feat: API for changing suggestion state

fricklerhandwerk · fricklerhandwerk · commit 6d8134c673fb · 2026-04-30T15:53:19.000+02:00
diff --git a/src/api/tests/test_api.py b/src/api/tests/test_api.py
@@ -1,5 +1,6 @@
 from collections.abc import Callable
 
+from django.contrib.auth.models import User
 from rest_framework.reverse import reverse
 from rest_framework.test import APIClient
 
@@ -55,3 +56,20 @@ def test_published_issue(
     response = client.get(url, {"cve": "CVE-9999-0000"})
     assert response.status_code == 200
     assert len(response.data) == 0
+
+
+# TODO(@fricklerhandwerk): Exercise all state sequences
+def test_suggestion_change_state(
+    cached_suggestion: CVEDerivationClusterProposal,
+    staff: User,
+) -> None:
+    client = APIClient()
+    client.force_login(staff)
+    response = client.post(
+        f"/api/v1/suggestions/{cached_suggestion.pk}/change_status",
+        {
+            "status": CVEDerivationClusterProposal.Status.ACCEPTED,
+        },
+        format="json",
+    )
+    assert response.status_code == 200
diff --git a/src/api/urls.py b/src/api/urls.py
@@ -1,10 +1,11 @@
 from django.urls import include, path
 from rest_framework import routers
 
-from api.views import NixpkgsIssueViewSet
+from api.views import NixpkgsIssueViewSet, SuggestionViewSet
 
-v1_router = routers.DefaultRouter()
+v1_router = routers.DefaultRouter(trailing_slash=False)
 v1_router.register(r"issues", NixpkgsIssueViewSet)
+v1_router.register("suggestions", SuggestionViewSet)
 
 urlpatterns = [
     path("v1/", include(v1_router.urls)),
diff --git a/src/api/views.py b/src/api/views.py
@@ -1,8 +1,13 @@
 from django_filters import rest_framework as filters
 from rest_framework import serializers, viewsets
-from rest_framework.permissions import AllowAny
+from rest_framework.decorators import action
+from rest_framework.permissions import AllowAny, BasePermission, IsAuthenticated
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
 
-from shared.models import NixpkgsIssue
+from shared.auth import user_can_edit_suggestion
+from shared.models import CVEDerivationClusterProposal, NixpkgsIssue
 
 
 class StringInFilter(filters.BaseInFilter, filters.CharFilter):
@@ -39,3 +44,26 @@ class Meta:
         "suggestion__cve",
     ).all()
     serializer_class = Serializer
+
+
+class CanEditSuggestion(BasePermission):
+    def has_permission(self, request: Request, view: APIView) -> bool:  # pyright: ignore[reportIncompatibleMethodOverride]
+        return user_can_edit_suggestion(request.user)
+
+
+class SuggestionViewSet(viewsets.GenericViewSet):
+    class StatusSerializer(serializers.ModelSerializer):
+        class Meta:
+            model = CVEDerivationClusterProposal
+            extra_kwargs = {"status": {"required": True}}
+            fields = ["status", "rejection_reason", "comment"]
+
+    queryset = CVEDerivationClusterProposal.objects.all()
+    permission_classes = [IsAuthenticated, CanEditSuggestion]
+
+    @action(detail=True, methods=["post"], serializer_class=StatusSerializer)
+    def change_status(self, request: Request, pk: int) -> Response:
+        serializer = self.get_serializer(instance=self.get_object(), data=request.data)
+        serializer.is_valid(raise_exception=True)
+        serializer.save()
+        return Response(serializer.data)
diff --git a/src/shared/migrations/0083_alter_cvederivationclusterproposal_comment.py b/src/shared/migrations/0083_alter_cvederivationclusterproposal_comment.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.2.12 on 2026-04-30 13:39
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('shared', '0082_alter_derivationclusterproposallink_derivation_and_more'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='cvederivationclusterproposal',
+            name='comment',
+            field=models.CharField(blank=True, help_text='Optional free text comment for additional notes, context, dismissal reason', max_length=1000, null=True),
+        ),
+    ]
diff --git a/src/shared/models/linkage.py b/src/shared/models/linkage.py
@@ -59,7 +59,8 @@ class RejectionReason(models.TextChoices):
 
     comment = models.CharField(
         max_length=1000,
-        default="",
+        null=True,
+        blank=True,
         help_text=_(
             "Optional free text comment for additional notes, context, dismissal reason"
         ),
diff --git a/src/webview/suggestions/views/status.py b/src/webview/suggestions/views/status.py
@@ -75,6 +75,7 @@ def post(self, request: HttpRequest, suggestion_id: int) -> HttpResponse:
         github_issue_link = None  # Will be used if we publish
         # We keep track of the previous status to provide an undo action
         undo_status_target = suggestion.status
+        # TODO(@fricklerhandwerk): Move this business logic into the model, so it can be re-used in the REST API.
         # We keep track of the previous potential rejection_reason to be able to restore it during an undo
         undo_rejection_reason = suggestion.rejection_reason
         if new_status == "rejected":
