Merge pull request #24 from segment-oj/fix-response-ztl

Fix response ztl

Author: szdytom

account/tests.py

@@ -169,7 +169,7 @@ def testL0_change_not_admin(self):
         request = self.factory.patch(self.base_url, data=request_data, format="json")
         force_authenticate(request, User.objects.get(username="testuser"))
         res = self.view(request, uid=2)
-        self.assertEqual(res.status_code, status.HTTP_204_NO_CONTENT)
+        self.assertEqual(res.status_code, status.HTTP_403_FORBIDDEN)
 
         target = User.objects.get(id=2)
         self.assertEqual(target.is_active, ac_data["is_active"])

account/views.py

@@ -137,15 +137,31 @@ def post(self, request):
     def patch(self, request, uid):
         data = request.data
         user = get_object_or_404(User, id=uid)
+
         if not request.user.has_perm("account.change_user"):
             if request.user.id != user.id:
                 return Response({
                     "detail": "You have no permission to change this user"
                 }, status=status.HTTP_403_FORBIDDEN)
-            
-            data.pop("is_active", None)
-            data.pop("is_staff", None)
-            data.pop("is_superuser", None)
+
+            request_is_active = data.get("is_active")
+            request_is_staff = data.get("is_staff")
+            request_is_superuser = data.get("is_superuser")
+
+            if request_is_active != None and request_is_active != user.is_active:
+                return Response({
+                    "detail": "You have no permission to change this user"
+                }, status=status.HTTP_403_FORBIDDEN)
+
+            if request_is_staff != None and request_is_staff != user.is_active:
+                return Response({
+                    "detail": "You have no permission to change this user"
+                }, status=status.HTTP_403_FORBIDDEN)
+
+            if request_is_superuser != None and request_is_superuser != user.is_superuser:
+                return Response({
+                    "detail": "You have no permission to change this user"
+                }, status=status.HTTP_403_FORBIDDEN)
 
         us = AccountSerializer(user, data=data, partial=True)
         us.is_valid(raise_exception=True)

problem/serializers.py

@@ -32,12 +32,10 @@ class ProblemDescriptionSerializer(serializers.ModelSerializer):
     class Meta:
         model = Problem
         fields = [
-            "pid",
             "description",
         ]
 
         depth = 0
-        read_only_fields = ["id"]
 
 class TagSerializer(serializers.ModelSerializer):
 

problem/views.py

@@ -163,7 +163,6 @@ def get(self, request):
         ts = TagSerializer(queryset, many=True)
 
         return Response({
-            "detail": "Success",
             "count": queryset.count(),
             "res": ts.data
         }, status=status.HTTP_200_OK)