Refs #654 -- API: Writable event endpoints (#756)

* MKBDIGI-185: Added update/create to events

* MKBDIGI-185: Added validation for 'slug, 'live' on event endpoint

* MKBDIGI-185: Code formatting

* MKBDIGI-185: Added 'plugins' to 'event' endpoint

* MKBDIGI-185: Merge migrations

* MKBDIGI-185: Cleaned up static methods

* EBILL-5: Added delete endpoint for event

* EBILL-5: Merge migrations

* EBILL-5: Fixed imports

* EBILL-5: Changed plugins to only list plugins enabled for the event

* EBILL-5: Added clone event endpoint

* EBILL-5: Removed permissions check API test for events

* EBILL-5: Merged master, updated migrations

* EBILL-5: Updated api permissions check for CRUD on events

* EBILL-5: Removed 'unique_together' constraint on event model

* EBILL-5: Removed call to changed static methods in test

* EBILL-5: Changed Event 'has_paid_things'  to a property for consistency

* EBILL-5: Fixed created response code in documentation

* EBILL-6: Documentation fixes

* EBILL-6: Fixed typo

* EBILL-6: Fixed permissions

* EBILL-6: Added note on copying settings to documentation

* EBILL-6: Created model method for deleting sub objects on event before delete

* EBILL-6: Fixed typo

* EBILL-6: Re-added meta_data as read-only

* EBILL-6: Fixed permissions test

* EBILL-6: Added plugins issues check before live. Moved issues property from form to Event model.

* EBILL-6: Upped version number in documentation

* Add write support for MetaDataField

* EBILL-6: Expanded documentation for the clone endpoint, made behaviour of 'is_public' similar to 'plugins' for consistency

* EBILL-6: Re-added EventCRUDPermission

* EBILL-16: Updated documentation with permission model for the API

* EBILL-16: Added 'has_subevents' validation to ensure it cannot be changed once event is created.

* EBILL-16: Fixed event clone not differentiating between "not set" and "deliberately set to False"

* EBILL-16: Fixed event live validation

* EBILL-16: Added logging of live activated/deactivated

* EBILL-16: Fixed create event bug when no 'meta_data' supplied

* EBILL-16: Typo fixed

* EBILL-16: Added log display for "event created"

* EBILL-16: Enabling a plugin now calls 'installed' if applicable and log entries are added

* EBILL-16: Updated tests for events

* Do not allow enabling restricted plugins via the API

* Remove unused code

src/tests/api/test_permissions.py

@@ -20,7 +20,7 @@ event_urls = [
     'checkinlists/',
 ]
 
-event_permission_urls = [
+event_permission_sub_urls = [
     ('get', 'can_view_orders', 'orders/', 200),
     ('get', 'can_view_orders', 'orderpositions/', 200),
     ('get', 'can_view_vouchers', 'vouchers/', 200),
@@ -68,6 +68,15 @@ event_permission_urls = [
     ('put', 'can_change_event_settings', 'checkinlists/1/', 404),
     ('patch', 'can_change_event_settings', 'checkinlists/1/', 404),
     ('delete', 'can_change_event_settings', 'checkinlists/1/', 404),
+    ('post', 'can_create_events', 'clone/', 400),
+]
+
+
+event_permission_root_urls = [
+    ('post', 'can_create_events', 400),
+    ('put', 'can_change_event_settings', 400),
+    ('patch', 'can_change_event_settings', 200),
+    ('delete', 'can_change_event_settings', 204),
 ]
 
 
@@ -137,8 +146,8 @@ def test_event_not_existing(token_client, organizer, url, event):
 
 
 @pytest.mark.django_db
-@pytest.mark.parametrize("urlset", event_permission_urls)
-def test_token_event_permission_allowed(token_client, team, organizer, event, urlset):
+@pytest.mark.parametrize("urlset", event_permission_sub_urls)
+def test_token_event_subresources_permission_allowed(token_client, team, organizer, event, urlset):
     team.all_events = True
     setattr(team, urlset[1], True)
     team.save()
@@ -148,8 +157,8 @@ def test_token_event_permission_allowed(token_client, team, organizer, event, ur
 
 
 @pytest.mark.django_db
-@pytest.mark.parametrize("urlset", event_permission_urls)
-def test_token_event_permission_not_allowed(token_client, team, organizer, event, urlset):
+@pytest.mark.parametrize("urlset", event_permission_sub_urls)
+def test_token_event_subresources_permission_not_allowed(token_client, team, organizer, event, urlset):
     team.all_events = True
     setattr(team, urlset[1], False)
     team.save()
@@ -161,6 +170,32 @@ def test_token_event_permission_not_allowed(token_client, team, organizer, event
         assert resp.status_code in (404, 403)
 
 
+@pytest.mark.django_db
+@pytest.mark.parametrize("urlset", event_permission_root_urls)
+def test_token_event_permission_allowed(token_client, team, organizer, event, urlset):
+    team.all_events = True
+    setattr(team, urlset[1], True)
+    team.save()
+    if urlset[0] == 'post':
+        resp = getattr(token_client, urlset[0])('/api/v1/organizers/{}/events/'.format(organizer.slug))
+    else:
+        resp = getattr(token_client, urlset[0])('/api/v1/organizers/{}/events/{}/'.format(organizer.slug, event.slug))
+    assert resp.status_code == urlset[2]
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("urlset", event_permission_root_urls)
+def test_token_event_permission_not_allowed(token_client, team, organizer, event, urlset):
+    team.all_events = True
+    setattr(team, urlset[1], False)
+    team.save()
+    if urlset[0] == 'post':
+        resp = getattr(token_client, urlset[0])('/api/v1/organizers/{}/events/'.format(organizer.slug))
+    else:
+        resp = getattr(token_client, urlset[0])('/api/v1/organizers/{}/events/{}/'.format(organizer.slug, event.slug))
+    assert resp.status_code == 403
+
+
 @pytest.mark.django_db
 def test_log_out_after_absolute_timeout(user_client, team, organizer, event):
     session = user_client.session