[API] PUT and PATCH methods added to Candidates visit/instruments/flags

[spell00]

Brief summary of changes

The methods handlePUT and handlePATCH were added to the endpoint /candidates/<candid>/<visit>/instruments/<instrument>.

Testing instructions

Testing the PUT handle method

1. Go to https://<hostname>/api/v0.0.3/candidates/300002/V1/instruments/aosi/flags in a browser.

2. The fields Data_entry, Administration and Validity field should be NULL

3. In a terminal, login by sending the POST request below:
   ~$ curl https://<hostname>/api/v0.0.3/login -d '{"username": "<username>", "password": "<password>"}'

4. The expected response is: {"token": ""}. Store the token in a variable token='<a-really-long-string>'.

5. In the terminal, enter curl -X PUT -H "Authorization: Bearer $token" https://<hostname>/api/v0.0.3/candidates/300002/V1/instruments/aosi/flags -d '{"Flags": {"Data_entry": "In Progress", "Administration": "All", "Validity": "Valid"}}'

6. Go back to https://<hostname>/api/v0.0.3/candidates/300002/V1/instruments/aosi/flags in the same browser as in step 1. Data_entry should be "In Progress", Administration should be "all" and Validity should be "Valid".

7. In the terminal, enter curl -X PUT -H "Authorization: Bearer $token" https://<hostname>/api/v0.0.3/candidates/300002/V1/instruments/aosi -d '{"Flags": {"Data_entry": "In Progress", "Administration": null, "Validity": "Questionable"}}'

8. The field Administration should be changed to null and Validity should be "Questionable"

Testing the PATCH handle method

1. Go to https://<hostname>/api/v0.0.3/candidates/300002/V1/instruments/aosi/flags in a browser.

2. The fields Data_entry field should be NULL , Administration should be "Partial" and Validity should be "Questionable"

3. In the terminal, enter curl -X PATCH -H "Authorization: Bearer $token" https://<hostname>/api/v0.0.3/candidates/300002/V1/instruments/aosi/flags -d '{"Flags": {"Data_entry": null, "Administration": "All"}}'

4. Go back to https://<hostname>/api/v0.0.3/candidates/300002/V1/instruments/aosi/flags in the same browser as in step 1. The Data_entry value should now be updated without changing anything else. You should now see "Data_entry" is null ,Validity is still "Questionable" and see that Administration is All in the json string

Link(s) to related issue(s)

• Resolves [API] The endpoint /candidates/{candid}/{visit}/instruments/{instrument}/flags needs methods to handle PUT and PATCH requests #6777

[xlecours]

This is exactly how it should be done.
I still need to test it though.

Wait, this is for the flags but the code updates the instrument's data.

[spell00]

I corrected the mistakes in the testing instructions to actually test the PUT and PATCH requests for the flags endpoint instead of instrument , plus it is now actually working

[spell00]

Thanks @xlecours for your suggestion, using NDB_BVL_InstrumentStatus.class.inc makes much more sense! The PUT and PATCH functions work for me now with this branch using the testing instructions in the PR description.

[christinerogers]

@spell00 the ball is in your court on this one i believe.

[spell00]

@driusan This PR is approaved and is is ready for your review

[spell00]

@xlecours @driusan It is now passing Travis and ready for final review

[driusan]

See my comments on #7088.. I think the lines I commented on there were just in that PR because it builds on this one.

[driusan]

See comment on #7088

[spell00]

are you sure you didn't mean your comment on #7075 ? I applied the change here, as it builds on this one.

[spell00]

data_entry is already checked. The second point is resolved in the parent endpoint modules/api/php/endpoints/candidate/visit/instrument/instrument.class.inc (the part commented by Xavier below), so a user without permission can't reach this function.

[xlecours]

I don't think $user is a string.

[spell00]

_hasAccess does not take a string

Loris/php/libraries/NDB_BVL_Instrument.class.inc

Line 302 in c1bb1da

function _hasAccess(\User $user) : bool

[spell00]

nevermind I just got it, I'll remove the parameter $user from the message

[spell00]

done

[spell00]

See my comments on #7088.. I think the lines I commented on there were just in that PR because it builds on this one.

Maybe you mean #7075? it is the PR that builds on this one. I checked the User is permitted to update instruments in modules/api/php/endpoints/candidate/visit/instrument/instrument.class.inc line 97, where I use

if ($this->_instrument->_hasAccess($user)) { ...

[spell00]

@xlecours @driusan I did the corrections, this is ready for re-review

[driusan]

This looks like it's missing a check for the data_entry permission. From what I can tell determineDataEntryAllowed isn't sufficient, it just checks the 'Complete' flag in the backend, not the permissions.

[driusan]

lgtm.. @xlecours does it still look good to you?