feat(controller): allow users to transfer app ownership.

Author: Joshua Anderson

api/__init__.py

@@ -2,4 +2,4 @@
 The **api** Django app presents a RESTful web API for interacting with the **deis** system.
 """
 
-__version__ = '1.6.0'
+__version__ = '1.7.0'

api/fixtures/tests.json

@@ -34,5 +34,23 @@
         "email": "autotest2@deis.io",
         "date_joined": "2013-05-10T16:08:09.357Z"
     }
+},
+{
+    "pk": 9,
+    "model": "auth.user",
+    "fields": {
+        "username": "autotest3",
+        "first_name": "Otto",
+        "last_name": "Test",
+        "is_active": true,
+        "is_superuser": false,
+        "is_staff": false,
+        "last_login": "2013-05-10T16:08:09.357Z",
+        "groups": [],
+        "user_permissions": [],
+        "password": "pbkdf2_sha256$10000$5Uoq7dl61vnN$gQhDpc2q2Rkn16VdPC+pNNEQcKpy+LGe29Zkad+2/m4=",
+        "email": "autotest3@deis.io",
+        "date_joined": "2013-05-10T16:08:09.357Z"
+    }
 }
 ]

api/tests/test_app.py

@@ -324,6 +324,52 @@ def test_app_info_not_showing_wrong_app(self):
         response = self.client.get(url, HTTP_AUTHORIZATION='token {}'.format(self.token))
         self.assertEqual(response.status_code, 404)
 
+    def test_app_transfer(self):
+        owner = User.objects.get(username='autotest2')
+        owner_token = Token.objects.get(user=owner).key
+        app_id = 'autotest'
+        base_url = '/v1/apps'
+        body = {'id': app_id}
+        response = self.client.post(base_url, json.dumps(body), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(owner_token))
+        # Transfer App
+        url = '{}/{}'.format(base_url, app_id)
+        new_owner = User.objects.get(username='autotest3')
+        new_owner_token = Token.objects.get(user=new_owner).key
+        body = {'owner': new_owner.username}
+        response = self.client.post(url, json.dumps(body), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(owner_token))
+        self.assertEqual(response.status_code, 200)
+
+        # Original user can no longer access it
+        response = self.client.get(url, HTTP_AUTHORIZATION='token {}'.format(owner_token))
+        self.assertEqual(response.status_code, 403)
+
+        # New owner can access it
+        response = self.client.get(url, HTTP_AUTHORIZATION='token {}'.format(new_owner_token))
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.data['owner'], new_owner.username)
+
+        # Collaborators can't transfer
+        body = {'username': owner.username}
+        perms_url = url+"/perms/"
+        response = self.client.post(perms_url, json.dumps(body), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(new_owner_token))
+        self.assertEqual(response.status_code, 201)
+        body = {'owner': self.user.username}
+        response = self.client.post(url, json.dumps(body), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(owner_token))
+        self.assertEqual(response.status_code, 403)
+
+        # Admins can transfer
+        body = {'owner': self.user.username}
+        response = self.client.post(url, json.dumps(body), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(self.token))
+        self.assertEqual(response.status_code, 200)
+        response = self.client.get(url, HTTP_AUTHORIZATION='token {}'.format(self.token))
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.data['owner'], self.user.username)
+
 
 FAKE_LOG_DATA = """
 2013-08-15 12:41:25 [33454] [INFO] Starting gunicorn 17.5

api/tests/test_users.py

@@ -21,9 +21,7 @@ def test_super_user_can_list(self):
                                    HTTP_AUTHORIZATION='token {}'.format(token))
 
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(len(response.data['results']), 2)
-        self.assertEqual(response.data['results'][0]['username'], 'autotest')
-        self.assertEqual(response.data['results'][1]['username'], 'autotest2')
+        self.assertEqual(len(response.data['results']), 3)
 
     def test_non_super_user_cannot_list(self):
         url = '/v1/users/'

api/urls.py

@@ -63,7 +63,7 @@
         views.AppPermsViewSet.as_view({'get': 'list', 'post': 'create'})),
     # apps base endpoint
     url(r"^apps/(?P<id>{})/?".format(settings.APP_URL_REGEX),
-        views.AppViewSet.as_view({'get': 'retrieve', 'delete': 'destroy'})),
+        views.AppViewSet.as_view({'get': 'retrieve', 'post': 'update', 'delete': 'destroy'})),
     url(r'^apps/?',
         views.AppViewSet.as_view({'get': 'list', 'post': 'create'})),
     # key

api/views.py

@@ -224,6 +224,17 @@ def run(self, request, **kwargs):
         return Response(output_and_rc, status=status.HTTP_200_OK,
                         content_type='text/plain')
 
+    def update(self, request, **kwargs):
+        app = self.get_object()
+
+        if request.data.get('owner'):
+            if self.request.user != app.owner and not self.request.user.is_superuser:
+                raise PermissionDenied()
+            new_owner = get_object_or_404(User, username=request.data['owner'])
+            app.owner = new_owner
+        app.save()
+        return Response(status=status.HTTP_200_OK)
+
 
 class BuildViewSet(ReleasableViewSet):
     """A viewset for interacting with Build objects."""