Move review POST endpoint to review section (#473)

* Move review POST endpoint to review section

* Minor changes for consistency

Author: PGijsbers

src/routers/resource_router.py

@@ -150,14 +150,6 @@ def create(self, url_prefix: str) -> APIRouter:
             description=f"Retract a {self.resource_name}, setting its status to 'draft'.",
             **default_kwargs,
         )
-        router.add_api_route(
-            path=f"{url_prefix}/{self.resource_name_plural}/review/{version}",
-            methods={"POST"},
-            endpoint=self.get_review_func(),
-            name=self.resource_name,
-            description=f"Review a {self.resource_name}. Only for reviewers.",
-            **default_kwargs,
-        )
         router.add_api_route(
             path=f"{url_prefix}/{self.resource_name_plural}/{version}",
             methods={"POST"},
@@ -624,71 +616,6 @@ def retract_resource(
 
         return retract_resource
 
-    def get_review_func(self):
-        """Return a function that can be used to review a single resource."""
-
-        def review_resource(
-            review: ReviewCreate,
-            user: KeycloakUser = Depends(get_user_or_raise),
-        ):
-            if "reviewer" not in user.roles:
-                raise HTTPException(
-                    status_code=status.HTTP_403_FORBIDDEN,
-                    detail="You must have reviewing privileges to use this endpoint.",
-                )
-
-            with DbSession() as session:
-                query = select(Submission).where(
-                    Submission.identifier == review.submission_identifier
-                )
-                submission = session.scalars(query).first()
-                if submission is None:
-                    raise HTTPException(
-                        status_code=status.HTTP_400_BAD_REQUEST,
-                        detail=f"No review with identifier {review.submission_identifier} found.",
-                    )
-                if not submission.is_pending:
-                    raise HTTPException(
-                        status_code=status.HTTP_400_BAD_REQUEST,
-                        detail="Review is no longer pending, no new decision may be made.",
-                    )
-                register_user(user, session)
-
-                resource = self._retrieve_resource(
-                    identifier=submission.aiod_entry_identifier,
-                    session=session,
-                    is_entry_identifier=True,
-                )  # type: ignore
-                if user_can_administer(user, resource.aiod_entry):
-                    raise HTTPException(
-                        status_code=status.HTTP_403_FORBIDDEN,
-                        detail="You do not have permission to review your own assets.",
-                    )
-
-                if review.decision == Decision.ACCEPTED:
-                    new_status = EntryStatus.PUBLISHED
-                else:
-                    new_status = EntryStatus.DRAFT
-                resource.aiod_entry.status = new_status
-
-                review = Review(
-                    reviewer_identifier=user._subject_identifier,
-                    comment=review.comment,
-                    decision=review.decision,
-                    submission_identifier=submission.identifier,
-                )
-                session.add(review)
-                session.commit()
-                return self._wrap_with_headers(
-                    {
-                        "review_identifier": review.identifier,
-                        "submission_identifier": submission.identifier,
-                        "decision": review.decision,
-                    }
-                )
-
-        return review_resource
-
     def _retrieve_resource(
         self,
         session: Session,

src/routers/review_router.py

@@ -1,12 +1,23 @@
 import enum
 from http import HTTPStatus
-from typing import Sequence, Literal
+from typing import Sequence, Literal, cast
 
 from fastapi import APIRouter, HTTPException, Depends
-from sqlmodel import select
+from sqlmodel import select, Session
+from starlette import status
 
+from authentication import KeycloakUser, get_user_or_raise
+from database.authorization import register_user, user_can_administer
 from database.session import DbSession, get_session
-from database.review import Submission, Review, SubmissionView, SubmissionBase
+from database.review import (
+    Submission,
+    Review,
+    SubmissionView,
+    SubmissionBase,
+    ReviewCreate,
+    Decision,
+)
+from database.model.concept.aiod_entry import EntryStatus, AIoDEntryORM
 
 
 def create(url_prefix: str) -> APIRouter:
@@ -27,6 +38,13 @@ def create(url_prefix: str) -> APIRouter:
         response_model=SubmissionView,
     )(get_submission)
 
+    router.post(
+        f"{url_prefix}/reviews/{version}",
+        tags=["Reviewing"],
+        description="Review an asset.",
+        response_model=Review,
+    )(_review_resource)
+
     # Add MiddleWare which requires authentication as reviewer role
     return router
 
@@ -82,3 +100,51 @@ def get_submission(identifier: int, session=Depends(get_session)) -> Submission:
         status_code=HTTPStatus.NOT_FOUND,
         detail=f"No submission with identifier {identifier} found.",
     )
+
+
+def _review_resource(
+    review: ReviewCreate,
+    user: KeycloakUser = Depends(get_user_or_raise),
+    session: Session = Depends(get_session),
+):
+    if "reviewer" not in user.roles:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="You must have reviewing privileges to use this endpoint.",
+        )
+
+    submission = session.get(Submission, review.submission_identifier)
+    if submission is None:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=f"No review with identifier {review.submission_identifier} found.",
+        )
+    if not submission.is_pending:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Review is no longer pending, no new decision may be made.",
+        )
+    register_user(user, session)
+
+    aiod_entry = cast(AIoDEntryORM, session.get(AIoDEntryORM, submission.aiod_entry_identifier))
+    if user_can_administer(user, aiod_entry):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="You do not have permission to review your own assets.",
+        )
+
+    if review.decision == Decision.ACCEPTED:
+        new_status = EntryStatus.PUBLISHED
+    else:
+        new_status = EntryStatus.DRAFT
+    aiod_entry.status = new_status
+
+    review = Review(
+        reviewer_identifier=user._subject_identifier,
+        comment=review.comment,
+        decision=review.decision,
+        submission_identifier=submission.identifier,
+    )
+    session.add(review)
+    session.commit()
+    return review

src/tests/authorization/test_authorization.py

@@ -345,7 +345,7 @@ def test_only_reviewer_can_approve_submission(publication, client):
 
     with logged_in_user(ALICE):
         response = client.post(
-            "/publications/review/v1",
+            "/reviews/v1",
             content=str(
                 ReviewCreate(decision=Decision.ACCEPTED, submission_identifier=1, comment="").json()
             ),
@@ -355,7 +355,7 @@ def test_only_reviewer_can_approve_submission(publication, client):
 
     with logged_in_user(REVIEWER):
         response = client.post(
-            "/publications/review/v1",
+            "/reviews/v1",
             content=str(
                 ReviewCreate(decision=Decision.ACCEPTED, submission_identifier=1, comment="").json()
             ),
@@ -374,7 +374,7 @@ def test_reviewer_can_reject_submission(publication, client):
 
     with logged_in_user(REVIEWER):
         response = client.post(
-            "/publications/review/v1",
+            "/reviews/v1",
             content=str(
                 ReviewCreate(decision=Decision.REJECTED, submission_identifier=1, comment="").json()
             ),
@@ -393,7 +393,7 @@ def test_reviewer_cannot_approve_own_submission(publication, client):
 
     with logged_in_user(REVIEWER):
         response = client.post(
-            "/publications/review/v1",
+            "/reviews/v1",
             content=str(
                 ReviewCreate(decision=Decision.ACCEPTED, submission_identifier=1, comment="").json()
             ),