update "OrderViewSet" class

Staff users can filter orders on username ECOM-4550

update "OrderViewSet" class
Staff users can filter orders on username ECOM-4550
18cd4c93 · Tasawer Nawaz · Tasawer · fce9f674 · 18cd4c93 · 18cd4c93
Commit 18cd4c93 authored May 26, 2016 by Tasawer Nawaz Committed by Tasawer Jun 02, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 57 additions and 2 deletions

ecommerce/extensions/api/filters.py
+11 -0

ecommerce/extensions/api/v2/tests/views/test_orders.py
+35 -1

ecommerce/extensions/api/v2/views/orders.py
+11 -1

No files found.
--- a/ecommerce/extensions/api/filters.py
+++ b/ecommerce/extensions/api/filters.py
@@ -3,6 +3,7 @@ from django.db.models import Q

 from oscar.core.loading import get_model

+Order = get_model('order', 'Order')
 Product = get_model('catalogue', 'Product')


@@ -18,3 +19,13 @@ class ProductFilter(django_filters.FilterSet):
    class Meta(object):
        model = Product
        fields = ('product_class', 'structure', 'title',)
+
+
+class OrderFilter(django_filters.FilterSet):
+    """ Filter orders via query string parameter."""
+
+    username = django_filters.CharFilter(name='user__username')
+
+    class Meta(object):
+        model = Order
+        fields = ('username',)
--- a/ecommerce/extensions/api/v2/tests/views/test_orders.py
+++ b/ecommerce/extensions/api/v2/tests/views/test_orders.py
@@ -5,10 +5,11 @@ import httpretty
 import mock
 from django.contrib.auth.models import Permission
 from django.core.urlresolvers import reverse
-from django.test import override_settings
+from django.test import override_settings, RequestFactory
 from oscar.core.loading import get_model
 from oscar.test import factories

+from ecommerce.extensions.api.serializers import OrderSerializer
 from ecommerce.extensions.api.tests.test_authentication import AccessTokenMixin
 from ecommerce.extensions.api.v2.tests.views import OrderDetailViewTestMixin
 from ecommerce.extensions.fulfillment.signals import SHIPPING_EVENT_NAME
@@ -116,6 +117,39 @@ class OrderListViewTests(AccessTokenMixin, ThrottlingMixin, TestCase):
        self.assertEqual(content['results'][0]['user']['email'], admin_user.email)
        self.assertEqual(content['results'][0]['user']['username'], admin_user.username)

+    def test_username_filter_with_staff(self):
+        """ Verify the staff user can filter data by username."""
+
+        # create two orders for different users
+        order = factories.create_order(user=self.user)
+        other_user = self.create_user()
+        other_order = factories.create_order(user=other_user)
+
+        requester = self.create_user(is_staff=True)
+        self.client.login(email=requester.email, password=self.password)
+
+        self.assert_list_with_username_filter(self.user, order)
+        self.assert_list_with_username_filter(other_user, other_order)
+
+    def test_username_filter_with_non_staff(self):
+        """Non staff users are not allowed to filter on any other username."""
+        requester = self.create_user(is_staff=False)
+        self.client.login(username=requester.username, password=self.password)
+
+        response = self.client.get(self.path, {'username': self.user.username})
+        self.assertEqual(response.status_code, 403)
+
+    def assert_list_with_username_filter(self, user, order):
+        """ Helper method for making assertions. """
+
+        response = self.client.get(self.path, {'username': user.username})
+        self.assertEqual(response.status_code, 200)
+
+        self.assertEqual(
+            response.data['results'][0],
+            OrderSerializer(order, context={'request': RequestFactory(SERVER_NAME=self.site.domain).get('/')}).data
+        )
+

 @ddt.ddt
 @override_settings(ECOMMERCE_SERVICE_WORKER_USERNAME='test-service-user')

--- a/ecommerce/extensions/api/v2/views/orders.py
+++ b/ecommerce/extensions/api/v2/views/orders.py
@@ -2,16 +2,19 @@
 import logging

 from oscar.core.loading import get_model, get_class
-from rest_framework import status, viewsets
+from rest_framework import filters, status, viewsets
 from rest_framework.decorators import detail_route
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import IsAuthenticated, DjangoModelPermissions
 from rest_framework.response import Response

 from ecommerce.extensions.api import serializers
 from ecommerce.extensions.api.constants import APIConstants as AC
+from ecommerce.extensions.api.filters import OrderFilter
 from ecommerce.extensions.api.permissions import IsStaffOrOwner
 from ecommerce.extensions.api.throttles import ServiceUserThrottle

+
 logger = logging.getLogger(__name__)

 Order = get_model('order', 'Order')
@@ -23,13 +26,20 @@ class OrderViewSet(viewsets.ReadOnlyModelViewSet):
    queryset = Order.objects.all()
    serializer_class = serializers.OrderSerializer
    throttle_classes = (ServiceUserThrottle,)
+    filter_backends = (filters.DjangoFilterBackend,)
+    filter_class = OrderFilter

    def filter_queryset(self, queryset):
        queryset = super(OrderViewSet, self).filter_queryset(queryset)
+
+        username = self.request.query_params.get('username')
        user = self.request.user

        # Non-staff users should only see their own orders
        if not user.is_staff:
+            if username and user.username != username:
+                raise PermissionDenied
+
            queryset = queryset.filter(user=user)

        return queryset