Commit 18cd4c93 by Tasawer Nawaz Committed by Tasawer

update "OrderViewSet" class

Staff users can filter orders on username
ECOM-4550
parent fce9f674
...@@ -3,6 +3,7 @@ from django.db.models import Q ...@@ -3,6 +3,7 @@ from django.db.models import Q
from oscar.core.loading import get_model from oscar.core.loading import get_model
Order = get_model('order', 'Order')
Product = get_model('catalogue', 'Product') Product = get_model('catalogue', 'Product')
...@@ -18,3 +19,13 @@ class ProductFilter(django_filters.FilterSet): ...@@ -18,3 +19,13 @@ class ProductFilter(django_filters.FilterSet):
class Meta(object): class Meta(object):
model = Product model = Product
fields = ('product_class', 'structure', 'title',) fields = ('product_class', 'structure', 'title',)
class OrderFilter(django_filters.FilterSet):
""" Filter orders via query string parameter."""
username = django_filters.CharFilter(name='user__username')
class Meta(object):
model = Order
fields = ('username',)
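Review bot: The OrderFilter docstring begins with a stray space and does not say which query parameter or lookup it exposes; suggest `"""Filter orders by the ``username`` query-string parameter (lookup on ``user__username``; exact match unless a lookup type is configured)."""`. It is also worth stating there that the filter performs no authorization of its own — whether a caller may filter on another user's username is decided in OrderViewSet.filter_queryset — so anyone adding fields to Meta.fields knows that check must be revisited.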
...@@ -5,10 +5,11 @@ import httpretty ...@@ -5,10 +5,11 @@ import httpretty
import mock import mock
from django.contrib.auth.models import Permission from django.contrib.auth.models import Permission
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django.test import override_settings from django.test import override_settings, RequestFactory
from oscar.core.loading import get_model from oscar.core.loading import get_model
from oscar.test import factories from oscar.test import factories
from ecommerce.extensions.api.serializers import OrderSerializer
from ecommerce.extensions.api.tests.test_authentication import AccessTokenMixin from ecommerce.extensions.api.tests.test_authentication import AccessTokenMixin
from ecommerce.extensions.api.v2.tests.views import OrderDetailViewTestMixin from ecommerce.extensions.api.v2.tests.views import OrderDetailViewTestMixin
from ecommerce.extensions.fulfillment.signals import SHIPPING_EVENT_NAME from ecommerce.extensions.fulfillment.signals import SHIPPING_EVENT_NAME
...@@ -116,6 +117,39 @@ class OrderListViewTests(AccessTokenMixin, ThrottlingMixin, TestCase): ...@@ -116,6 +117,39 @@ class OrderListViewTests(AccessTokenMixin, ThrottlingMixin, TestCase):
self.assertEqual(content['results'][0]['user']['email'], admin_user.email) self.assertEqual(content['results'][0]['user']['email'], admin_user.email)
self.assertEqual(content['results'][0]['user']['username'], admin_user.username) self.assertEqual(content['results'][0]['user']['username'], admin_user.username)
def test_username_filter_with_staff(self):
""" Verify the staff user can filter data by username."""
# create two orders for different users
order = factories.create_order(user=self.user)
other_user = self.create_user()
other_order = factories.create_order(user=other_user)
requester = self.create_user(is_staff=True)
self.client.login(email=requester.email, password=self.password)
self.assert_list_with_username_filter(self.user, order)
self.assert_list_with_username_filter(other_user, other_order)
def test_username_filter_with_non_staff(self):
"""Non staff users are not allowed to filter on any other username."""
requester = self.create_user(is_staff=False)
self.client.login(username=requester.username, password=self.password)
response = self.client.get(self.path, {'username': self.user.username})
self.assertEqual(response.status_code, 403)
def assert_list_with_username_filter(self, user, order):
""" Helper method for making assertions. """
response = self.client.get(self.path, {'username': user.username})
self.assertEqual(response.status_code, 200)
self.assertEqual(
response.data['results'][0],
OrderSerializer(order, context={'request': RequestFactory(SERVER_NAME=self.site.domain).get('/')}).data
)
@ddt.ddt @ddt.ddt
@override_settings(ECOMMERCE_SERVICE_WORKER_USERNAME='test-service-user') @override_settings(ECOMMERCE_SERVICE_WORKER_USERNAME='test-service-user')
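Review bot: assert_list_with_username_filter compares only `response.data['results'][0]`, so a username filter that is silently ignored (for instance if the filter backend were not registered) could still pass whenever the expected order happens to sort first; add `self.assertEqual(len(response.data['results']), 1)` before comparing the entry. The non-staff test covers only another user's username, while the view allows a non-staff request with `?username=<own username>`; a test asserting that returns 200 with the requester's own orders would pin that branch. The two new tests also log in differently (`email=` in one, `username=` in the other), and using one form would be easier to maintain. OrderListViewTests continues outside the hunk.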
...@@ -2,16 +2,19 @@ ...@@ -2,16 +2,19 @@
import logging import logging
from oscar.core.loading import get_model, get_class from oscar.core.loading import get_model, get_class
from rest_framework import status, viewsets from rest_framework import filters, status, viewsets
from rest_framework.decorators import detail_route from rest_framework.decorators import detail_route
from rest_framework.exceptions import PermissionDenied
from rest_framework.permissions import IsAuthenticated, DjangoModelPermissions from rest_framework.permissions import IsAuthenticated, DjangoModelPermissions
from rest_framework.response import Response from rest_framework.response import Response
from ecommerce.extensions.api import serializers from ecommerce.extensions.api import serializers
from ecommerce.extensions.api.constants import APIConstants as AC from ecommerce.extensions.api.constants import APIConstants as AC
from ecommerce.extensions.api.filters import OrderFilter
from ecommerce.extensions.api.permissions import IsStaffOrOwner from ecommerce.extensions.api.permissions import IsStaffOrOwner
from ecommerce.extensions.api.throttles import ServiceUserThrottle from ecommerce.extensions.api.throttles import ServiceUserThrottle
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
Order = get_model('order', 'Order') Order = get_model('order', 'Order')
...@@ -23,13 +26,20 @@ class OrderViewSet(viewsets.ReadOnlyModelViewSet): ...@@ -23,13 +26,20 @@ class OrderViewSet(viewsets.ReadOnlyModelViewSet):
queryset = Order.objects.all() queryset = Order.objects.all()
serializer_class = serializers.OrderSerializer serializer_class = serializers.OrderSerializer
throttle_classes = (ServiceUserThrottle,) throttle_classes = (ServiceUserThrottle,)
filter_backends = (filters.DjangoFilterBackend,)
filter_class = OrderFilter
def filter_queryset(self, queryset): def filter_queryset(self, queryset):
queryset = super(OrderViewSet, self).filter_queryset(queryset) queryset = super(OrderViewSet, self).filter_queryset(queryset)
username = self.request.query_params.get('username')
user = self.request.user user = self.request.user
# Non-staff users should only see their own orders # Non-staff users should only see their own orders
if not user.is_staff: if not user.is_staff:
if username and user.username != username:
raise PermissionDenied
queryset = queryset.filter(user=user) queryset = queryset.filter(user=user)
return queryset return queryset
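Review bot: filter_queryset has no docstring, and the existing comment does not say that a non-staff request naming another user's username is rejected with 403 rather than quietly narrowed to the requester's own orders; suggest `"""Apply OrderFilter, then restrict non-staff users to their own orders; a non-staff ``username`` parameter that is not the requester's raises PermissionDenied."""`. A short comment on the `if username and user.username != username:` line could also record that the comparison is against `request.user.username` with no database lookup, so the 403 reveals nothing about whether the requested username exists. Note that `super().filter_queryset` applies the username filter before the ownership restriction; both narrow the queryset, so the order does not change the result, but that is worth a word in the docstring so the ordering is not "fixed" later. The enclosing OrderViewSet class continues outside the hunk.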