Refs #654 -- REST API: Allow PATCH for some order fields

2019-03-23 00:07:26 +01:00
parent 0bb6e460e8
commit c24ce551ba
4 changed files with 223 additions and 16 deletions
--- a/src/pretix/api/serializers/order.py
+++ b/src/pretix/api/serializers/order.py
@@ -220,26 +220,49 @@ class OrderRefundSerializer(I18nAwareModelSerializer):


 class OrderSerializer(I18nAwareModelSerializer):
-    invoice_address = InvoiceAddressSerializer()
-    positions = OrderPositionSerializer(many=True)
-    fees = OrderFeeSerializer(many=True)
-    downloads = OrderDownloadsField(source='*')
-    payments = OrderPaymentSerializer(many=True)
-    refunds = OrderRefundSerializer(many=True)
-    payment_date = OrderPaymentDateField(source='*')
-    payment_provider = OrderPaymentTypeField(source='*')
+    invoice_address = InvoiceAddressSerializer(read_only=True)
+    positions = OrderPositionSerializer(many=True, read_only=True)
+    fees = OrderFeeSerializer(many=True, read_only=True)
+    downloads = OrderDownloadsField(source='*', read_only=True)
+    payments = OrderPaymentSerializer(many=True, read_only=True)
+    refunds = OrderRefundSerializer(many=True, read_only=True)
+    payment_date = OrderPaymentDateField(source='*', read_only=True)
+    payment_provider = OrderPaymentTypeField(source='*', read_only=True)

    class Meta:
        model = Order
-        fields = ('code', 'status', 'testmode', 'secret', 'email', 'locale', 'datetime', 'expires', 'payment_date',
-                  'payment_provider', 'fees', 'total', 'comment', 'invoice_address', 'positions', 'downloads',
-                  'checkin_attention', 'last_modified', 'payments', 'refunds', 'require_approval', 'sales_channel')
+        fields = (
+            'code', 'status', 'testmode', 'secret', 'email', 'locale', 'datetime', 'expires', 'payment_date',
+            'payment_provider', 'fees', 'total', 'comment', 'invoice_address', 'positions', 'downloads',
+            'checkin_attention', 'last_modified', 'payments', 'refunds', 'require_approval', 'sales_channel'
+        )
+        read_only_fields = (
+            'code', 'status', 'testmode', 'secret', 'datetime', 'expires', 'payment_date',
+            'payment_provider', 'fees', 'total', 'invoice_address', 'positions', 'downloads',
+            'last_modified', 'payments', 'refunds', 'require_approval', 'sales_channel'
+        )

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        if not self.context['request'].query_params.get('pdf_data', 'false') == 'true':
            self.fields['positions'].child.fields.pop('pdf_data')

+    def validate_locale(self, l):
+        if l not in set(k for k in self.instance.event.settings.locales):
+            raise ValidationError('"{}" is not a supported locale for this event.'.format(l))
+        return l
+
+    def update(self, instance, validated_data):
+        # Even though all fields that shouldn't be edited are marked as read_only in the serializer
+        # (hopefully), we'll be extra careful here and be explicit about the model fields we update.
+        update_fields = ['comment', 'checkin_attention', 'email', 'locale']
+
+        for attr, value in validated_data.items():
+            if attr in update_fields:
+                setattr(instance, attr, value)
+        instance.save(update_fields=update_fields)
+        return instance
+

 class AnswerCreateSerializer(I18nAwareModelSerializer):

--- a/src/pretix/api/views/order.py
+++ b/src/pretix/api/views/order.py
@@ -16,7 +16,7 @@ from rest_framework.exceptions import (
    APIException, NotFound, PermissionDenied, ValidationError,
 )
 from rest_framework.filters import OrderingFilter
-from rest_framework.mixins import CreateModelMixin, DestroyModelMixin
+from rest_framework.mixins import CreateModelMixin
 from rest_framework.response import Response

 from pretix.api.models import OAuthAccessToken
@@ -54,7 +54,7 @@ class OrderFilter(FilterSet):
        fields = ['code', 'status', 'email', 'locale', 'testmode', 'require_approval']


-class OrderViewSet(DestroyModelMixin, CreateModelMixin, viewsets.ReadOnlyModelViewSet):
+class OrderViewSet(viewsets.ModelViewSet):
    serializer_class = OrderSerializer
    queryset = Order.objects.none()
    filter_backends = (DjangoFilterBackend, OrderingFilter)
@@ -375,6 +375,61 @@ class OrderViewSet(DestroyModelMixin, CreateModelMixin, viewsets.ReadOnlyModelVi
        headers = self.get_success_headers(serializer.data)
        return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)

+    def update(self, request, *args, **kwargs):
+        partial = kwargs.get('partial', False)
+        if not partial:
+            return Response(
+                {"detail": "Method \"PUT\" not allowed."},
+                status=status.HTTP_405_METHOD_NOT_ALLOWED,
+            )
+        return super().update(request, *args, **kwargs)
+
+    @transaction.atomic
+    def perform_update(self, serializer):
+        if 'comment' in self.request.data and serializer.instance.comment != self.request.data.get('comment'):
+            serializer.instance.log_action(
+                'pretix.event.order.comment',
+                user=self.request.user,
+                auth=self.request.auth,
+                data={
+                    'new_comment': self.request.data.get('comment')
+                }
+            )
+
+        if 'checkin_attention' in self.request.data and serializer.instance.checkin_attention != self.request.data.get('checkin_attention'):
+            serializer.instance.log_action(
+                'pretix.event.order.checkin_attention',
+                user=self.request.user,
+                auth=self.request.auth,
+                data={
+                    'new_value': self.request.data.get('checkin_attention')
+                }
+            )
+
+        if 'email' in self.request.data and serializer.instance.email != self.request.data.get('email'):
+            serializer.instance.log_action(
+                'pretix.event.order.contact.changed',
+                user=self.request.user,
+                auth=self.request.auth,
+                data={
+                    'old_email': serializer.instance.email,
+                    'new_email': self.request.data.get('email'),
+                }
+            )
+
+        if 'locale' in self.request.data and serializer.instance.locale != self.request.data.get('locale'):
+            serializer.instance.log_action(
+                'pretix.event.order.locale.changed',
+                user=self.request.user,
+                auth=self.request.auth,
+                data={
+                    'old_locale': serializer.instance.locale,
+                    'new_locale': self.request.data.get('locale'),
+                }
+            )
+
+        serializer.save()
+
    def perform_create(self, serializer):
        serializer.save()