Skip to content

[ENG-7810] improve action requests creation #11109

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 2, 2025
Merged

[ENG-7810] improve action requests creation #11109

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion api/actions/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,6 @@ def get_serializer_class(self):
return ReviewActionSerializer

def get_object(self):
action = None
action_id = self.kwargs['action_id']

if NodeRequestAction.objects.filter(_id=action_id).exists() or PreprintRequestAction.objects.filter(_id=action_id).exists():
Expand Down Expand Up @@ -169,6 +168,9 @@ class ReviewActionListCreate(JSONAPIBaseView, generics.ListCreateAPIView, Target
# overrides ListCreateAPIView
def perform_create(self, serializer):
target = serializer.validated_data['target']
if not target:
raise NotFound(f'Unable to find specified Action {target}')

self.check_object_permissions(self.request, target)

if not target.provider.is_reviewed:
Expand Down
111 changes: 101 additions & 10 deletions api_tests/actions/views/test_action_list.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,54 +57,106 @@ def moderator(self, provider):
moderator.groups.add(provider.get_group('moderator'))
return moderator

def test_create_permissions(
self, app, url, preprint, node_admin, moderator
):
def test_create_permissions_unauthorized(self, app, url, preprint, node_admin, moderator):
assert preprint.machine_state == 'initial'

submit_payload = self.create_payload(preprint._id, trigger='submit')
submit_payload = self.create_payload(
preprint._id,
trigger='submit'
)

# Unauthorized user can't submit
res = app.post_json_api(url, submit_payload, expect_errors=True)
res = app.post_json_api(
url,
submit_payload,
expect_errors=True
)
assert res.status_code == 401

def test_create_permissions_forbidden(self, app, url, preprint, node_admin, moderator):
assert preprint.machine_state == 'initial'

submit_payload = self.create_payload(
preprint._id,
trigger='submit'
)

# A random user can't submit
some_rando = AuthUserFactory()
res = app.post_json_api(
url, submit_payload,
url,
submit_payload,
auth=some_rando.auth,
expect_errors=True
)
assert res.status_code == 403

def test_create_permissions_success(self, app, url, preprint, node_admin, moderator):
assert preprint.machine_state == 'initial'

submit_payload = self.create_payload(
preprint._id,
trigger='submit'
)

# Node admin can submit
res = app.post_json_api(url, submit_payload, auth=node_admin.auth)
res = app.post_json_api(
url,
submit_payload,
auth=node_admin.auth
)
assert res.status_code == 201
preprint.refresh_from_db()
assert preprint.machine_state == 'pending'
assert not preprint.is_published

def test_accept_permissions_unauthorized(self, app, url, preprint, node_admin, moderator):
preprint.machine_state = 'pending'
preprint.save()
assert preprint.machine_state == 'pending'

accept_payload = self.create_payload(
preprint._id, trigger='accept', comment='This is good.'
preprint._id,
trigger='accept',
comment='This is good.'
)

# Unauthorized user can't accept
res = app.post_json_api(url, accept_payload, expect_errors=True)
assert res.status_code == 401

def test_accept_permissions_forbidden(self, app, url, preprint, node_admin, moderator):
preprint.machine_state = 'pending'
preprint.save()
assert preprint.machine_state == 'pending'

accept_payload = self.create_payload(
preprint._id,
trigger='accept',
comment='This is good.'
)

some_rando = AuthUserFactory()

# A random user can't accept
res = app.post_json_api(
url, accept_payload,
url,
accept_payload,
auth=some_rando.auth,
expect_errors=True
)
assert res.status_code == 403

# Moderator from another provider can't accept
def test_accept_permissions_other_mod(self, app, url, preprint, node_admin, moderator):
another_moderator = AuthUserFactory()
another_moderator.groups.add(
PreprintProviderFactory().get_group('moderator')
)
accept_payload = self.create_payload(
preprint._id,
trigger='accept',
comment='This is good.'
)
res = app.post_json_api(
url, accept_payload,
auth=another_moderator.auth,
Expand All @@ -120,6 +172,15 @@ def test_create_permissions(
)
assert res.status_code == 403

def test_accept_permissions_accept(self, app, url, preprint, node_admin, moderator):
preprint.machine_state = 'pending'
preprint.save()
accept_payload = self.create_payload(
preprint._id,
trigger='accept',
comment='This is good.'
)

# Still unchanged after all those tries
preprint.refresh_from_db()
assert preprint.machine_state == 'pending'
Expand Down Expand Up @@ -275,3 +336,33 @@ def test_valid_transitions(
assert preprint.date_last_transitioned is None
else:
assert preprint.date_last_transitioned == action.created

def test_invalid_target_id(self, app, moderator):
"""
This test simulates the issue reported where using either an invalid
action ID or an unrelated node ID as the target ID results in a 502 error.

It attempts to create a review action with a bad `target.id`.
"""
res = app.post_json_api(
f'/{API_BASE}actions/reviews/',
{
'data': {
'type': 'actions',
'attributes': {
'trigger': 'submit'
},
'relationships': {
'target': {
'data': {
'type': 'preprints',
'id': 'deadbeef1234'
}
}
}
}
},
auth=moderator.auth,
expect_errors=True
)
assert res.status_code == 404
Loading