secure /listing/x/publish endpoint, add business rules for listing publication

Author: pgorecki

src/api/routers/catalog.py

@@ -57,7 +57,7 @@ async def create_listing(
     current_user: Annotated[User, Depends(get_authenticated_user)],
 ):
     """
-    Creates a new listing.
+    Creates a new listing
     """
     command = CreateListingDraftCommand(
         listing_id=uuid.uuid4(),
@@ -83,7 +83,7 @@ async def delete_listing(
     current_user: Annotated[User, Depends(get_authenticated_user)],
 ):
     """
-    Delete listing
+    Deletes a listing
     """
     command = DeleteListingDraftCommand(
         listing_id=listing_id,
@@ -100,13 +100,16 @@ async def delete_listing(
 )
 @inject
 async def publish_listing(
-    listing_id: UUID, app: Annotated[Application, Depends(get_application)]
+    listing_id: UUID,
+    app: Annotated[Application, Depends(get_application)],
+    current_user: Annotated[User, Depends(get_authenticated_user)],
 ):
     """
-    Creates a new listing.
+    Publishes a listing
     """
     command = PublishListingDraftCommand(
         listing_id=listing_id,
+        seller_id=current_user.id,
     )
     app.execute_command(command)
 

src/api/tests/test_bidding.py

@@ -36,7 +36,9 @@ def setup_app_for_bidding_tests(app, listing_id, seller_id, bidder_id):
             seller_id=seller_id,
         )
     )
-    app.execute_command(PublishListingDraftCommand(listing_id=listing_id))
+    app.execute_command(
+        PublishListingDraftCommand(listing_id=listing_id, seller_id=seller_id)
+    )
     logger.info("test setup complete")
 
 

src/api/tests/test_catalog.py

@@ -111,44 +111,47 @@ def test_catalog_delete_non_existing_draft_returns_404(authenticated_api_client)
 
 
 @pytest.mark.integration
-def test_catalog_publish_listing_draft(app, api_client):
+def test_catalog_publish_listing_draft(app, authenticated_api_client):
     # arrange
+    current_user = authenticated_api_client.current_user
     listing_id = UUID(int=1)
     app.execute_command(
         CreateListingDraftCommand(
             listing_id=listing_id,
             title="Listing to be published",
             description="...",
             ask_price=Money(10),
-            seller_id=UUID("00000000000000000000000000000002"),
+            seller_id=current_user.id,
         )
     )
 
     # act
-    response = api_client.post(f"/catalog/{listing_id}/publish")
+    response = authenticated_api_client.post(f"/catalog/{listing_id}/publish")
 
     # assert that the listing was published
     assert response.status_code == 200
 
 
-def test_published_listing_appears_in_biddings(app, api_client):
+def test_published_listing_appears_in_biddings(app, authenticated_api_client):
     # arrange
     listing_id = UUID(int=1)
+    current_user = authenticated_api_client.current_user
     app.execute_command(
         CreateListingDraftCommand(
             listing_id=listing_id,
             title="Listing to be published",
             description="...",
             ask_price=Money(10),
-            seller_id=UUID("00000000000000000000000000000002"),
+            seller_id=current_user.id,
         )
     )
     app.execute_command(
         PublishListingDraftCommand(
             listing_id=listing_id,
+            seller_id=current_user.id,
         )
     )
 
     url = f"/bidding/{listing_id}"
-    response = api_client.get(url)
+    response = authenticated_api_client.get(url)
     assert response.status_code == 200

src/modules/catalog/application/command/publish_listing_draft.py

@@ -3,17 +3,19 @@
 from modules.catalog.application import catalog_module
 from modules.catalog.domain.entities import Listing
 from modules.catalog.domain.repositories import ListingRepository
-from modules.catalog.domain.value_objects import ListingId
+from modules.catalog.domain.rules import OnlyListingOwnerCanPublishListing
+from modules.catalog.domain.value_objects import ListingId, SellerId
 from seedwork.application.command_handlers import CommandResult
 from seedwork.application.commands import Command
+from seedwork.domain.mixins import check_rule
 
 
 @dataclass
 class PublishListingDraftCommand(Command):
     """A command for publishing a draft of a listing"""
 
-    listing_id: ListingId
-    # seller_id: SellerId
+    listing_id: ListingId  # a listing to be published
+    seller_id: SellerId  # a seller, who is publishing a listing
 
 
 @catalog_module.command_handler
@@ -23,6 +25,12 @@ def publish_listing_draft(
 ):
     listing: Listing = listing_repository.get_by_id(command.listing_id)
 
+    check_rule(
+        OnlyListingOwnerCanPublishListing(
+            listing_seller_id=listing.seller_id, current_seller_id=command.seller_id
+        )
+    )
+
     events = listing.publish()
 
     listing_repository.persist_all()

src/modules/catalog/domain/rules.py

@@ -52,8 +52,18 @@ def is_broken(self) -> bool:
         return self.status == ListingStatus.PUBLISHED
 
 
+class OnlyListingOwnerCanPublishListing(BusinessRule):
+    __message = "Only listing owner can publish a listing"
+
+    listing_seller_id: ListingId
+    current_seller_id: SellerId
+
+    def is_broken(self) -> bool:
+        return self.listing_seller_id != self.current_seller_id
+
+
 class OnlyListingOwnerCanDeleteListing(BusinessRule):
-    __message = "Only listing owner can delete listing"
+    __message = "Only listing owner can delete a listing"
 
     listing_seller_id: ListingId
     current_seller_id: SellerId

src/modules/catalog/tests/application/test_publish_listing.py

@@ -30,6 +30,7 @@ def test_publish_listing():
 
     command = PublishListingDraftCommand(
         listing_id=listing.id,
+        seller_id=seller.id,
     )
 
     # act
@@ -62,6 +63,7 @@ def test_publish_listing_and_break_business_rule():
 
     command = PublishListingDraftCommand(
         listing_id=listing.id,
+        seller_id=seller.id,
     )
 
     # act