feat: Allow user defaluting on the course-archive-status-detail api.

feanil · feanil · commit 13a4be6fb217 · 2025-08-20T12:34:09.000-04:00
If the client does not send a user id on create, default to the current
user for the creating of an archive status row.

Add relevant tests and also update some formatting issue(wish I had done
that separately but I can't easly undo it.)
diff --git a/backend/sample_plugin/serializers.py b/backend/sample_plugin/serializers.py
@@ -2,16 +2,25 @@
 Serializers for the sample_plugin app.
 """
 
+from django.contrib.auth import get_user_model
 from rest_framework import serializers
 
 from sample_plugin.models import CourseArchiveStatus
 
+User = get_user_model()
+
 
 class CourseArchiveStatusSerializer(serializers.ModelSerializer):
     """
     Serializer for the CourseArchiveStatus model.
     """
 
+    user = serializers.PrimaryKeyRelatedField(
+        queryset=User.objects.all(),
+        default=serializers.CurrentUserDefault(),
+        required=False,
+    )
+
     class Meta:
         """
         Meta class for CourseArchiveStatusSerializer.
diff --git a/backend/sample_plugin/settings/production.py b/backend/sample_plugin/settings/production.py
@@ -1,6 +1,7 @@
 """
 Production settings for the sample_plugin application.
 """
+
 from sample_plugin.settings.common import plugin_settings as common_settings
 
 
diff --git a/backend/sample_plugin/settings/test.py b/backend/sample_plugin/settings/test.py
@@ -1,6 +1,7 @@
 """
 Test settings for the sample_plugin application.
 """
+
 from sample_plugin.settings.common import plugin_settings as common_settings
 
 
diff --git a/backend/sample_plugin/views.py b/backend/sample_plugin/views.py
@@ -77,7 +77,9 @@ class CourseArchiveStatusViewSet(viewsets.ModelViewSet):
     serializer_class = CourseArchiveStatusSerializer
     permission_classes = [IsOwnerOrStaffSuperuser]
     pagination_class = CourseArchiveStatusPagination
-    throttle_classes = [CourseArchiveStatusThrottle, ]
+    throttle_classes = [
+        CourseArchiveStatusThrottle,
+    ]
     filter_backends = [DjangoFilterBackend, filters.OrderingFilter]
     filterset_fields = ["course_id", "user", "is_archived"]
     ordering_fields = [
@@ -142,29 +144,26 @@ def perform_create(self, serializer):
         """
         Perform creation of a new CourseArchiveStatus.
 
-        Sets the user to the requesting user if not specified.
-        Sets archive_date and archived_by if is_archived is True.
-        """
-        data = serializer.validated_data.copy()
-
-        # Set user to requesting user if not specified
-        if "user" not in data:
-            data["user"] = self.request.user
-        # Only allow staff/superusers to create records for other users
-        elif data["user"] != self.request.user and not (
-            self.request.user.is_staff or self.request.user.is_superuser
-        ):
-            logger.warning(
-                "Permission denied: User %s tried to create a record for user %s",
-                self.request.user.username,
-                data["user"].username,
-            )
-            raise PermissionDenied(
-                "You do not have permission to create records for other users."
-            )
+        Validates permission for user override and sets archive_date if needed.
+        """
+        # Check if user was explicitly provided and differs from current user
+        if "user" in self.request.data:
+            requested_user_id = self.request.data["user"]
+            if requested_user_id != self.request.user.id and not (
+                self.request.user.is_staff or self.request.user.is_superuser
+            ):
+                logger.warning(
+                    "Permission denied: User %s tried to create a record for user %s",
+                    self.request.user.username,
+                    requested_user_id,
+                )
+                raise PermissionDenied(
+                    "You do not have permission to create records for other users."
+                )
 
         # Set archive_date if is_archived is True
-        if data.get("is_archived", False):
+        data = {}
+        if serializer.validated_data.get("is_archived", False):
             data["archive_date"] = timezone.now()
 
         # Create the record
@@ -184,18 +183,33 @@ def perform_update(self, serializer):
         """
         Perform update of an existing CourseArchiveStatus.
 
-        Updates archive_date and archived_by if is_archived changes.
+        Validates permission for user override and updates archive_date if needed.
         """
         instance = serializer.instance
-        data = serializer.validated_data.copy()
+
+        # Check if user was explicitly provided and differs from current user
+        if "user" in self.request.data:
+            requested_user_id = self.request.data["user"]
+            if requested_user_id != self.request.user.id and not (
+                self.request.user.is_staff or self.request.user.is_superuser
+            ):
+                logger.warning(
+                    "Permission denied: User %s tried to update a record for user %s",
+                    self.request.user.username,
+                    requested_user_id,
+                )
+                raise PermissionDenied(
+                    "You do not have permission to update records for other users."
+                )
 
         # Handle archive_date if is_archived changes
-        if "is_archived" in data:
+        data = {}
+        if "is_archived" in serializer.validated_data:
             # If changing from not archived to archived
-            if data["is_archived"] and not instance.is_archived:
+            if serializer.validated_data["is_archived"] and not instance.is_archived:
                 data["archive_date"] = timezone.now()
             # If changing from archived to not archived
-            elif not data["is_archived"] and instance.is_archived:
+            elif not serializer.validated_data["is_archived"] and instance.is_archived:
                 data["archive_date"] = None
 
         # Update the record
diff --git a/backend/tests/__init__.py b/backend/tests/__init__.py
diff --git a/backend/tests/test_api.py b/backend/tests/test_api.py
@@ -277,3 +277,170 @@ def test_staff_can_update_other_user_course_archive_status(
 
     assert response.status_code == status.HTTP_200_OK
     assert response.data["is_archived"] is True
+
+
+# New tests for optional user field behavior
+@pytest.mark.django_db
+def test_create_course_archive_status_without_user_field(api_client, user, course_key):
+    """
+    Test that a user can create a course archive status without specifying user field.
+    The user field should default to the current user.
+    """
+    api_client.force_authenticate(user=user)
+    url = reverse("sample_plugin:course-archive-status-list")
+    data = {
+        "course_id": str(course_key),
+        "is_archived": True,
+    }
+    # Note: No "user" field in data
+    response = api_client.post(url, data, format="json")
+
+    if response.status_code != status.HTTP_201_CREATED:
+        print(f"Response status: {response.status_code}")
+        print(f"Response data: {response.data}")
+    
+    assert response.status_code == status.HTTP_201_CREATED
+    assert response.data["course_id"] == str(course_key)
+    assert response.data["user"] == user.id
+    assert response.data["is_archived"] is True
+    assert response.data["archive_date"] is not None
+
+    # Verify in database
+    course_archive_status = CourseArchiveStatus.objects.get(
+        course_id=course_key, user=user
+    )
+    assert course_archive_status.is_archived is True
+    assert course_archive_status.user == user
+
+
+@pytest.mark.django_db
+def test_update_course_archive_status_without_user_field(api_client, user, course_archive_status):
+    """
+    Test that a user can update their course archive status without specifying user field.
+    The user field should remain unchanged.
+    """
+    api_client.force_authenticate(user=user)
+    url = reverse(
+        "sample_plugin:course-archive-status-detail", args=[course_archive_status.id]
+    )
+    data = {"is_archived": True}
+    # Note: No "user" field in data
+    response = api_client.patch(url, data, format="json")
+
+    assert response.status_code == status.HTTP_200_OK
+    assert response.data["is_archived"] is True
+    assert response.data["user"] == user.id
+    assert response.data["archive_date"] is not None
+
+    # Verify in database
+    course_archive_status.refresh_from_db()
+    assert course_archive_status.is_archived is True
+    assert course_archive_status.user == user
+
+
+@pytest.mark.django_db
+def test_staff_create_with_explicit_user_override(
+    api_client, staff_user, user, course_key
+):
+    """
+    Test that staff can explicitly set user field to override default behavior.
+    """
+    api_client.force_authenticate(user=staff_user)
+    url = reverse("sample_plugin:course-archive-status-list")
+    data = {
+        "course_id": str(course_key),
+        "user": user.id,
+        "is_archived": True,
+    }
+    response = api_client.post(url, data, format="json")
+
+    assert response.status_code == status.HTTP_201_CREATED
+    assert response.data["course_id"] == str(course_key)
+    assert response.data["user"] == user.id  # Should be the specified user, not staff_user
+    assert response.data["is_archived"] is True
+
+    # Verify in database
+    course_archive_status = CourseArchiveStatus.objects.get(
+        course_id=course_key, user=user
+    )
+    assert course_archive_status.user == user
+    assert course_archive_status.user != staff_user
+
+
+@pytest.mark.django_db
+def test_staff_update_with_explicit_user_override(
+    api_client, staff_user, user, another_user, course_key
+):
+    """
+    Test that staff can explicitly change user field when updating.
+    """
+    # Create initial record for user
+    initial_status = CourseArchiveStatus.objects.create(
+        course_id=course_key, user=user, is_archived=False
+    )
+    
+    api_client.force_authenticate(user=staff_user)
+    url = reverse(
+        "sample_plugin:course-archive-status-detail", args=[initial_status.id]
+    )
+    data = {
+        "user": another_user.id,
+        "is_archived": True,
+    }
+    response = api_client.patch(url, data, format="json")
+
+    assert response.status_code == status.HTTP_200_OK
+    assert response.data["user"] == another_user.id  # Should be changed to another_user
+    assert response.data["is_archived"] is True
+
+    # Verify in database
+    initial_status.refresh_from_db()
+    assert initial_status.user == another_user
+    assert initial_status.is_archived is True
+
+
+@pytest.mark.django_db
+def test_regular_user_cannot_override_user_field_create(
+    api_client, user, another_user, course_key
+):
+    """
+    Test that regular users cannot override user field to create records for other users.
+    """
+    api_client.force_authenticate(user=user)
+    url = reverse("sample_plugin:course-archive-status-list")
+    data = {
+        "course_id": str(course_key),
+        "user": another_user.id,  # Try to create for another user
+        "is_archived": True,
+    }
+    response = api_client.post(url, data, format="json")
+
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
+@pytest.mark.django_db  
+def test_staff_create_without_user_field_defaults_to_current_user(
+    api_client, staff_user, course_key
+):
+    """
+    Test that even staff users get records created for themselves when no user specified.
+    """
+    api_client.force_authenticate(user=staff_user)
+    url = reverse("sample_plugin:course-archive-status-list")
+    data = {
+        "course_id": str(course_key),
+        "is_archived": True,
+    }
+    # Note: No "user" field in data
+    response = api_client.post(url, data, format="json")
+
+    assert response.status_code == status.HTTP_201_CREATED
+    assert response.data["course_id"] == str(course_key)
+    assert response.data["user"] == staff_user.id  # Should default to current user (staff)
+    assert response.data["is_archived"] is True
+
+    # Verify in database
+    course_archive_status = CourseArchiveStatus.objects.get(
+        course_id=course_key, user=staff_user
+    )
+    assert course_archive_status.user == staff_user

-Original file line number
+Diff line change
@@ @@ -1,6 +1,7 @@ @@
 """
 Production settings for the sample_plugin application.
 """
++
 from sample_plugin.settings.common import plugin_settings as common_settings