Merge pull request #480 from edx/tasawer/ecom-6336/ecom-6524/create-api-for-comment-edit

API for Comment Widget - Edit

course_discovery/apps/publisher_comments/api/permissions.py

+from rest_framework import permissions
+
+
+class IsOwner(permissions.BasePermission):
+    """
+    Custom permission to only allow owners of the object.
+    """
+    def has_object_permission(self, request, view, obj):
+        return obj.user == request.user

course_discovery/apps/publisher_comments/api/serializers.py

+from rest_framework import serializers
+from course_discovery.apps.publisher_comments.models import Comments
+
+
+class CommentSerializer(serializers.ModelSerializer):
+
+    class Meta:
+        model = Comments
+        fields = ('comment', )

course_discovery/apps/publisher_comments/api/tests/test_permissions.py

+from unittest import TestCase
+
+from rest_framework.request import Request
+from rest_framework.test import APIRequestFactory, force_authenticate
+
+from course_discovery.apps.core.tests.factories import UserFactory
+from course_discovery.apps.publisher_comments.api.permissions import IsOwner
+from course_discovery.apps.publisher_comments.tests.factories import CommentFactory
+
+
+class IsOwnerTests(TestCase):
+    def setUp(self):
+        super(IsOwnerTests, self).setUp()
+        self.permissions_class = IsOwner()
+        self.user = UserFactory.create()
+        self.comment = CommentFactory.create(user=self.user, comment='test comment')
+
+    def test_is_owner_permission(self):
+        """ If object.user matches request.user, return True. """
+
+        # users has access to their own objects
+        request = self._make_request(user=self.user, data={'comment': 'update_comment'})
+        self.assertTrue(self.permissions_class.has_object_permission(request, None, self.comment))
+
+        # users CANNOT have access to object of other users
+        user = UserFactory.create()
+        request = self._make_request(user=user, data={'username': 'other_guy'})
+        self.assertFalse(self.permissions_class.has_object_permission(request, None, self.comment))
+
+    def _make_request(self, user=None, data=None):
+        request = APIRequestFactory().put('/', data)
+
+        if user:
+            force_authenticate(request, user=user)
+
+        return Request(request)

course_discovery/apps/publisher_comments/api/tests/test_serializers.py

+from django.test import TestCase
+
+from course_discovery.apps.publisher_comments.api.serializers import CommentSerializer
+from course_discovery.apps.publisher_comments.tests.factories import CommentFactory
+
+
+class CommentSerializerTests(TestCase):
+
+    def test_data(self):
+        """ Verify that CommentsSerializer serialize the comment object. """
+        comment = CommentFactory.create(comment='test comment')
+        serializer = CommentSerializer(comment)
+        expected = {'comment': 'test comment'}
+        self.assertDictEqual(serializer.data, expected)

course_discovery/apps/publisher_comments/api/tests/test_views.py

+import json
+
+from django.test import TestCase
+from rest_framework.reverse import reverse
+
+from course_discovery.apps.core.tests.factories import UserFactory, USER_PASSWORD
+from course_discovery.apps.publisher.tests import JSON_CONTENT_TYPE
+from course_discovery.apps.publisher_comments.models import Comments
+from course_discovery.apps.publisher_comments.tests.factories import CommentFactory
+
+
+class UpdateCommentTests(TestCase):
+
+    def setUp(self):
+        super(UpdateCommentTests, self).setUp()
+
+        self.user = UserFactory.create()
+        self.comment = CommentFactory.create(user=self.user)
+        self.path = reverse('publisher_comments:api:comments', kwargs={'pk': self.comment.id})
+        self.data = {'comment': 'updated comment'}
+
+    def test_update(self):
+        """ Verify update endpoint allows to update 'comment'. """
+
+        self.client.login(username=self.user.username, password=USER_PASSWORD)
+        response = self.client.patch(self.path, json.dumps(self.data), JSON_CONTENT_TYPE)
+
+        comment = Comments.objects.get(id=self.comment.id)
+
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(comment.comment, self.data['comment'])
+
+    def test_update_without_editing_permission(self):
+        """ Verify that non owner user of the comment can not edit. """
+        dummy_user = UserFactory.create()
+        self.client.login(username=dummy_user.username, password=USER_PASSWORD)
+
+        response = self.client.patch(self.path, json.dumps(self.data), JSON_CONTENT_TYPE)
+        self.assertEqual(response.status_code, 403)

course_discovery/apps/publisher_comments/api/urls.py

+""" Publisher comments API URLs. """
+from django.conf.urls import url
+
+from course_discovery.apps.publisher_comments.api import views
+
+urlpatterns = [
+    url(r'^comments/(?P<pk>\d+)/$', views.UpdateCommentView.as_view(), name='comments'),
+]

course_discovery/apps/publisher_comments/api/views.py

+from rest_framework.generics import UpdateAPIView
+from rest_framework.permissions import IsAuthenticated
+
+from course_discovery.apps.publisher_comments.api.permissions import IsOwner
+from course_discovery.apps.publisher_comments.api.serializers import CommentSerializer
+from course_discovery.apps.publisher_comments.models import Comments
+
+
+class UpdateCommentView(UpdateAPIView):
+    serializer_class = CommentSerializer
+    queryset = Comments.objects.all()
+    permission_classes = (IsAuthenticated, IsOwner)

course_discovery/apps/publisher_comments/urls.py

 """
-URLs for the course publisher views.
+URLs for the course publisher comments views.
 """
-from django.conf.urls import url
+from django.conf.urls import url, include
 
 from course_discovery.apps.publisher_comments import views
 
 urlpatterns = [
+    url(r'^api/', include('course_discovery.apps.publisher_comments.api.urls', namespace='api')),
     url(r'^(?P<pk>\d+)/edit/$', views.UpdateCommentView.as_view(), name='comment_edit'),
 ]