🛂(backend) use playlist token in deposit apis

As we are now using playlist tokens, it has to be allowed on apis.

src/backend/marsha/deposit/api.py

@@ -107,7 +107,7 @@ def get_permissions(self):
             ]
         elif self.action in ["retrieve"]:
             permission_classes = [
-                core_permissions.IsTokenResourceRouteObject
+                core_permissions.IsPlaylistToken
                 & (
                     core_permissions.IsTokenInstructor
                     | core_permissions.IsTokenAdmin
@@ -118,7 +118,7 @@ def get_permissions(self):
         elif self.action in ["update", "partial_update", "destroy"]:
             permission_classes = [
                 (
-                    core_permissions.IsTokenResourceRouteObject
+                    core_permissions.IsPlaylistToken
                     & (
                         core_permissions.IsTokenInstructor
                         | core_permissions.IsTokenAdmin
@@ -243,7 +243,7 @@ def get_permissions(self):
                 | core_permissions.IsTokenStudent
                 | core_permissions.UserIsAuthenticated
             ]
-        elif self.action in ["create", "list", "metadata"]:
+        elif self.action in ["list", "metadata"]:
             permission_classes = [
                 core_permissions.IsTokenInstructor
                 | core_permissions.IsTokenAdmin

src/backend/marsha/deposit/permissions.py

@@ -1,9 +1,8 @@
 """Custom permission classes for the Deposit app."""
-from django.core.exceptions import ObjectDoesNotExist
-
 from rest_framework import permissions
 
 from marsha.core import models
+from marsha.deposit.models import FileDepository
 
 
 def _is_organization_admin(user_id, file_depository_id):
@@ -59,12 +58,10 @@ def has_permission(self, request, view):
         """
         if not request.resource:
             return False
-        try:
-            return (
-                str(view.get_related_object().file_depository.id) == request.resource.id
-            )
-        except ObjectDoesNotExist:
-            return False
+
+        return FileDepository.objects.filter(
+            pk=view.get_related_filedepository_id(), playlist_id=request.resource.id
+        ).exists()
 
 
 class IsFileDepositoryPlaylistOrOrganizationAdmin(permissions.BasePermission):

src/backend/marsha/deposit/serializers.py

@@ -83,13 +83,10 @@ def create(self, validated_data):
         """
         resource = self.context["request"].resource
         user = self.context["request"].user
-        file_depository_id = self.context["request"].data.get("file_depository_id")
+        file_depository_id = self.context["view"].get_related_filedepository_id()
 
         if not validated_data.get("file_depository_id"):
-            if resource:
-                validated_data["file_depository_id"] = resource.id
-            elif file_depository_id:
-                validated_data["file_depository_id"] = file_depository_id
+            validated_data["file_depository_id"] = file_depository_id
 
         if resource:
             validated_data["author_id"] = resource.user.get("id")

src/backend/marsha/deposit/tests/api/depositedfiles/test_create.py

@@ -42,7 +42,7 @@ def test_api_deposited_file_create_student_with_user_fullname(self):
         """
 
         file_depository = FileDepositoryFactory()
-        jwt_token = StudentLtiTokenFactory(resource=file_depository)
+        jwt_token = StudentLtiTokenFactory(resource=file_depository.playlist)
 
         response = self.client.post(
             f"/api/filedepositories/{file_depository.id}/depositedfiles/",
@@ -89,7 +89,9 @@ def test_api_deposited_file_create_student_with_username(self):
 
         file_depository = FileDepositoryFactory()
         jwt_token = StudentLtiTokenFactory(
-            resource=file_depository, user__user_fullname=None, user__username="student"
+            resource=file_depository.playlist,
+            user__user_fullname=None,
+            user__username="student",
         )
 
         response = self.client.post(
@@ -121,7 +123,9 @@ def test_api_deposited_file_create_student_without_username(self):
 
         file_depository = FileDepositoryFactory()
         jwt_token = StudentLtiTokenFactory(
-            resource=file_depository, user__user_fullname=None, user__username=None
+            resource=file_depository.playlist,
+            user__user_fullname=None,
+            user__username=None,
         )
 
         response = self.client.post(

src/backend/marsha/deposit/tests/api/depositedfiles/test_initiate_upload.py

@@ -49,7 +49,9 @@ def test_api_deposited_file_initiate_upload_student(self):
             upload_state=random.choice(["ready", "error"]),
             file_depository__id="ed08da34-7447-4141-96ff-5740315d7b99",
         )
-        jwt_token = StudentLtiTokenFactory(resource=deposited_file.file_depository)
+        jwt_token = StudentLtiTokenFactory(
+            resource=deposited_file.file_depository.playlist
+        )
 
         now = datetime(2018, 8, 8, tzinfo=baseTimezone.utc)
         with mock.patch.object(timezone, "now", return_value=now), mock.patch(
@@ -106,7 +108,9 @@ def test_api_deposited_file_initiate_upload_file_without_size(self):
             upload_state=random.choice(["ready", "error"]),
             file_depository__id="ed08da34-7447-4141-96ff-5740315d7b99",
         )
-        jwt_token = StudentLtiTokenFactory(resource=deposited_file.file_depository)
+        jwt_token = StudentLtiTokenFactory(
+            resource=deposited_file.file_depository.playlist
+        )
 
         now = datetime(2018, 8, 8, tzinfo=baseTimezone.utc)
         with mock.patch.object(timezone, "now", return_value=now), mock.patch(
@@ -134,7 +138,9 @@ def test_api_deposited_file_initiate_upload_file_too_large(self):
             upload_state=random.choice(["ready", "error"]),
             file_depository__id="ed08da34-7447-4141-96ff-5740315d7b99",
         )
-        jwt_token = StudentLtiTokenFactory(resource=deposited_file.file_depository)
+        jwt_token = StudentLtiTokenFactory(
+            resource=deposited_file.file_depository.playlist
+        )
 
         now = datetime(2018, 8, 8, tzinfo=baseTimezone.utc)
         with mock.patch.object(timezone, "now", return_value=now), mock.patch(

src/backend/marsha/deposit/tests/api/filedepositories/test_create.py

@@ -66,7 +66,7 @@ def test_api_file_depository_create_student_with_playlist_token(self):
     def test_api_file_depository_create_instructor(self):
         """An instructor without playlist token should not be able to create a file_depository."""
         file_depository = FileDepositoryFactory()
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
+        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)
 
         response = self.client.post(
             "/api/filedepositories/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"

src/backend/marsha/deposit/tests/api/filedepositories/test_delete.py

@@ -54,7 +54,7 @@ def test_api_file_depository_delete_user_logged_in(self):
     def test_api_file_depository_delete_student(self):
         """A student user should not be able to delete a file_depository."""
         file_depository = FileDepositoryFactory()
-        jwt_token = StudentLtiTokenFactory(resource=file_depository)
+        jwt_token = StudentLtiTokenFactory(resource=file_depository.playlist)
 
         self.assertEqual(FileDepository.objects.count(), 1)
         response = self.client.delete(
@@ -69,7 +69,7 @@ def test_api_file_depository_delete_instructor_read_only(self):
         """An instructor should not be able to delete a file_depository in read_only."""
         file_depository = FileDepositoryFactory()
         jwt_token = InstructorOrAdminLtiTokenFactory(
-            resource=file_depository,
+            resource=file_depository.playlist,
             permissions__can_update=False,
         )
 
@@ -85,7 +85,7 @@ def test_api_file_depository_delete_instructor_read_only(self):
     def test_api_file_depository_delete_instructor(self):
         """An instructor should be able to delete a file_depository."""
         file_depository = FileDepositoryFactory()
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
+        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)
 
         self.assertEqual(FileDepository.objects.count(), 1)
         response = self.client.delete(

src/backend/marsha/deposit/tests/api/filedepositories/test_depositedfiles.py

@@ -51,7 +51,7 @@ def test_api_file_depository_list_deposited_files_student(self):
         DepositedFileFactory.create_batch(3, file_depository=file_depository)
         owned_deposited_file = DepositedFileFactory(file_depository=file_depository)
         jwt_token = StudentLtiTokenFactory(
-            resource=file_depository,
+            resource=file_depository.playlist,
             permissions__can_update=True,
             user__id=owned_deposited_file.author_id,
             user__full_username=owned_deposited_file.author_name,
@@ -90,7 +90,7 @@ def test_api_file_depository_list_deposited_files_instructor(self):
         deposited_files = DepositedFileFactory.create_batch(
             3, file_depository=file_depository
         )
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
+        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)
 
         response = self.client.get(
             f"/api/filedepositories/{file_depository.id}/depositedfiles/?limit=2",
@@ -140,7 +140,7 @@ def test_api_file_depository_list_deposited_files_instructor_filtered(self):
         deposited_files_new = DepositedFileFactory.create_batch(
             2, file_depository=file_depository
         )
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
+        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)
 
         response = self.client.get(
             f"/api/filedepositories/{file_depository.id}/depositedfiles/?limit=10",
@@ -291,7 +291,7 @@ def test_api_file_depository_list_deposited_files_instructor_signed_urls(self):
         deposited_files = DepositedFileFactory.create_batch(
             3, file_depository=file_depository, uploaded_on=now
         )
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
+        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)
 
         now = datetime(2021, 11, 30, tzinfo=baseTimezone.utc)
         with mock.patch.object(timezone, "now", return_value=now), mock.patch(

src/backend/marsha/deposit/tests/api/filedepositories/test_list.py

@@ -43,7 +43,7 @@ def test_api_file_depository_fetch_list_student(self):
         """A student should not be able to fetch a list of file_depository."""
         file_depository = FileDepositoryFactory()
         jwt_token = StudentLtiTokenFactory(
-            resource=file_depository,
+            resource=file_depository.playlist,
             permissions__can_update=True,
         )
 
@@ -55,7 +55,7 @@ def test_api_file_depository_fetch_list_student(self):
     def test_api_file_depository_fetch_list_instructor(self):
         """An instructor should not be able to fetch a file_depository list."""
         file_depository = FileDepositoryFactory()
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
+        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)
 
         response = self.client.get(
             "/api/filedepositories/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"

src/backend/marsha/deposit/tests/api/filedepositories/test_retrieve.py

@@ -38,7 +38,7 @@ def setUpClass(cls):
     def test_api_file_depository_fetch_student(self):
         """A student should be allowed to fetch a file_depository."""
         file_depository = FileDepositoryFactory()
-        jwt_token = StudentLtiTokenFactory(resource=file_depository)
+        jwt_token = StudentLtiTokenFactory(resource=file_depository.playlist)
 
         response = self.client.get(
             f"/api/filedepositories/{file_depository.id!s}/",
@@ -68,7 +68,7 @@ def test_api_file_depository_fetch_from_other_file_depository(self):
         """
         file_depository = FileDepositoryFactory()
         other_file_depository = FileDepositoryFactory()
-        jwt_token = StudentLtiTokenFactory(resource=other_file_depository)
+        jwt_token = StudentLtiTokenFactory(resource=other_file_depository.playlist)
 
         response = self.client.get(
             f"/api/filedepositories/{file_depository.id!s}/",
@@ -79,7 +79,7 @@ def test_api_file_depository_fetch_from_other_file_depository(self):
     def test_api_file_depository_fetch_instructor(self):
         """An instructor should be able to fetch a file_depository."""
         file_depository = FileDepositoryFactory()
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
+        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)
 
         response = self.client.get(
             f"/api/filedepositories/{file_depository.id!s}/",

src/backend/marsha/deposit/tests/api/filedepositories/test_update.py

@@ -55,7 +55,7 @@ def test_api_file_depository_update_user_logged_in(self):
     def test_api_file_depository_update_student(self):
         """A student user should not be able to update a file_depository."""
         file_depository = FileDepositoryFactory()
-        jwt_token = StudentLtiTokenFactory(resource=file_depository)
+        jwt_token = StudentLtiTokenFactory(resource=file_depository.playlist)
         data = {"title": "new title"}
 
         response = self.client.patch(
@@ -70,7 +70,7 @@ def test_api_file_depository_update_instructor_read_only(self):
         """An instructor should not be able to update a file_depository in read_only."""
         file_depository = FileDepositoryFactory()
         jwt_token = InstructorOrAdminLtiTokenFactory(
-            resource=file_depository,
+            resource=file_depository.playlist,
             permissions__can_update=False,
         )
         data = {"title": "new title"}
@@ -86,7 +86,7 @@ def test_api_file_depository_update_instructor_read_only(self):
     def test_api_file_depository_update_instructor(self):
         """An instructor should be able to update a file_depository."""
         file_depository = FileDepositoryFactory()
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
+        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)
         data = {"title": "new title", "description": "Hello"}
 
         response = self.client.patch(

src/backend/marsha/deposit/tests/api/test_options.py

@@ -29,7 +29,7 @@ def test_api_deposited_files_options_as_student(self):
         """A student can fetch the deposited files options endpoint"""
 
         file_depository = FileDepositoryFactory()
-        jwt_token = StudentLtiTokenFactory(resource=file_depository)
+        jwt_token = StudentLtiTokenFactory(resource=file_depository.playlist)
         response = self.client.options(
             f"/api/filedepositories/{file_depository.id}/depositedfiles/",
             HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
@@ -42,7 +42,7 @@ def test_api_deposited_files_options_instructor(self):
         """An instructor can fetch the deposited files options endpoint"""
 
         file_depository = FileDepositoryFactory()
-        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository)
+        jwt_token = InstructorOrAdminLtiTokenFactory(resource=file_depository.playlist)
 
         response = self.client.options(
             f"/api/filedepositories/{file_depository.id}/depositedfiles/",