From 906078a1662c945c951be8f7336e2df1365b67cd Mon Sep 17 00:00:00 2001
From: Roberto Rosario
Date: Mon, 3 Nov 2014 01:37:07 -0400
Subject: [PATCH] Don't allow the client to specify user id in the POST request, take it from the request.user
---
mayan/apps/folders/api_views.py | 19 +++++++++++++++++--
mayan/apps/folders/serializers.py | 1 +
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/mayan/apps/folders/api_views.py b/mayan/apps/folders/api_views.py
index 5266bfa8fd..58b5a02c6b 100644
--- a/mayan/apps/folders/api_views.py
+++ b/mayan/apps/folders/api_views.py
@@ -39,6 +39,21 @@ class APIFolderListView(generics.ListCreateAPIView):
"""Create a new folder."""
return super(APIFolderListView, self).post(*args, **kwargs)
+ def create(self, request, *args, **kwargs):
+ data = request.DATA
+ serializer = self.get_serializer(data=request.DATA, files=request.FILES)
+
+ if serializer.is_valid():
+ serializer.object.user = request.user
+ self.pre_save(serializer.object)
+ self.object = serializer.save(force_insert=True)
+ self.post_save(self.object, created=True)
+ headers = self.get_success_headers(serializer.data)
+ return Response(serializer.data, status=status.HTTP_201_CREATED,
+ headers=headers)
+
+ return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+
class APIFolderView(generics.RetrieveUpdateDestroyAPIView):
serializer_class = FolderSerializer
@@ -86,8 +101,7 @@ class APIFolderDocumentListView(generics.ListAPIView):
except PermissionDenied:
AccessEntry.objects.check_access(PERMISSION_FOLDER_VIEW, self.request.user, folder)
- queryset = folder.documents.all()
- return queryset
+ return folder.documents.all()
class APIDocumentFolderListView(generics.ListAPIView):
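Review bot: `data = request.DATA` on the first line of the new create() is never read — the serializer is built from `request.DATA` directly — so the line should go; beyond that, the body re-implements the mixin's create flow only to insert one assignment, and the hook that flow already calls (`self.pre_save(serializer.object)`, visible in the hunk) would carry it in three lines: `def pre_save(self, obj):` / `"""Owner is set server-side; the serializer marks 'user' read-only."""` / `obj.user = self.request.user`. Whichever form stays needs a docstring stating that the folder owner is taken from the authenticated request and never from the payload, since that is the point of the commit. If the view's permission classes (outside the hunk) admit unauthenticated callers, request.user is an AnonymousUser and the assignment fails at save time with a 500 rather than a 401/403 — worth confirming the view requires authentication.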
@@ -123,6 +137,7 @@ class APIFolderDocumentView(views.APIView):
folder.documents.remove(document)
return Response(status=status.HTTP_204_NO_CONTENT)
+ # TODO: move this method as post of APIFolderDocumentListView
def post(self, request, *args, **kwargs):
"""Add a document to the selected folder."""
diff --git a/mayan/apps/folders/serializers.py b/mayan/apps/folders/serializers.py
index d42fe18358..415058f597 100644
--- a/mayan/apps/folders/serializers.py
+++ b/mayan/apps/folders/serializers.py
@@ -11,3 +11,4 @@ class FolderSerializer(serializers.ModelSerializer):
class Meta:
fields = ('id', 'title', 'user', 'datetime_created', 'documents')
model = Folder
+ read_only_fields = ('user',)
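Review bot: The new `read_only_fields = ('user',)` makes a client-supplied `user` silently discarded rather than rejected, and nothing in the serializer records where the value comes from; a comment above the line such as `# 'user' is assigned by the view from request.user; any value in the payload is ignored.` would stop the next maintainer from dropping it as unused. Since this line is what prevents a caller from creating folders on another account's behalf, a test that POSTs a folder with a different user id and asserts the saved owner is the requesting user would pin the behaviour.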