fix(api): Ensure that organizations can't be created via the API

!44 fixes #155

app/access/tests/unit/organization/test_organizaiton_permission_api.py

@@ -5,7 +5,7 @@
 from django.contrib.auth.models import AnonymousUser, User
 from django.contrib.contenttypes.models import ContentType
 from django.shortcuts import reverse
-from django.test import TestCase
+from django.test import Client, TestCase
 
 from access.models import Organization, Team, TeamUsers, Permission
 
@@ -24,7 +24,7 @@ class OrganizationPermissionsAPI(TestCase, APIPermissionChange, APIPermissionVie
 
     url_name = '_api_organization'
 
-    url_list = 'device-list'
+    url_list = '_api_orgs'
 
     change_data = {'name': 'device'}
 
@@ -124,6 +124,8 @@ def setUpTestData(self):
         delete_team.permissions.set([delete_permissions])
 
 
+        self.super_user = User.objects.create_user(username="super_user", password="password", is_superuser=True)
+
         self.no_permissions_user = User.objects.create_user(username="test_no_permissions", password="password")
 
 
@@ -171,3 +173,67 @@ def setUpTestData(self):
             team = different_organization_team,
             user = self.different_organization_user
         )
+
+
+    def test_add_is_prohibited_anon_user(self):
+        """ Ensure Organization cant be created 
+
+        Attempt to create organization as anon user
+        """
+
+        client = Client()
+        url = reverse(self.app_namespace + ':' + self.url_list)
+
+
+        # client.force_login(self.add_user)
+        response = client.post(url, data={'name': 'should not create'}, content_type='application/json')
+
+        assert response.status_code == 401
+
+
+    def test_add_is_prohibited_diff_org_user(self):
+        """ Ensure Organization cant be created 
+
+        Attempt to create organization as user with different org permissions.
+        """
+
+        client = Client()
+        url = reverse(self.app_namespace + ':' + self.url_list)
+
+
+        client.force_login(self.different_organization_user)
+        response = client.post(url, data={'name': 'should not create'}, content_type='application/json')
+
+        assert response.status_code == 405
+
+
+    def test_add_is_prohibited_super_user(self):
+        """ Ensure Organization cant be created 
+
+        Attempt to create organization as user who is super user
+        """
+
+        client = Client()
+        url = reverse(self.app_namespace + ':' + self.url_list)
+
+
+        client.force_login(self.super_user)
+        response = client.post(url, data={'name': 'should not create'}, content_type='application/json')
+
+        assert response.status_code == 405
+
+
+    def test_add_is_prohibited_user_same_org(self):
+        """ Ensure Organization cant be created 
+
+        Attempt to create organization as user with permission
+        """
+
+        client = Client()
+        url = reverse(self.app_namespace + ':' + self.url_list)
+
+
+        client.force_login(self.add_user)
+        response = client.post(url, data={'name': 'should not create'}, content_type='application/json')
+
+        assert response.status_code == 405

app/api/views/access.py

@@ -1,18 +1,25 @@
 from django.contrib.auth.models import Permission
 
+from drf_spectacular.utils import extend_schema, extend_schema_view, OpenApiResponse
+
 from rest_framework import generics, routers, serializers, views
 from rest_framework.permissions import DjangoObjectPermissions
 from rest_framework.response import Response
 
 from access.mixin import OrganizationMixin
 from access.models import Organization, Team
 
-from api.serializers.access import OrganizationSerializer, OrganizationListSerializer, TeamSerializer
+from api.serializers.access import OrganizationSerializer, OrganizationListSerializer, TeamSerializer, TeamPermissionSerializer
 from api.views.mixin import OrganizationPermissionAPI
 
 
-
-class OrganizationList(generics.ListCreateAPIView):
+@extend_schema_view(
+    get=extend_schema(
+        summary = "Fetch Organizations",
+        description="Returns a list of organizations."
+    ),
+)
+class OrganizationList(generics.ListAPIView):
 
     permission_classes = [
         OrganizationPermissionAPI
@@ -28,7 +35,18 @@ def get_view_name(self):
 
 
 
-class OrganizationDetail(generics.RetrieveUpdateDestroyAPIView):
+@extend_schema_view(
+    get=extend_schema(
+        summary = "Get An Organization",
+    ),
+    patch=extend_schema(
+        summary = "Update an organization",
+    ),
+    put=extend_schema(
+        summary = "Update an organization",
+    ),
+)
+class OrganizationDetail(generics.RetrieveUpdateAPIView):
 
     permission_classes = [
         OrganizationPermissionAPI