From 1bb56c25fe6772b432e223e5a66ca4fd003a4f54 Mon Sep 17 00:00:00 2001
From: Alexander-D-Karpov
Date: Fri, 10 Jun 2022 01:12:45 +0300
Subject: [PATCH] added check for hero identity, fixed deck update
---
 game/api/v1/serializers.py | 28 +++++++++++++++++++---------
 game/api/v1/views.py | 36 ++++++++++++++++++++----------------
 2 files changed, 39 insertions(+), 25 deletions(-)
diff --git a/game/api/v1/serializers.py b/game/api/v1/serializers.py
index 3305596..acff60f 100644
--- a/game/api/v1/serializers.py
+++ b/game/api/v1/serializers.py
@@ -1,5 +1,3 @@
-from abc import ABC
-
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
@@ -66,17 +64,24 @@ class CreateDeckSerializer(serializers.ModelSerializer):
 fields = ("hero_ids",)
 def validate_hero_ids(self, value):
- if self.context["request"].method == "POST":
- for x in value:
- if not (hero := Hero.objects.filter(uuid=x)):
- raise ValidationError(f"Hero with uuid {x} doesn't exist")
+ if len(set(value)) != 16:
+ raise ValidationError("Some of the uuids are not unique")
+ for x in value:
+ if not (hero := Hero.objects.filter(uuid=x)):
+ raise ValidationError(f"Hero with uuid {x} doesn't exist")
+
+ if hero.first().player.id != self.context["request"].user.id:
+ raise ValidationError(
+ f"Attempt to manipulate player with id {hero.first().player.id} hero"
+ )
+
+ if self.context["request"].method in ["POST"]:
 if deck := HeroInDeck.objects.filter(hero=hero.first()):
 raise ValidationError(
 f"Hero with uuid {x} is already in deck with id {deck.first().deck.id}"
 )
- elif self.context["request"].method in ["PUT", "PATCH"]:
- print(value)
+
 return value
 def create(self, validated_data):
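Review bot: In `validate_hero_ids`, the new ownership failure message `f"Attempt to manipulate player with id {hero.first().player.id} hero"` returns the owning player's id to whoever submitted the uuid, so any authenticated caller can learn which player owns a given hero. A message that does not echo the owner keeps the check without the disclosure, e.g. `raise ValidationError(f"Hero with uuid {x} is not owned by the requesting player")`. Separately, the "already in deck" check now runs only for POST, so a PUT can name a hero that already sits in another deck; that case should be rejected too, presumably by comparing against the deck being updated. The size guard `len(set(value)) != 16` also fires when the list is simply shorter or longer than 16, so its "not unique" message is misleading for those inputs.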
@@ -86,7 +91,12 @@ class CreateDeckSerializer(serializers.ModelSerializer):
 return deck
 def update(self, instance, validated_data):
- print(instance, validated_data)
+ for x in instance.get_heroes():
+ HeroInDeck.objects.get(hero=x).delete()
+
+ for x in validated_data["hero_ids"]:
+ HeroInDeck.objects.create(hero_id=x, deck=instance)
+
 return instance
diff --git a/game/api/v1/views.py b/game/api/v1/views.py
index bcfcf67..ee3b564 100644
--- a/game/api/v1/views.py
+++ b/game/api/v1/views.py
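Review bot: `CreateDeckSerializer.update` in game/api/v1/serializers.py deletes the deck's existing `HeroInDeck` rows and then recreates them one by one outside a transaction, so a failure in any `create` (for instance a hero already linked to another deck, which validation no longer checks on PUT) can leave the deck empty or half-filled. Wrapping both loops in `with transaction.atomic():` (from `django.db`) makes the replacement all-or-nothing. The per-hero `HeroInDeck.objects.get(hero=x).delete()` also raises when a hero has no row or more than one; `HeroInDeck.objects.filter(deck=instance).delete()` would clear the deck in one query, assuming `get_heroes()` returns exactly the heroes linked through `HeroInDeck`. A one-line docstring such as `"""Replace the deck's heroes with validated_data["hero_ids"]."""` would document the replace-all semantics.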
@@ -119,31 +119,35 @@ class RetireUpdateDeleteDeckView(
 def get(self, request, *args, **kwargs):
 return self.retrieve(request, *args, **kwargs)
- def put(self, request, *args, **kwargs):
- if not self._check_user_identity(request.user.id, kwargs["id"]):
- return Response(
- "Attempt to change another user's deck",
- status=status.HTTP_403_FORBIDDEN,
- )
- return self.update(request, *args, **kwargs)
+ def perform_update(self, serializer):
+ return serializer.update(self.get_object(), self.request.data)
- def patch(self, request, *args, **kwargs):
- if not self._check_user_identity(request.user.id, kwargs["id"]):
+ def put(self, request, *args, **kwargs):
+ if not self._check_user_identity(kwargs["id"]):
 return Response(
 "Attempt to change another user's deck",
 status=status.HTTP_403_FORBIDDEN,
 )
- return self.partial_update(request, *args, **kwargs)
+ serializer = self.get_serializer(data=request.data)
+ serializer.is_valid(raise_exception=True)
+ instance = self.perform_update(serializer)
+ heroes_list = ListHeroSerializer(instance.get_heroes(), many=True)
+ return Response(heroes_list.data, status=status.HTTP_200_OK)
 def delete(self, request, *args, **kwargs):
- if not self._check_user_identity(request.user.id, kwargs["id"]):
+ if not self._check_user_identity(kwargs["id"]):
 return Response(
 "Attempt to delete another user's deck",
 status=status.HTTP_403_FORBIDDEN,
 )
- return self.destroy(request, *args, **kwargs)
-
- def _check_user_identity(self, user_id, deck_id) -> bool:
- return deck_id in list(
- Deck.objects.filter(player_id=user_id).values_list("id", flat=True)
+ self.destroy(request, *args, **kwargs)
+ return Response(
+ f"Destroyed deck with id {kwargs['id']}", status=status.HTTP_200_OK
+ )
+
+ def _check_user_identity(self, deck_id) -> bool:
+ return deck_id in list(
+ Deck.objects.filter(player_id=self.request.user.id).values_list(
+ "id", flat=True
+ )
 )
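Review bot: `perform_update` passes `self.request.data` to `serializer.update`, so the deck rows are created from the raw request body rather than from what `is_valid()` checked; the two can differ (form-encoded bodies, where indexing a QueryDict yields only the last value, or any field coercion), which weakens the ownership validation added in the serializer. Passing the validated payload closes that gap: `return serializer.update(self.get_object(), serializer.validated_data)`. The `patch` handler is removed in this hunk, so PATCH is presumably no longer served by this view; worth confirming that is intended. `_check_user_identity` still loads every deck id of the user to test membership; `Deck.objects.filter(id=deck_id, player_id=self.request.user.id).exists()` does the same in one query and does not depend on `kwargs["id"]` having the same type as the stored ids. The class header and its base classes lie outside the hunk.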