Merge pull request #59 from edx/pwnage101/update-user-key-for-deletion-endpoint

Update the expected user parameter from "user_id" to "user"

notesapi/v1/tests/test_views.py

@@ -518,7 +518,7 @@ class AnnotationListViewTests(BaseAnnotationViewTests):
         self.assertEqual(response["total"], 3)
 
         url = reverse('api:v1:annotations')
-        self.payload["user_id"] = user_id
+        self.payload["user"] = user_id
         # Delete all notes for User 1
         response = self.client.delete(url, headers=self.headers, data=self.payload)
         self.assertEqual(response.status_code, status.HTTP_200_OK)
@@ -532,16 +532,50 @@ class AnnotationListViewTests(BaseAnnotationViewTests):
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
     def test_delete_all_user_annotations_no_user(self):
-        # Delete for No User
+        """
+        Test case where no user is specified when user deletion is requested.
+
+        The result should be a 403 response, with the following logging:
+
+            notesapi.v1.permissions: INFO: No user was present to compare in GET, POST or DATA
+        """
+        self._create_annotation(text=u'Comment with foo', tags=[u'bar'])
+        self._create_annotation(text=u'Another comment', tags=[u'foo'])
+        self._create_annotation(text=u'A longer comment with bar', tags=[u'foo'])
+        response = self._get_search_results()
+        self.assertEqual(response["total"], 3)
+
         url = reverse('api:v1:annotations')
+        del self.payload['user']
         response = self.client.delete(url, headers=self.headers, data=self.payload)
-        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+        # Verify no notes are deleted
+        response = self._get_search_results()
+        self.assertEqual(response["total"], 3)
 
     def test_delete_all_user_annotations_other_user(self):
+        """
+        Test the case where the user specified in params doesn't appear to match the one in the token.
+
+        In this case, the response should be 403 and logging should indicate some sort of token user mismatch failure:
+
+            notesapi.v1.permissions: DEBUG: Token user test_user_id did not match data user test_other_user_id
+        """
+        self._create_annotation(text=u'Comment with foo', tags=[u'bar'])
+        self._create_annotation(text=u'Another comment', tags=[u'foo'])
+        self._create_annotation(text=u'A longer comment with bar', tags=[u'foo'])
+        response = self._get_search_results()
+        self.assertEqual(response["total"], 3)
+
         url = reverse('api:v1:annotations')
-        self.payload["user_id"] = TEST_OTHER_USER
+        self.payload["user"] = TEST_OTHER_USER
         response = self.client.delete(url, headers=self.headers, data=self.payload)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+        # Verify no notes are deleted
+        response = self._get_search_results()
+        self.assertEqual(response["total"], 3)
 
 
 @ddt.ddt

notesapi/v1/views.py

@@ -203,17 +203,30 @@ class AnnotationListView(GenericAPIView):
                 Each page in the list contains 25 annotations by default. The page
                 size can be altered by passing parameter "page_size=<page_size>".
 
-                Http400 is returned if the format of the request is not correct.
+                HTTP 400 Bad Request: The format of the request is not correct.
 
             * Create a new annotation for a user.
 
-                Http400 is returned if the format of the request is not correct.
+                HTTP 400 Bad Request: The format of the request is not correct, or the maximum number of notes for a
+                user has been reached.
+
+                HTTP 201 Created: Success.
+
+            * Delete all annotations for a user.
+
+                HTTP 400 Bad Request: The format of the request is not correct.
+
+                HTTP 200 OK: Either annotations from the user were deleted, or no annotations for the user were found.
 
         **Example Requests**
 
             GET /api/v1/annotations/?course_id={course_id}&user={user_id}
 
             POST /api/v1/annotations/
+            user={user_id}&course_id={course_id}&usage_id={usage_id}&ranges={ranges}&quote={quote}
+
+            DELETE /api/v1/annotations/
+            user={user_id}
 
         **Query Parameters for GET**
 
@@ -257,7 +270,7 @@ class AnnotationListView(GenericAPIView):
 
                 * updated: DateTime. When was the last time annotation was updated.
 
-        **Query Parameters for POST**
+        **Form-encoded data for POST**
 
             user, course_id, usage_id, ranges and quote fields must be provided.
 
@@ -282,6 +295,15 @@ class AnnotationListView(GenericAPIView):
             * created: DateTime. Creation datetime of annotation.
 
             * updated: DateTime. When was the last time annotation was updated.
+
+        **Form-encoded data for DELETE**
+
+            * user: Anonymized user id.
+
+        **Response Values for DELETE**
+
+            * no content.
+
     """
 
     serializer_class = NoteSerializer
@@ -350,14 +372,13 @@ class AnnotationListView(GenericAPIView):
 
     def delete(self, *args, **kwargs):  # pylint: disable=unused-argument
         """
-        Delete all annotations for user_id
-
+        Delete all annotations for a user.
         """
         params = self.request.data
-        if 'user_id' not in params:
+        if 'user' not in params:
             return Response(status=status.HTTP_400_BAD_REQUEST)
 
-        Note.objects.filter(user_id=params['user_id']).delete()
+        Note.objects.filter(user_id=params['user']).delete()
         return Response(status=status.HTTP_200_OK)