=self.thread, user=self.profile).count()
+        eq_(count, 1)
+
+    def test_creation_denied(self):
+        self.thread.read_permission_developer = False
+        self.thread.save()
+        res = self.client.post(self.list_url, data=json.dumps(
+            {'thread': self.thread_url, 'author': self.profile.id,
+             'note_type': '0', 'body': 'something'}))
+        eq_(res.status_code, 403)
+
+    def test_creation_by_diff_user_denied(self):
+        """
+        Test that the creation by specifying a different user as author fails.
+        """
+        self.thread.read_permission_developer = True
+        self.thread.save()
+        res = self.client.post(self.list_url, data=json.dumps(
+            {'thread': self.thread_url, 'author': '999',
+             'note_type': '0', 'body': 'something'}))
+        eq_(res.status_code, 403)
+
+    def test_cors_allowed(self):
+        res = self.client.get(self.list_url)
+        self.assertCORS(res, 'get', 'post', 'delete')