Уточнён контекстный API модуля News

Author: Toksi86

docs/modules/news.md

@@ -47,10 +47,10 @@ generic relation:
   различения обычной новости и feed-записи.
 - `news/querysets.py` - явные queryset helpers по контексту URL: project, user
   или partner program.
-- `news/views.py` - общий API для list/create/detail/update/delete, set_viewed и
-  set_liked.
-- `news/serializers.py` - request/response serializers для создания, списка и
-  detail.
+- `news/views.py` - контекстный API для list/create/detail/update/delete,
+  set_viewed и set_liked.
+- `news/serializers.py` - request serializers и response serializers,
+  разделенные по контекстам project/user/program.
 - `news/permissions.py` - права на создание и изменение новости в зависимости от
   связанного объекта.
 - `news/admin.py` - админка `News`.
@@ -89,9 +89,6 @@ Feed-запись определяется через helper `is_feed_record(new
 
 Связанные endpoints:
 
-- `GET /news/` - подключен напрямую, но без контекста возвращает пустой список.
-- `GET /news/<news_id>/` - подключен напрямую, но без контекста не является
-  основным пользовательским сценарием.
 - `GET /feed/?type=...` - общая лента, которая читает данные из `News`.
 
 ## Основные сценарии
@@ -143,8 +140,7 @@ Feed-запись определяется через helper `is_feed_record(new
 - Новость проекта может создавать и изменять только лидер проекта.
 - Новость пользователя может создавать и изменять только сам пользователь.
 - Новость программы может создавать и изменять только менеджер программы.
-- Прямой `/news/` без project/user/program context не является основным
-  пользовательским API.
+- Вложения новости должны ссылаться только на `UserFile` текущего пользователя.
 - Несуществующий project/user/program context возвращает `404`.
 - Проектные новости реализованы через `news.News`.
 

news/serializers.py

@@ -2,6 +2,7 @@
 from rest_framework import serializers
 
 from core.services import is_fan, get_likes_count, get_views_count
+from files.models import UserFile
 from files.serializers import UserFileSerializer
 from news.mapping import NewsMapping
 from news.models import News
@@ -10,7 +11,20 @@
 User = get_user_model()
 
 
-class NewsCreateSerializer(serializers.ModelSerializer[News]):
+class NewsInputSerializer(serializers.ModelSerializer[News]):
+    files = serializers.PrimaryKeyRelatedField(
+        queryset=UserFile.objects.none(),
+        many=True,
+        required=False,
+    )
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        request = self.context.get("request")
+        user = getattr(request, "user", None)
+        if user and user.is_authenticated:
+            self.fields["files"].queryset = UserFile.objects.filter(user=user)
+
     class Meta:
         model = News
         fields = [
@@ -19,13 +33,20 @@ class Meta:
         ]
 
 
-class NewsListResponseSerializer(serializers.ModelSerializer[News]):
+class NewsCreateSerializer(NewsInputSerializer):
+    pass
+
+
+class NewsUpdateSerializer(NewsInputSerializer):
+    pass
+
+
+class BaseNewsResponseSerializer(serializers.ModelSerializer[News]):
     views_count = serializers.SerializerMethodField()
     likes_count = serializers.SerializerMethodField()
     name = serializers.SerializerMethodField()
     image_address = serializers.SerializerMethodField()
     is_user_liked = serializers.SerializerMethodField()
-    files = UserFileSerializer(many=True)
 
     def get_name(self, obj):
         return NewsMapping.get_name(obj.content_object)
@@ -45,6 +66,10 @@ def get_is_user_liked(self, obj):
             return is_fan(obj, user)
         return False
 
+
+class BaseNewsListResponseSerializer(BaseNewsResponseSerializer):
+    files = UserFileSerializer(many=True)
+
     class Meta:
         model = News
         fields = [
@@ -62,30 +87,19 @@ class Meta:
         read_only_fields = ["pin"]
 
 
-class NewsDetailResponseSerializer(serializers.ModelSerializer):
-    views_count = serializers.SerializerMethodField()
-    likes_count = serializers.SerializerMethodField()
-    name = serializers.SerializerMethodField()
-    image_address = serializers.SerializerMethodField()
-    is_user_liked = serializers.SerializerMethodField()
+class ProjectNewsListResponseSerializer(BaseNewsListResponseSerializer):
+    pass
 
-    def get_name(self, obj):
-        return NewsMapping.get_name(obj.content_object)
 
-    def get_image_address(self, obj):
-        return NewsMapping.get_image_address(obj.content_object)
+class UserNewsListResponseSerializer(BaseNewsListResponseSerializer):
+    pass
 
-    def get_views_count(self, obj):
-        return get_views_count(obj)
 
-    def get_likes_count(self, obj):
-        return get_likes_count(obj)
+class ProgramNewsListResponseSerializer(BaseNewsListResponseSerializer):
+    pass
 
-    def get_is_user_liked(self, obj):
-        user = self.context.get("user")
-        if user:
-            return is_fan(obj, user)
-        return False
+
+class BaseNewsDetailResponseSerializer(BaseNewsResponseSerializer):
 
     class Meta:
         model = News
@@ -103,3 +117,15 @@ class Meta:
             "files",
         ]
         read_only_fields = ["pin"]
+
+
+class ProjectNewsDetailResponseSerializer(BaseNewsDetailResponseSerializer):
+    pass
+
+
+class UserNewsDetailResponseSerializer(BaseNewsDetailResponseSerializer):
+    pass
+
+
+class ProgramNewsDetailResponseSerializer(BaseNewsDetailResponseSerializer):
+    pass

news/tests/test_news_project_api.py

@@ -5,7 +5,7 @@
 from core.models import Like, View
 from news.models import News
 
-from .helpers import create_news_for, create_project, create_user
+from .helpers import create_news_for, create_project, create_user, create_user_file
 
 
 class ProjectScopedNewsAPITests(TestCase):
@@ -28,6 +28,27 @@ def test_project_leader_can_create_project_news(self):
         self.assertEqual(news.content_object, self.project)
         self.assertEqual(news.text, "Project news")
 
+    def test_project_news_create_rejects_file_of_another_user(self):
+        self.client.force_authenticate(self.leader)
+        another_user = create_user(prefix="project-news-file-owner")
+        another_user_file = create_user_file(another_user)
+
+        response = self.client.post(
+            f"/projects/{self.project.id}/news/",
+            {
+                "text": "Project news with forbidden file",
+                "files": [another_user_file.link],
+            },
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, 400)
+        self.assertFalse(
+            News.objects.get_news(self.project)
+            .filter(text="Project news with forbidden file")
+            .exists()
+        )
+
     def test_non_leader_cannot_create_project_news(self):
         self.client.force_authenticate(create_user(prefix="project-news-outsider"))
 
@@ -78,6 +99,26 @@ def test_project_news_detail_can_be_updated_and_deleted_by_leader(self):
         self.assertEqual(delete_response.status_code, 204)
         self.assertFalse(News.objects.filter(pk=news.id).exists())
 
+    def test_project_news_update_rejects_file_of_another_user(self):
+        self.client.force_authenticate(self.leader)
+        leader_file = create_user_file(self.leader, name="leader-file")
+        another_user = create_user(prefix="project-news-update-file-owner")
+        another_user_file = create_user_file(another_user, name="foreign-file")
+        news = create_news_for(
+            self.project,
+            text="Initial text",
+            files=[leader_file],
+        )
+
+        response = self.client.patch(
+            f"/projects/{self.project.id}/news/{news.id}/",
+            {"files": [another_user_file.link]},
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, 400)
+        self.assertEqual(list(news.files.all()), [leader_file])
+
     def test_project_news_can_be_marked_viewed_and_liked(self):
         user = create_user(prefix="project-news-reader")
         self.client.force_authenticate(user)

news/urls.py

@@ -12,8 +12,13 @@
 from news.querysets import get_news_queryset_for_context
 from news.serializers import (
     NewsCreateSerializer,
-    NewsDetailResponseSerializer,
-    NewsListResponseSerializer,
+    NewsUpdateSerializer,
+    ProgramNewsDetailResponseSerializer,
+    ProgramNewsListResponseSerializer,
+    ProjectNewsDetailResponseSerializer,
+    ProjectNewsListResponseSerializer,
+    UserNewsDetailResponseSerializer,
+    UserNewsListResponseSerializer,
 )
 from news.services import (
     create_program_news,
@@ -27,75 +32,115 @@
 User = get_user_model()
 
 
+LIST_RESPONSE_SERIALIZERS = {
+    "project": ProjectNewsListResponseSerializer,
+    "user": UserNewsListResponseSerializer,
+    "program": ProgramNewsListResponseSerializer,
+}
+
+DETAIL_RESPONSE_SERIALIZERS = {
+    "project": ProjectNewsDetailResponseSerializer,
+    "user": UserNewsDetailResponseSerializer,
+    "program": ProgramNewsDetailResponseSerializer,
+}
+
+
 class ContextNewsAPIView:
     def get_queryset(self):
         return get_news_queryset_for_context(self.kwargs)
 
     def get_news_object(self):
         return get_object_or_404(self.get_queryset(), pk=self.kwargs["pk"])
 
+    def get_news_context(self):
+        if self.kwargs.get("project_pk") is not None:
+            return "project"
+        if self.kwargs.get("user_pk") is not None:
+            return "user"
+        if self.kwargs.get("partnerprogram_pk") is not None:
+            return "program"
+        return None
+
+    def get_list_response_serializer_class(self):
+        return LIST_RESPONSE_SERIALIZERS[self.get_news_context()]
+
+    def get_detail_response_serializer_class(self):
+        return DETAIL_RESPONSE_SERIALIZERS[self.get_news_context()]
+
 
 class NewsList(ContextNewsAPIView, generics.ListCreateAPIView):
-    serializer_class = NewsListResponseSerializer
+    serializer_class = ProjectNewsListResponseSerializer
     permission_classes = [ProjectVisibilityPermission, IsNewsCreatorOrReadOnly]
     pagination_class = NewsPagination
 
     def post(self, request: Request, *args, **kwargs) -> Response:
-        serializer = NewsCreateSerializer(data=request.data)
+        serializer = NewsCreateSerializer(
+            data=request.data,
+            context={"request": request},
+        )
         serializer.is_valid(raise_exception=True)
         data = serializer.validated_data
 
         if kwargs.get("project_pk"):
             project = get_object_or_404(Project, pk=kwargs["project_pk"])
             news = create_project_news(project, request.user, data)
             return Response(
-                NewsDetailResponseSerializer(news).data,
+                self.get_detail_response_serializer_class()(news).data,
                 status=status.HTTP_201_CREATED,
             )
         if kwargs.get("user_pk"):
             user = get_object_or_404(User, pk=kwargs["user_pk"])
             news = create_user_news(user, request.user, data)
             return Response(
-                NewsDetailResponseSerializer(news).data,
+                self.get_detail_response_serializer_class()(news).data,
                 status=status.HTTP_201_CREATED,
             )
 
         if kwargs.get("partnerprogram_pk"):
             program = get_object_or_404(PartnerProgram, pk=kwargs["partnerprogram_pk"])
             news = create_program_news(program, request.user, data)
             return Response(
-                NewsDetailResponseSerializer(news).data,
+                self.get_detail_response_serializer_class()(news).data,
                 status=status.HTTP_201_CREATED,
             )
         return Response(status=status.HTTP_400_BAD_REQUEST)
 
     def get(self, request: Request, *args, **kwargs) -> Response:
         news = self.paginate_queryset(self.get_queryset())
         context = {"user": request.user}
-        serializer = NewsListResponseSerializer(news, context=context, many=True)
+        serializer = self.get_list_response_serializer_class()(
+            news,
+            context=context,
+            many=True,
+        )
         return self.get_paginated_response(serializer.data)
 
 
 class NewsDetail(ContextNewsAPIView, generics.RetrieveUpdateDestroyAPIView):
-    serializer_class = NewsDetailResponseSerializer
+    serializer_class = ProjectNewsDetailResponseSerializer
     permission_classes = [ProjectVisibilityPermission, IsNewsCreatorOrReadOnly]
 
     def get(self, request: Request, *args, **kwargs) -> Response:
         news = self.get_news_object()
         context = {"user": request.user}
-        return Response(NewsDetailResponseSerializer(news, context=context).data)
+        return Response(
+            self.get_detail_response_serializer_class()(news, context=context).data
+        )
 
     def update(self, request: Request, *args, **kwargs) -> Response:
         news = self.get_news_object()
         context = {"user": request.user}
-        serializer = NewsDetailResponseSerializer(
+        serializer = NewsUpdateSerializer(
             news,
             data=request.data,
-            context=context,
+            context={"request": request},
+            partial=kwargs.get("partial", False),
         )
         serializer.is_valid(raise_exception=True)
         serializer.save()
-        return Response(serializer.data)
+        return Response(
+            self.get_detail_response_serializer_class()(news, context=context).data
+        )
 
 
 class NewsDetailSetViewed(ContextNewsAPIView, generics.CreateAPIView):

news/views.py

@@ -45,7 +45,6 @@
     ),
     path("files/", include("files.urls", namespace="files")),
     path("industries/", include("industries.urls", namespace="industries")),
-    path("news/", include("news.urls", namespace="news")),
     path("projects/", include("projects.urls", namespace="projects")),
     path("vacancies/", include("vacancy.urls", namespace="vacancies")),
     path("core/", include("core.urls", namespace="core")),