add collected in and node collections endpoints with tests

Author: Johnetordoff

api/nodes/permissions.py

@@ -183,6 +183,19 @@ def has_object_permission(self, request, view, obj):
             return request.method in permissions.SAFE_METHODS
         return True
 
+
+class ReadOnlyIfPublicOrContributor(permissions.BasePermission):
+    def has_object_permission(self, request, view, obj):
+        user_auth = get_user_auth(request)
+        node = view.get_node(check_object_permissions=False)  # recursion if true
+
+        # Allow if public
+        if node.is_public:
+            return True
+
+        # Allow if the user has read permission
+        return node.has_permission(user_auth.user, 'read')
+
 class ContributorDetailPermissions(permissions.BasePermission):
     """Permissions for contributor detail page."""
 

api/nodes/serializers.py

@@ -28,7 +28,7 @@
 from django.core.exceptions import ValidationError
 from framework.auth.core import Auth
 from framework.exceptions import PermissionsError
-from osf.models import Tag
+from osf.models import Tag, CollectionSubmission
 from rest_framework import serializers as ser
 from rest_framework import exceptions
 from addons.base.exceptions import InvalidAuthError, InvalidFolderError
@@ -324,6 +324,12 @@ class NodeSerializer(TaxonomizableSerializerMixin, JSONAPISerializer):
         related_meta={'count': 'get_node_count'},
     )
 
+    collected_in = RelationshipField(
+        related_view='nodes:node-collections',
+        related_view_kwargs={'node_id': '<_id>'},
+        related_meta={'count': 'get_collection_count'},
+    )
+
     comments = RelationshipField(
         related_view='nodes:node-comments',
         related_view_kwargs={'node_id': '<_id>'},
@@ -620,6 +626,9 @@ def get_absolute_url(self, obj):
     def get_logs_count(self, obj):
         return obj.logs.count()
 
+    def get_collection_count(self, obj):
+        return CollectionSubmission.objects.filter(guid___id=obj._id).count()
+
     def get_node_count(self, obj):
         """
         Returns the count of a node's direct children that the user has permission to view.

api/nodes/urls.py

@@ -19,6 +19,7 @@
     re_path(r'^(?P<node_id>\w+)/citation/$', views.NodeCitationDetail.as_view(), name=views.NodeCitationDetail.view_name),
     re_path(r'^(?P<node_id>\w+)/citation/(?P<style_id>[-\w]+)/$', views.NodeCitationStyleDetail.as_view(), name=views.NodeCitationStyleDetail.view_name),
     re_path(r'^(?P<node_id>\w+)/comments/$', views.NodeCommentsList.as_view(), name=views.NodeCommentsList.view_name),
+    re_path(r'^(?P<node_id>\w+)/collections/$', views.NodeCollectionsList.as_view(), name=views.NodeCollectionsList.view_name),
     re_path(r'^(?P<node_id>\w+)/contributors_and_group_members/$', views.NodeContributorsAndGroupMembersList.as_view(), name=views.NodeContributorsAndGroupMembersList.view_name),
     re_path(r'^(?P<node_id>\w+)/implicit_contributors/$', views.NodeImplicitContributorsList.as_view(), name=views.NodeImplicitContributorsList.view_name),
     re_path(r'^(?P<node_id>\w+)/contributors/$', views.NodeContributorsList.as_view(), name=views.NodeContributorsList.view_name),

api/nodes/views.py

@@ -4,6 +4,8 @@
 
 import dataclasses
 import waffle
+
+from api.collections.serializers import CollectionSerializer
 from osf import features
 from packaging.version import Version
 from django.apps import apps
@@ -96,6 +98,7 @@
     ExcludeWithdrawals,
     NodeLinksShowIfVersion,
     ReadOnlyIfWithdrawn,
+    ReadOnlyIfPublicOrContributor,
 )
 from api.nodes.serializers import (
     NodeSerializer,
@@ -158,7 +161,7 @@
     File,
     Folder,
     CedarMetadataRecord,
-    Preprint,
+    Preprint, Collection,
 )
 from addons.osfstorage.models import Region
 from osf.utils.permissions import ADMIN, WRITE_NODE
@@ -1674,6 +1677,27 @@ def perform_create(self, serializer):
         serializer.save()
 
 
+class NodeCollectionsList(JSONAPIBaseView, generics.ListAPIView, ListFilterMixin, NodeMixin):
+    permission_classes = (
+        drf_permissions.IsAuthenticatedOrReadOnly,
+        base_permissions.TokenHasScope,
+        ReadOnlyIfPublicOrContributor,
+    )
+
+    required_read_scopes = [CoreScopes.NODE_COLLECTIONS_READ]
+    required_write_scopes = [CoreScopes.NODE_COLLECTIONS_WRITE]
+
+    serializer_class = CollectionSerializer
+    view_category = 'nodes'
+    view_name = 'node-collections'
+
+    def get_default_queryset(self):
+        return Collection.objects.filter(guid_links___id=self.get_node()._id)
+
+    def get_queryset(self):
+        return self.get_queryset_from_request()
+
+
 class NodeInstitutionsList(JSONAPIBaseView, generics.ListAPIView, ListFilterMixin, NodeMixin):
     """The documentation for this endpoint can be found [here](https://developer.osf.io/#operation/nodes_institutions_list).
     """

api_tests/base/test_serializers.py

@@ -196,7 +196,17 @@ def test_registration_serializer(self):
             'cedar_metadata_records',
         ]
         # fields that do not appear on registrations
-        non_registration_fields = ['registrations', 'draft_registrations', 'templated_by_count', 'settings', 'storage', 'children', 'groups', 'subjects_acceptable']
+        non_registration_fields = [
+            'registrations',
+            'draft_registrations',
+            'templated_by_count',
+            'settings',
+            'storage',
+            'children',
+            'groups',
+            'subjects_acceptable',
+            'collected_in'
+        ]
 
         for field in NodeSerializer._declared_fields:
             assert field in RegistrationSerializer._declared_fields

api_tests/nodes/serializers/test_serializers.py

@@ -158,6 +158,7 @@ def test_serialization(self):
             'groups',
             'original_response',
             'latest_response',
+            'collected_in',
         ]
 
         # Attributes

api_tests/nodes/views/test_node_collections_list.py

@@ -0,0 +1,107 @@
+import pytest
+
+from osf_tests.factories import (
+    ProjectFactory,
+    CollectionFactory,
+    AuthUserFactory
+)
+from api.base.settings.defaults import API_BASE
+
+
+@pytest.mark.django_db
+class TestNodeCollectionsList:
+    @pytest.fixture()
+    def user(self):
+        return AuthUserFactory()
+
+    @pytest.fixture()
+    def user_two(self):
+        return AuthUserFactory()
+
+    @pytest.fixture()
+    def public_project(self, user):
+        return ProjectFactory(is_public=True, creator=user)
+
+    @pytest.fixture()
+    def private_project(self, user):
+        return ProjectFactory(is_public=False, creator=user)
+
+    @pytest.fixture()
+    def collection(self, user):
+        return CollectionFactory(creator=user)
+
+    def test_public_node_collections_list_logged_out(self, app, public_project, collection):
+        collection.collect_object(public_project, collector=collection.creator)
+        res = app.get(f'/{API_BASE}nodes/{public_project._id}/collections/')
+        assert res.status_code == 200
+        assert len(res.json['data']) == 1
+        assert res.json['data'][0]['id'] == collection._id
+
+    def test_public_node_collections_list_logged_in(self, app, user_two, public_project, collection):
+        collection.collect_object(public_project, collector=collection.creator)
+        res = app.get(f'/{API_BASE}nodes/{public_project._id}/collections/', auth=user_two.auth)
+        assert res.status_code == 200
+        assert len(res.json['data']) == 1
+        assert res.json['data'][0]['id'] == collection._id
+
+    def test_private_node_collections_list_admin(self, app, user, private_project, collection):
+        collection.collect_object(private_project, collector=user)
+        res = app.get(f'/{API_BASE}nodes/{private_project._id}/collections/', auth=user.auth)
+        assert res.status_code == 200
+        assert len(res.json['data']) == 1
+        assert res.json['data'][0]['id'] == collection._id
+
+    def test_private_node_collections_list_non_contrib(self, app, user_two, private_project, collection):
+        collection.collect_object(private_project, collector=collection.creator)
+        res = app.get(
+            f'/{API_BASE}nodes/{private_project._id}/collections/',
+            auth=user_two.auth,
+            expect_errors=True
+        )
+        assert res.status_code == 403
+
+    def test_private_node_collections_list_logged_out(self, app, private_project, collection):
+        collection.collect_object(private_project, collector=collection.creator)
+        res = app.get(f'/{API_BASE}nodes/{private_project._id}/collections/', expect_errors=True)
+        assert res.status_code == 401
+
+    def test_multiple_collections_linked_to_node(self, app, public_project, user):
+        collection1 = CollectionFactory(creator=user)
+        collection2 = CollectionFactory(creator=user)
+        collection3 = CollectionFactory(creator=user)
+
+        collection1.collect_object(public_project, collector=user)
+        collection2.collect_object(public_project, collector=user)
+        collection3.collect_object(public_project, collector=user)
+
+        res = app.get(f'/{API_BASE}nodes/{public_project._id}/collections/')
+        assert res.status_code == 200
+        ids = [col['id'] for col in res.json['data']]
+        assert set(ids) == {collection1._id, collection2._id, collection3._id}
+
+    def test_remove_node_from_collection(self, app, public_project, user):
+        collection1 = CollectionFactory(creator=user)
+        collection2 = CollectionFactory(creator=user)
+
+        collection1.collect_object(public_project, collector=user)
+        collection2.collect_object(public_project, collector=user)
+
+        # Remove public_project from collection2
+        collection2.collectionsubmission_set.first().delete()
+
+        res = app.get(f'/{API_BASE}nodes/{public_project._id}/collections/')
+        assert res.status_code == 200
+        ids = [col['id'] for col in res.json['data']]
+        assert set(ids) == {collection1._id}
+
+    def test_unlinked_collections_not_included(self, app, public_project, user):
+        linked = CollectionFactory(creator=user)
+        unlinked = CollectionFactory(creator=user)
+
+        linked.collect_object(public_project, collector=user)
+
+        res = app.get(f'/{API_BASE}nodes/{public_project._id}/collections/')
+        assert res.status_code == 200
+        ids = [col['id'] for col in res.json['data']]
+        assert linked._id in ids
+        assert unlinked._id not in ids

api_tests/nodes/views/test_node_detail.py

@@ -334,6 +334,13 @@ def test_node_shows_wiki_relationship_based_on_disabled_status_and_version(self,
         res = app.get(url, auth=user.auth)
         assert 'wikis' in res.json['data']['relationships']
 
+    def test_node_shows_collected_in_relationship(self, app, user, project_public, url_public):
+        res = app.get(
+            url_public,
+            auth=user.auth
+        )
+        assert 'collected_in' in res.json['data']['relationships']
+
     def test_preprint_field(self, app, user, user_two, project_public, url_public):
         # Returns true if project holds supplemental material for a preprint a user can view
         # Published preprint, admin_contrib
@@ -617,6 +624,8 @@ def test_current_user_permissions(self, app, user, url_public, project_public, u
         assert res.json['data']['attributes']['current_user_is_contributor_or_group_member'] is False
         assert res.json['data']['attributes']['current_user_is_contributor'] is False
 
+        assert res.json['data']['relationships']['collected_in']
+
     def test_current_user_permissions_vol(self, app, user, url_public, project_public):
         '''
         User's including view only link query params should get ONLY read permissions even if they are admins etc.

api_tests/registrations/views/test_registration_detail.py

@@ -239,6 +239,10 @@ def test_registration_detail(
 
 class TestRegistrationUpdateTestCase:
 
+    @pytest.fixture()
+    def user(self):
+        return AuthUserFactory()
+
     @pytest.fixture()
     def read_only_contributor(self):
         return AuthUserFactory()

framework/auth/oauth_scopes.py

@@ -45,6 +45,9 @@ class CoreScopes:
 
     MEETINGS_READ = 'meetings.base_read'
 
+    NODE_COLLECTIONS_READ = 'node_collections_read'
+    NODE_COLLECTIONS_WRITE = 'node_collections_write'
+
     NODE_BASE_READ = 'nodes.base_read'
     NODE_BASE_WRITE = 'nodes.base_write'