Disallow modifying DRAFT object ID

Update to catch and respond to attempts to modify the DRAFT object_id. Changes to be committed: modified: api/scripts/method_specific/POST_api_objects_drafts_modify.py modified: api/scripts/utilities/DbUtils.py
biocompute-objects · Aug 6, 2022 · 0c278b7 · 0c278b7
1 parent 0701ad9
commit 0c278b7
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 3 deletions.
diff --git a/bco_api/api/scripts/method_specific/POST_api_objects_drafts_modify.py b/bco_api/api/scripts/method_specific/POST_api_objects_drafts_modify.py
@@ -35,7 +35,7 @@ def post_api_objects_drafts_modify(request):
         An HttpResponse that allows its data to be rendered into arbitrary
         media types. As this view is for a bulk operation, status 200 means
         that the request was successfully processed for each item in the
-        request. A status of 300 means that some of the requests were
+        request. A status of 207 means that some of the requests were
         successfull.
     """
 
@@ -69,6 +69,19 @@ def post_api_objects_drafts_modify(request):
             # object-level change permissions OR if they are in a
             # group that has object-level change permissions.
             # To check these options, we need the actual object.
+
+            if draft_object['object_id'] != draft_object["contents"]["object_id"]:
+                returning.append(
+                    db_utils.messages(
+                        parameters={
+                            "object_id": draft_object["contents"]["object_id"],
+                            "draft_object_id": draft_object["object_id"]
+                            }
+                    )["409_draft_object_id_conflict"]
+                )
+                any_failed = True
+                continue
+
             if BCO.objects.filter(
                 object_id=draft_object["contents"]["object_id"]
             ).exists():
@@ -136,8 +149,8 @@ def post_api_objects_drafts_modify(request):
         if returning[0]["status_code"] == "403":
             return Response(status=status.HTTP_403_FORBIDDEN, data=returning)
         else:
-            return Response(status=status.HTTP_300_MULTIPLE_CHOICES, data=returning)
+            return Response(status=status.HTTP_207_MULTI_STATUS, data=returning)
     if any_failed and len(returning) > 1:
-        return Response(status=status.HTTP_300_MULTIPLE_CHOICES, data=returning)
+        return Response(status=status.HTTP_207_MULTI_STATUS, data=returning)
     else:
         return Response(status=status.HTTP_200_OK, data=returning)
diff --git a/bco_api/api/scripts/utilities/DbUtils.py b/bco_api/api/scripts/utilities/DbUtils.py
@@ -740,6 +740,15 @@ def messages(self, parameters, p_content=False):
                 + parameters["object_id"]
                 + " has already been created on this server.",
             },
+            "409_draft_object_id_conflict": {
+                "request_status": "FAILURE",
+                "status_code": "409",
+                "message": "The provided object_id "
+                + parameters["object_id"]
+                + " does not match the saved draft object_id "
+                + parameters["draft_object_id"]
+                + ". Once a draft is created you can not change the object id.",
+            },
             "409_object_id_conflict": {
                 "request_status": "FAILURE",
                 "status_code": "409",