bisco/azionelab
1
0
Fork 0
generated from bisco/codex-bootstrap
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(api): add basic booking throttling

Browse Source
This commit is contained in:
bisco
2026-04-29 22:57:09 +02:00
parent a8f2a7c803
commit 0533a1799f
5 changed files with 111 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
backend/checkins/test_api.py
View File

@@ -1,13 +1,16 @@
from datetime import timedelta
from unittest.mock import patch
from django.contrib.auth import get_user_model
from django.urls import reverse
from django.test.utils import override_settings
from django.utils import timezone
from rest_framework import status
from rest_framework.test import APITestCase
from bookings.models import Reservation, ReservationToken
from checkins.models import CheckIn
from checkins.views import CheckInPreviewThrottle
from shows.models import Performance, Show, Venue
@@ -105,6 +108,28 @@ class CheckInApiTests(APITestCase):
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
self.assertEqual(response.data["status"], "invalid_token")
def test_preview_is_throttled_for_staff_user(self):
with patch.dict(CheckInPreviewThrottle.THROTTLE_RATES, {"check_in_preview": "1/minute"}, clear=False):
first_reservation = self.create_reservation(email="first@example.com")
_, first_raw_token = self.create_check_in_token(first_reservation)
second_reservation = self.create_reservation(email="second@example.com")
_, second_raw_token = self.create_check_in_token(second_reservation)
self.client.force_authenticate(user=self.staff_user)
first_response = self.client.post(
reverse("api-check-in-preview"),
{"token": first_raw_token},
format="json",
)
second_response = self.client.post(
reverse("api-check-in-preview"),
{"token": second_raw_token},
format="json",
)
self.assertEqual(first_response.status_code, status.HTTP_200_OK)
self.assertEqual(second_response.status_code, status.HTTP_429_TOO_MANY_REQUESTS)
def test_check_in_success_as_staff_user(self):
reservation = self.create_reservation()
_, raw_token = self.create_check_in_token(reservation)

29
backend/checkins/views.py
View File

@@ -1,8 +1,9 @@
from rest_framework import status
from rest_framework.authentication import BasicAuthentication, SessionAuthentication
from rest_framework.decorators import api_view, authentication_classes, permission_classes
from rest_framework.decorators import api_view, authentication_classes, permission_classes, throttle_classes
from rest_framework.permissions import BasePermission, IsAuthenticated
from rest_framework.response import Response
from rest_framework.throttling import UserRateThrottle
from .serializers import (
CheckInConfirmResponseSerializer,
@@ -19,19 +20,22 @@ from .services import (
)
class CheckInPreviewThrottle(UserRateThrottle):
scope = "check_in_preview"
class CheckInConfirmThrottle(UserRateThrottle):
scope = "check_in_confirm"
class IsStaffUser(BasePermission):
def has_permission(self, request, view):
return bool(request.user and request.user.is_staff)
def staff_check_in_view(view_func):
view_func = permission_classes([IsAuthenticated, IsStaffUser])(view_func)
view_func = authentication_classes([BasicAuthentication, SessionAuthentication])(view_func)
view_func = api_view(["POST"])(view_func)
return view_func
@staff_check_in_view
@api_view(["POST"])
@authentication_classes([BasicAuthentication, SessionAuthentication])
@permission_classes([IsAuthenticated, IsStaffUser])
@throttle_classes([CheckInPreviewThrottle])
def check_in_preview(request):
serializer = CheckInTokenSerializer(data=request.data)
serializer.is_valid(raise_exception=True)
@@ -73,7 +77,10 @@ def check_in_preview(request):
return Response(response_serializer.data)
@staff_check_in_view
@api_view(["POST"])
@authentication_classes([BasicAuthentication, SessionAuthentication])
@permission_classes([IsAuthenticated, IsStaffUser])
@throttle_classes([CheckInConfirmThrottle])
def check_in_confirm(request):
serializer = CheckInTokenSerializer(data=request.data)
serializer.is_valid(raise_exception=True)