Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

API:s for the new front-end #792

Open
wants to merge 22 commits into
base: development
Choose a base branch
from
Open

API:s for the new front-end #792

wants to merge 22 commits into from

Conversation

ankurr0y
Copy link

@ankurr0y ankurr0y commented Nov 8, 2023

Description of the Change

Added APIs for several models

Feedback needed

Permission for each API and which REST calls they should have (GET, POST, PATCH, PUT, DELETE) along with permissions for each REST call.

ludvigalden
ludvigalden reviewed Nov 15, 2023
View reviewed changes
src/moore/settings/dev.py
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reasons for these changes? Committed by mistake?

@ankurr0y
Merge branch 'development' of https://github.com/UTNkar/moore into an…
8d6dd91 
…kur-dev
@ankurr0y
Changed to authenticated or readonly
26cc620
@ankurr0y
Permissions 1
a82dbf1
@ankurr0y
The Team API is needed as a publicly readable entity because the posi…
6212353 
…tions and the team descriptions are open to the public. If a new team is created or edited, it will most likely be through the admin console, meaning that we probably shouldn't have writeable APIs for this. Ludwig I'm writing this in a commit to show you that we need a ticketing system. In most ticketing systems you can set up an automation where referencing the ticket number will associate your commit to that ticket.
@ludvigalden
Copy link
Contributor

Hi Ankur, why is the commit message so long? Feel free to put any comments in the pull request, right here.

The only things that should be writable in these API:s are things that are editable on apply.utn.se and relating to one's own member profile details. I believe that would be one's own involvement applications, event applications, and event tickets. You should alao only be able to view your own member details, applications, and event tickets. Is that clear enough?

@ludvigalden
Copy link
Contributor

Regarding the ticketing system, our team and level of production is small enough for us not to need one. The scale is perfectly manageable without any system that would leas to too much abstraction and cost us time that could be spent better.

@ankurr0y
Copy link
Author

Adding the Role thing only for posterity's sake, everything works through position and not role according to the way that the data model is designed.

@ankurr0y
Copy link
Author

The read is only for applicants on their own stuff. The write I will create separately in a moment. Also covers user profile

@ankurr0y
Copy link
Author

Now, applications are only CRUD if you are the applicant

@ankurr0y
Copy link
Author

But test it in a test environment a couple of times

@ludvigalden
Copy link
Contributor

ludvigalden commented Jan 21, 2024
edited
Loading

Here are some things that come to mind when looking at the committed code.

Teams

  • You should not be able to edit, create or delete teams.

Roles

  • You should not be able to edit, create or delete roles.

Positions

  • You should not be able to edit, create or delete positions.
  • When querying positions, expanded role and team objects are included in the response.

Application

  • You should only be able to create applications for yourself and if the end time has not passed.
  • You should only be able to view your own applications.
  • You should only be able to delete applications with draft or submitted status that are your own.
  • You should only be able to edit applications with draft status, but not edit the status or position, and only if the end time has not passed.
  • When querying applications, expanded position, role and team objects are included in the response.

Events

  • You should not be able to edit, create or delete events.
  • When querying events, expanded costs as well as a thumbnail image URL are included in the response.

Costs

  • You should not be able to edit, create or delete costs.

Event Tickets

  • You should not be able to edit, create or delete event tickets.
  • You should only be able to view your own event tickets.

Event Applications

  • You should only be able to view the event applications that apply for your own event tickets
  • You should only be able to create an event application if the event application end time of the event has not passed.
  • You should only be able to create an event application for yourself.
  • You should not be able to set the "ticket" of the event application.
  • You should only be able to create or delete event applications.

Participants

  • You should only view, edit or delete the participants that that apply for your own event tickets.
  • You should only be able to edit, create or delete participants for tickets that are not locked.

@ludvigalden
Copy link
Contributor

@ankurr0y

I have pushed the data interfaces that the front-end expects now. You can find it here.

Also, you’re missing the csrf_exempt decorator for the API-routes.

We also need an endpoint for getting the authenticated user's Member object, such as /me.

@ludvigalden ludvigalden changed the title Ankur dev API:s for the front-end Jan 28, 2024
@ludvigalden ludvigalden changed the title API:s for the front-end API:s for the new front-end Jan 28, 2024
ludvigalden
ludvigalden suggested changes Jan 29, 2024
View reviewed changes
Copy link
Contributor

@ludvigalden ludvigalden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not use the same path with varying HTTP methods? GET for reading, POST for creating, PATCH for updating the passed properties (set to null if properties should be set undefined), and DELETE for deleting?

@ankurr0y
Copy link
Author

Why not use the same path with varying HTTP methods? GET for reading, POST for creating, PATCH for updating the passed properties (set to null if properties should be set undefined), and DELETE for deleting?

PATCH and DELETE are too different from the other two, needed to differentiate permissions, serializers and querysets for them. So they are separate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ludvigalden ludvigalden ludvigalden requested changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ankurr0y @ludvigalden