Not allowing to modify certain fields

epou · epou · commit 922c737c2158 · 2024-01-26T17:15:13.000+01:00
diff --git a/tigaserver_app/serializers.py b/tigaserver_app/serializers.py
@@ -6,6 +6,7 @@
 from django.contrib.auth.models import User
 from tigaserver_app.questions_table import data as the_translation_key
 from django.urls import reverse
+from django.db import models
 
 def score_label(score):
     if score > 66:
@@ -226,7 +227,25 @@ def update(self, instance, validated_data):
         # Adding _history_user
         validated_data['_history_user'] = validated_data.get('user')
 
+        # Do not updates on the following fields:
+        #   - fields marked as non editable
+        #   - fields Auto generated
+        #   - FKs
+        #   - PKs
+        non_editable_fields = [
+            field.name for field in Report._meta.get_fields() if (
+                not field.editable
+                or isinstance(field, models.AutoField)
+                or isinstance(field, models.ForeignKey)
+                or field.primary_key
+            )
+        ]
+
         responses_data = validated_data.pop('responses')
+        for field in non_editable_fields:
+            if field in validated_data:
+                del validated_data[field]
+
         instance = super().update(instance=instance, validated_data=validated_data)
 
         # Updating responses
diff --git a/tigaserver_app/views.py b/tigaserver_app/views.py
@@ -189,7 +189,10 @@ def post_photo(request):
 * report: The version_UUID of the report to which this photo is attached.
     """
     if request.method == 'POST':
-        this_report = Report.objects.get(version_UUID=request.data['report'])
+        try:
+            this_report = Report.objects.get(version_UUID=request.data['report'])
+        except Report.DoesNotExist:
+            return Response()
         instance = Photo(photo=request.FILES['photo'], report=this_report)
         instance.save()
         return Response('uploaded')
@@ -316,24 +319,20 @@ def create(self, request, *args, **kwargs):
             # May raise a permission denied
             self.check_object_permissions(self.request, instance)
 
-        result_headers = None
-        result_status = None
-        result_data = None
+        # NOTE: Always return 201
+        # See: https://github.com/Mosquito-Alert/Mosquito-Alert-Mobile-App/blob/6c5993a230a86f958c8dca8bcfef2994a6b93ebe/lib/api/api.dart#L381
+        result_status = status.HTTP_201_CREATED
         if version_number >= 0:
             serializer = self.get_serializer(instance, data=request.data)
             serializer.is_valid(raise_exception=True)
             serializer.save()
 
-            result_data = serializer.data
-
-            if version_number == 0:
-                result_status = status.HTTP_201_CREATED
-                result_headers = self.get_success_headers(serializer.data)
-
         if version_number == -1:
             instance.soft_delete()
+            serializer = self.get_serializer(instance)
 
-            result_status = status.HTTP_204_NO_CONTENT
+        result_data = serializer.data
+        result_headers = self.get_success_headers(serializer.data)
 
         return Response(data=result_data, status=result_status, headers=result_headers)
 
@@ -343,6 +342,25 @@ class PhotoViewSet(ReadWriteOnlyModelViewSet):
     queryset = Photo.objects.all()
     serializer_class = PhotoSerializer
 
+    def create(self, request, *args, **kwargs):
+        response = super().create(request=request, *args, **kwargs)
+
+        # Always return 200
+        # See: https://github.com/Mosquito-Alert/Mosquito-Alert-Mobile-App/blob/6c5993a230a86f958c8dca8bcfef2994a6b93ebe/lib/api/api.dart#L508
+        response.status = status.HTTP_200_OK
+        return response
+
+    def perform_create(self, serializer):
+        # Restrict image saving to the initial report creation only.
+        # Although the mobile app generates a new version_UUID for each
+        # report update or deletion, the reports are versioned, and
+        # only the original UUID is preserved. If the provided UUID is not
+        # found, indicating an update/deletion, image saving is bypassed.
+        if not Report.objects.filter(pk=serializer.report).exists():
+            return
+        else:
+            super().perform_create(serializer=serializer)
+
 
 # For production version, substitute WriteOnlyModelViewSet
 class FixViewSet(ReadWriteOnlyModelViewSet):
