Merge pull request #297 from openedx/ammar/make-endpoints-readonly

fix: make endpoints readonly
openedx · Apr 18, 2022 · 0953e8b · 0953e8b
2 parents 3249c23 + 85f8ed2
commit 0953e8b
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 7 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -15,6 +15,10 @@ Unreleased
 ----------
 
 =========================
+[4.2.4] - 2022-04-18
+---------------------
+  * Make API endpoints readonly.
+
 [4.2.3] - 2022-03-16
 ---------------------
   * Remove error handling for rate limit exceptions for data API calls

diff --git a/enterprise_data/__init__.py b/enterprise_data/__init__.py
@@ -2,6 +2,6 @@
 Enterprise data api application. This Django app exposes API endpoints used by enterprises.
 """
 
-__version__ = "4.2.3"
+__version__ = "4.2.4"
 
 default_app_config = "enterprise_data.apps.EnterpriseDataAppConfig"  # pylint: disable=invalid-name
diff --git a/enterprise_data/api/v0/views.py b/enterprise_data/api/v0/views.py
@@ -61,7 +61,7 @@ def paginate_queryset(self, queryset):
         return super().paginate_queryset(queryset)  # pylint: disable=no-member
 
 
-class EnterpriseEnrollmentsViewSet(EnterpriseViewSet, viewsets.ModelViewSet):
+class EnterpriseEnrollmentsViewSet(EnterpriseViewSet, viewsets.ReadOnlyModelViewSet):
     """
     Viewset for routes related to Enterprise course enrollments.
     """
@@ -232,7 +232,7 @@ def overview(self, request, **kwargs):
         return Response(content)
 
 
-class EnterpriseUsersViewSet(EnterpriseViewSet, viewsets.ModelViewSet):
+class EnterpriseUsersViewSet(EnterpriseViewSet, viewsets.ReadOnlyModelViewSet):
     """
     Viewset for routes related to Enterprise users.
     """
@@ -330,7 +330,7 @@ def list(self, request, **kwargs):  # pylint: disable=arguments-differ
         return Response(serializer.data)
 
 
-class EnterpriseLearnerCompletedCoursesViewSet(EnterpriseViewSet, viewsets.ModelViewSet):
+class EnterpriseLearnerCompletedCoursesViewSet(EnterpriseViewSet, viewsets.ReadOnlyModelViewSet):
     """
     View to manage enterprise learner completed course enrollments.
     """

diff --git a/enterprise_data/api/v1/views.py b/enterprise_data/api/v1/views.py
@@ -56,7 +56,7 @@ def paginate_queryset(self, queryset):
         return super().paginate_queryset(queryset)  # pylint: disable=no-member
 
 
-class EnterpriseLearnerEnrollmentViewSet(EnterpriseViewSet, viewsets.ModelViewSet):
+class EnterpriseLearnerEnrollmentViewSet(EnterpriseViewSet, viewsets.ReadOnlyModelViewSet):
     """
     Viewset for routes related to Enterprise course enrollments.
     """
@@ -250,7 +250,7 @@ def overview(self, request, **kwargs):
         return Response(content)
 
 
-class EnterpriseLearnerViewSet(EnterpriseViewSet, viewsets.ModelViewSet):
+class EnterpriseLearnerViewSet(EnterpriseViewSet, viewsets.ReadOnlyModelViewSet):
     """
     Viewset for routes related to Enterprise Learners.
     """
@@ -355,7 +355,7 @@ def list(self, request, **kwargs):  # pylint: disable=arguments-differ
         return Response(serializer.data)
 
 
-class EnterpriseLearnerCompletedCoursesViewSet(EnterpriseViewSet, viewsets.ModelViewSet):
+class EnterpriseLearnerCompletedCoursesViewSet(EnterpriseViewSet, viewsets.ReadOnlyModelViewSet):
     """
     View to manage enterprise learner completed course enrollments.
     """

diff --git a/enterprise_data/tests/test_views.py b/enterprise_data/tests/test_views.py
@@ -66,6 +66,11 @@ def tearDown(self):
         EnterpriseUser.objects.all().delete()
         EnterpriseEnrollment.objects.all().delete()
 
+    def test_options_request(self):
+        url = reverse('v0:enterprise-enrollments-list', kwargs={'enterprise_id': self.enterprise_id})
+        response = self.client.options(url)
+        assert response.headers['Allow'] == 'GET, HEAD, OPTIONS'
+
     @staticmethod
     def _get_enrollments_expected_data(enrollments):
         """
@@ -881,6 +886,11 @@ def tearDown(self):
         EnterpriseUser.objects.all().delete()
         EnterpriseEnrollment.objects.all().delete()
 
+    def test_options_request(self):
+        url = reverse('v0:enterprise-users-list', kwargs={'enterprise_id': self.enterprise_id})
+        response = self.client.options(url)
+        assert response.headers['Allow'] == 'GET, HEAD, OPTIONS'
+
     def test_viewset_no_query_params(self):
         """
         EnterpriseUserViewset should return all users if no filtering query
@@ -1409,6 +1419,11 @@ def tearDown(self):
         EnterpriseUser.objects.all().delete()
         EnterpriseEnrollment.objects.all().delete()
 
+    def test_options_request(self):
+        url = reverse('v0:enterprise-learner-completed-courses-list', kwargs={'enterprise_id': self.enterprise_id})
+        response = self.client.options(url)
+        assert response.headers['Allow'] == 'GET, HEAD, OPTIONS'
+
     def test_get_learner_completed_courses(self):
         """
         Test that we get correct number of courses completed by a learner.