feat: Add a sample model and rest API.

feanil · feanil · commit 7e5714dd36b2 · 2025-04-15T11:04:10.000-04:00
We add a sample CourseArchiveStatus model and a rest API to access it.
The plan is for this model to be used by the frontend plugin eventually
to modify the course dashboard view.
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -0,0 +1,21 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Build/Lint/Test Commands
+- Backend testing: `cd backend && pytest` or `cd backend && make test`
+- Run a single test: `cd backend && pytest tests/test_models.py::test_placeholder`
+- Quality checks: `cd backend && make quality`
+- Install requirements: `cd backend && make requirements`
+- Compile requirements: `cd backend && make compile-requirements`
+
+## Code Style Guidelines
+- Python: Follow PEP 8 with max line length of 120
+- Use isort for import sorting
+- Document classes and functions with docstrings
+- Type hints are encouraged but not required
+- Error handling should use appropriate exceptions with descriptive messages
+- Use pytest for testing, with descriptive test function names
+- Frontend uses React and follows standard JSX conventions
+
+Always run `make quality` before creating a PR to ensure consistent code style.
diff --git a/backend/sample_plugin/models.py b/backend/sample_plugin/models.py
@@ -1,3 +1,65 @@
 """
 Database models for sample_plugin.
 """
+from django.contrib.auth import get_user_model
+from django.db import models
+from opaque_keys.edx.django.models import CourseKeyField
+
+
+class CourseArchiveStatus(models.Model):
+    """
+    Model to track the archive status of a course.
+
+    Stores information about whether a course has been archived and when it was archived.
+    
+    .. no_pii: This model does not store PII directly, only references to users via foreign keys.
+    """
+
+    course_id = CourseKeyField(
+        max_length=255,
+        db_index=True,
+        help_text="The unique identifier for the course."
+    )
+
+    user = models.ForeignKey(
+        get_user_model(),
+        on_delete=models.CASCADE,
+        related_name="course_archive_statuses",
+        help_text="The user who this archive status is for."
+    )
+
+    is_archived = models.BooleanField(
+        default=False,
+        db_index=True,  # Add index for performance on this frequently filtered field
+        help_text="Whether the course is archived."
+    )
+
+    archive_date = models.DateTimeField(
+        null=True,
+        blank=True,
+        help_text="The date and time when the course was archived."
+    )
+
+    created_at = models.DateTimeField(auto_now_add=True)
+    updated_at = models.DateTimeField(auto_now=True)
+
+    def __str__(self):
+        """
+        Return a string representation of the course archive status.
+        """
+        return f"{self.course_id} - {self.user.username} - {'Archived' if self.is_archived else 'Not Archived'}"
+
+    class Meta:
+        """
+        Meta options for the CourseArchiveStatus model.
+        """
+        verbose_name = "Course Archive Status"
+        verbose_name_plural = "Course Archive Statuses"
+        ordering = ["-updated_at"]
+        # Ensure combination of course_id and user is unique
+        constraints = [
+            models.UniqueConstraint(
+                fields=['course_id', 'user'],
+                name='unique_user_course_archive_status'
+            )
+        ]
diff --git a/backend/sample_plugin/serializers.py b/backend/sample_plugin/serializers.py
@@ -0,0 +1,28 @@
+"""
+Serializers for the sample_plugin app.
+"""
+from rest_framework import serializers
+
+from sample_plugin.models import CourseArchiveStatus
+
+
+class CourseArchiveStatusSerializer(serializers.ModelSerializer):
+    """
+    Serializer for the CourseArchiveStatus model.
+    """
+    
+    class Meta:
+        """
+        Meta class for CourseArchiveStatusSerializer.
+        """
+        model = CourseArchiveStatus
+        fields = [
+            'id',
+            'course_id',
+            'user',
+            'is_archived',
+            'archive_date',
+            'created_at',
+            'updated_at',
+        ]
+        read_only_fields = ['id', 'created_at', 'updated_at', 'archive_date']
diff --git a/backend/sample_plugin/urls.py b/backend/sample_plugin/urls.py
@@ -1,10 +1,16 @@
 """
 URLs for sample_plugin.
 """
-from django.urls import re_path  # pylint: disable=unused-import
-from django.views.generic import TemplateView  # pylint: disable=unused-import
+from django.urls import include, path
+from rest_framework.routers import DefaultRouter
 
+from sample_plugin.views import CourseArchiveStatusViewSet
+
+# Create a router and register our viewsets with it
+router = DefaultRouter()
+router.register(r'course-archive-status', CourseArchiveStatusViewSet, basename='course-archive-status')
+
+# The API URLs are now determined automatically by the router
 urlpatterns = [
-    # TODO: Fill in URL patterns and views here.
-    # re_path(r'', TemplateView.as_view(template_name="sample_plugin/base.html")),
+    path('api/v1/', include(router.urls)),
 ]
diff --git a/backend/sample_plugin/views.py b/backend/sample_plugin/views.py
@@ -0,0 +1,211 @@
+"""
+Views for the sample_plugin app.
+"""
+import logging
+from django.utils import timezone
+from django_filters.rest_framework import DjangoFilterBackend
+from rest_framework import filters, permissions, viewsets
+from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.pagination import PageNumberPagination
+from rest_framework.throttling import UserRateThrottle, AnonRateThrottle
+
+from sample_plugin.models import CourseArchiveStatus
+from sample_plugin.serializers import CourseArchiveStatusSerializer
+
+
+logger = logging.getLogger(__name__)
+
+
+class IsOwnerOrStaffSuperuser(permissions.BasePermission):
+    """
+    Custom permission to only allow owners of an object or staff/superusers to view or edit it.
+    """
+
+    def has_permission(self, request, view):
+        """
+        Return True if permission is granted to the view.
+        """
+        # Allow authenticated users to list and create
+        return request.user and request.user.is_authenticated
+
+    def has_object_permission(self, request, view, obj):
+        """
+        Return True if permission is granted to the object.
+        """
+        # Allow if the object belongs to the requesting user
+        if obj.user == request.user:
+            return True
+
+        # Allow staff users and superusers
+        if request.user.is_staff or request.user.is_superuser:
+            return True
+
+        return False
+
+
+class CourseArchiveStatusPagination(PageNumberPagination):
+    """
+    Pagination class for CourseArchiveStatus.
+    """
+    page_size = 20
+    page_size_query_param = 'page_size'
+    max_page_size = 100
+
+
+class CourseArchiveStatusThrottle(UserRateThrottle):
+    """
+    Throttle for the CourseArchiveStatus API.
+    """
+    rate = '60/minute'
+
+
+class CourseArchiveStatusViewSet(viewsets.ModelViewSet):
+    """
+    API viewset for CourseArchiveStatus.
+
+    Allows users to view their own course archive statuses and staff/superusers to view all.
+    Pagination is applied with a default page size of 20 (max 100).
+    Filtering is available on course_id, user, and is_archived fields.
+    Ordering is available on all fields.
+    """
+    serializer_class = CourseArchiveStatusSerializer
+    permission_classes = [IsOwnerOrStaffSuperuser]
+    pagination_class = CourseArchiveStatusPagination
+    throttle_classes = [CourseArchiveStatusThrottle, AnonRateThrottle]
+    filter_backends = [DjangoFilterBackend, filters.OrderingFilter]
+    filterset_fields = ['course_id', 'user', 'is_archived']
+    ordering_fields = ['course_id', 'user', 'is_archived', 'archive_date', 'created_at', 'updated_at']
+    ordering = ['-updated_at']
+
+    def get_queryset(self):
+        """
+        Return the queryset for this viewset.
+
+        Regular users can only see their own records.
+        Staff and superusers can see all records but with optimized queries.
+        """
+        user = self.request.user
+
+        # Validate query parameters to prevent injection
+        self._validate_query_params()
+
+        # Always use select_related to avoid N+1 queries
+        base_queryset = CourseArchiveStatus.objects.select_related('user')
+
+        if user.is_staff or user.is_superuser:
+            return base_queryset
+
+        # Regular users only see their own records
+        return base_queryset.filter(user=user)
+
+    def _validate_query_params(self):
+        """
+        Validate query parameters to prevent injection.
+        """
+        # Example validation for course_id format
+        course_id = self.request.query_params.get('course_id')
+        if course_id and not self._is_valid_course_id(course_id):
+            logger.warning(
+                "Invalid course_id in request: %s, user: %s",
+                course_id,
+                self.request.user.username
+            )
+            raise ValidationError({"course_id": "Invalid course ID format."})
+
+    def _is_valid_course_id(self, course_id):
+        """
+        Check if the course_id is in a valid format.
+
+        This is a basic implementation - in production, you might use a more
+        sophisticated validator from the edx-platform.
+        """
+        try:
+            from opaque_keys.edx.keys import CourseKey
+            CourseKey.from_string(course_id)
+            return True
+        except:
+            return False
+
+    def perform_create(self, serializer):
+        """
+        Perform creation of a new CourseArchiveStatus.
+
+        Sets the user to the requesting user if not specified.
+        Sets archive_date and archived_by if is_archived is True.
+        """
+        data = serializer.validated_data.copy()
+
+        # Set user to requesting user if not specified
+        if 'user' not in data:
+            data['user'] = self.request.user
+        # Only allow staff/superusers to create records for other users
+        elif data['user'] != self.request.user and not (self.request.user.is_staff or self.request.user.is_superuser):
+            logger.warning(
+                "Permission denied: User %s tried to create a record for user %s",
+                self.request.user.username,
+                data['user'].username
+            )
+            raise PermissionDenied("You do not have permission to create records for other users.")
+
+        # Set archive_date if is_archived is True
+        if data.get('is_archived', False):
+            data['archive_date'] = timezone.now()
+
+        # Create the record
+        instance = serializer.save(**data)
+
+        # Log at debug level for normal operation
+        logger.debug(
+            "CourseArchiveStatus created: course_id=%s, user=%s, is_archived=%s",
+            instance.course_id,
+            instance.user.username,
+            instance.is_archived
+        )
+
+        return instance
+
+    def perform_update(self, serializer):
+        """
+        Perform update of an existing CourseArchiveStatus.
+
+        Updates archive_date and archived_by if is_archived changes.
+        """
+        instance = serializer.instance
+        data = serializer.validated_data.copy()
+
+        # Handle archive_date if is_archived changes
+        if 'is_archived' in data:
+            # If changing from not archived to archived
+            if data['is_archived'] and not instance.is_archived:
+                data['archive_date'] = timezone.now()
+            # If changing from archived to not archived
+            elif not data['is_archived'] and instance.is_archived:
+                data['archive_date'] = None
+
+        # Update the record
+        updated_instance = serializer.save(**data)
+
+        # Log at debug level
+        logger.debug(
+            "CourseArchiveStatus updated: course_id=%s, user=%s, is_archived=%s",
+            updated_instance.course_id,
+            updated_instance.user.username,
+            updated_instance.is_archived
+        )
+
+        return updated_instance
+
+    def perform_destroy(self, instance):
+        """
+        Perform deletion of an existing CourseArchiveStatus.
+        """
+        # Log at debug level before deletion
+        logger.debug(
+            "CourseArchiveStatus deleted: course_id=%s, user=%s, by=%s",
+            instance.course_id,
+            instance.user.username,
+            self.request.user.username
+        )
+
+        # Delete the instance
+        return super().perform_destroy(instance)
diff --git a/backend/test_settings.py b/backend/test_settings.py
@@ -32,6 +32,8 @@ def root(*args):
     'django.contrib.contenttypes',
     'django.contrib.messages',
     'django.contrib.sessions',
+    'rest_framework',
+    'django_filters',
     'sample_plugin',
 )
 
@@ -44,9 +46,9 @@ def root(*args):
 SECRET_KEY = 'insecure-secret-key'
 
 MIDDLEWARE = (
+    'django.contrib.sessions.middleware.SessionMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
-    'django.contrib.sessions.middleware.SessionMiddleware',
 )
 
 TEMPLATES = [{
@@ -59,3 +61,24 @@ def root(*args):
         ],
     },
 }]
+
+REST_FRAMEWORK = {
+    'DEFAULT_PERMISSION_CLASSES': [
+        'rest_framework.permissions.IsAuthenticated',
+    ],
+    'DEFAULT_AUTHENTICATION_CLASSES': [
+        'rest_framework.authentication.SessionAuthentication',
+    ],
+    'DEFAULT_FILTER_BACKENDS': [
+        'django_filters.rest_framework.DjangoFilterBackend',
+        'rest_framework.filters.OrderingFilter',
+    ],
+    'DEFAULT_THROTTLE_CLASSES': [
+        'rest_framework.throttling.AnonRateThrottle',
+        'rest_framework.throttling.UserRateThrottle',
+    ],
+    'DEFAULT_THROTTLE_RATES': {
+        'anon': '20/hour',
+        'user': '100/hour',
+    },
+}
diff --git a/backend/tests/__init__.py b/backend/tests/__init__.py
diff --git a/backend/tests/test_api.py b/backend/tests/test_api.py
diff --git a/backend/tests/test_models.py b/backend/tests/test_models.py
