[ENG-7750] Preprint creator cannot remove bibliographic citation status (#11087)

## Purpose
fix preprint creator cannot remove bibliographic citation status

## Changes
- move restriction logic to serializer field validator to validate only permission field during any updates: PATCH, PUT
- add more tests

## Ticket
https://openscience.atlassian.net/browse/ENG-7750

Author: antkryt

api/preprints/serializers.py

@@ -49,6 +49,7 @@
     NodeLicense,
 )
 from osf.utils import permissions as osf_permissions
+from osf.utils.workflows import DefaultStates
 
 
 class PrimaryFileRelationshipField(RelationshipField):
@@ -625,6 +626,20 @@ class PreprintContributorDetailSerializer(NodeContributorDetailSerializer, Prepr
     id = IDField(required=True, source='_id')
     index = ser.IntegerField(required=False, read_only=False, source='_order')
 
+    def validate_permission(self, value):
+        preprint = self.context.get('resource')
+        user = self.context.get('user')
+        if (
+            user  # if user is None then probably we're trying to make bulk update and this validation is not relevant
+            and preprint.machine_state == DefaultStates.INITIAL.value
+            and preprint.creator_id == user.id
+        ):
+            raise ValidationError(
+                'You cannot change your permission setting at this time. '
+                'Have another admin contributor edit your permission after you’ve submitted your preprint',
+            )
+        return value
+
 
 class PreprintStorageProviderSerializer(NodeStorageProviderSerializer):
     node = HideIfPreprint(ser.CharField(source='node_id', read_only=True))

api/preprints/views.py

@@ -77,10 +77,10 @@ class PreprintOldVersionsImmutableMixin:
 
     @staticmethod
     def is_edit_allowed(preprint):
-        if preprint.is_latest_version or preprint.machine_state == 'initial':
+        if preprint.is_latest_version or preprint.machine_state == DefaultStates.INITIAL.value:
             return True
         if preprint.provider.reviews_workflow == Workflows.PRE_MODERATION.value:
-            if preprint.machine_state == 'pending' or preprint.machine_state == 'rejected':
+            if preprint.machine_state == DefaultStates.PENDING.value or preprint.machine_state == DefaultStates.REJECTED.value:
                 return True
         return False
 
@@ -535,19 +535,10 @@ def get_object(self):
     def get_serializer_context(self):
         context = JSONAPIBaseView.get_serializer_context(self)
         context['resource'] = self.get_preprint()
+        context['user'] = self.get_user()
         context['default_email'] = 'preprint'
         return context
 
-    def patch(self, *args, **kwargs):
-        preprint = self.get_resource()
-        user = self.get_user()
-        if preprint.machine_state == DefaultStates.INITIAL.value and preprint.creator_id == user.id:
-            raise ValidationError(
-                'You cannot change your permission setting at this time. '
-                'Have another admin contributor edit your permission after you’ve submitted your preprint',
-            )
-        return super().patch(*args, **kwargs)
-
     def perform_destroy(self, instance):
         preprint = self.get_resource()
         auth = get_user_auth(self.request)

api_tests/preprints/views/test_preprint_contributors_detail.py

@@ -1022,6 +1022,33 @@ def test_patch_permission_only(self, app, user, preprint):
         assert preprint.get_permissions(user_read_contrib) == [permissions.READ]
         assert not preprint.get_visible(user_read_contrib)
 
+    def test_patch_admin_self_initial_preprint(self, app, user, preprint):
+        new_version = PreprintFactory.create_version(
+            create_from=preprint,
+            creator=user,
+            final_machine_state='initial',
+            is_published=False,
+            set_doi=False
+        )
+
+        contrib_id = f'{new_version._id}-{user._id}'
+        data = {
+            'data': {
+                'id': contrib_id,
+                'type': 'contributors',
+                'attributes': {
+                    'permission': permissions.WRITE,
+                    'bibliographic': True
+                }
+            }
+        }
+        url = f'/{API_BASE}preprints/{new_version._id}/contributors/{user._id}/'
+        res = app.patch_json_api(url, data, auth=user.auth, expect_errors=True)
+        assert res.status_code == 400
+
+        new_version.reload()
+        assert permissions.ADMIN in new_version.get_permissions(user)
+
 
 @pytest.mark.django_db
 class TestPreprintContributorDelete:
@@ -1190,6 +1217,28 @@ def test_remove_self_contributor_not_unique_admin(
             preprint.reload()
             assert user not in preprint.contributors
 
+    def test_remove_self_creator_not_unique_admin_initial_preprint(
+            self, app, user, user_write_contrib, preprint):
+        new_version = PreprintFactory.create_version(
+            create_from=preprint,
+            creator=user,
+            final_machine_state='initial',
+            is_published=False,
+            set_doi=False
+        )
+
+        new_version.add_permission(
+            user_write_contrib,
+            permissions.ADMIN,
+            save=True
+        )
+        assert len(new_version.contributors) == 2
+        assert new_version.creator_id == user.id
+
+        url = f'/{API_BASE}preprints/{new_version._id}/contributors/{user._id}/'
+        res = app.delete(url, auth=user.auth, expect_errors=True)
+        assert res.status_code == 400
+
     # @assert_logs(PreprintLog.CONTRIB_REMOVED, 'preprint')
     def test_can_remove_self_as_contributor_not_unique_admin(
             self, app, user_write_contrib, preprint, url_user_write_contrib):

osf_tests/test_draft_registration.py

@@ -571,6 +571,33 @@ def test_update_contributor(self, draft_registration, auth):
         assert draft_registration.get_permissions(new_contrib) == [READ]
         assert draft_registration.get_visible(new_contrib) is False
 
+    def test_remove_admin_permission(self, draft_registration, auth):
+        admin_user = auth.user
+        assert len(draft_registration.contributors) == 1
+        assert draft_registration.has_permission(admin_user, ADMIN) is True
+
+        with pytest.raises(DraftRegistrationStateError) as exc_info:
+            draft_registration.update_contributor(
+                admin_user,
+                WRITE,
+                draft_registration.get_visible(admin_user),
+                auth=auth
+            )
+        assert str(exc_info.value) == f"{admin_user.fullname} is the only admin."
+
+        # user should be able to remove their own admin permission if there're 2+ admin contributors
+        new_contrib = factories.AuthUserFactory()
+        draft_registration.add_contributor(new_contrib, permissions=ADMIN, auth=auth)
+        assert draft_registration.has_permission(new_contrib, ADMIN) is True
+
+        draft_registration.update_contributor(
+            admin_user,
+            WRITE,
+            draft_registration.get_visible(admin_user),
+            auth=auth,
+        )
+        assert draft_registration.has_permission(admin_user, ADMIN) is False
+
     def test_update_contributor_non_admin_raises_error(self, draft_registration, auth):
         non_admin = factories.AuthUserFactory()
         draft_registration.add_contributor(

tests/test_preprints.py

@@ -2739,69 +2739,3 @@ def test_ember_redirect_to_versioned_guid(self):
         location_with_no_guid = res.location.replace(guid_with_version, '')
         # check if location has not wrong format https://osf.io/preprints/socarxiv/3rhyz/3rhyz_v1
         assert location_with_no_guid == location_with_no_guid.replace(guid_with_no_version, '')
-
-@pytest.mark.django_db
-class TestPreprintCreatorStateChangings:
-
-    @pytest.fixture()
-    def creator(self):
-        return AuthUserFactory()
-
-    @pytest.fixture()
-    def unpublished_preprint_pre_mod(self):
-        return PreprintFactory(reviews_workflow='pre-moderation', is_published=False)
-
-    def test_preprint_initial_creator_removal(self, creator, unpublished_preprint_pre_mod):
-        new_version = PreprintFactory.create_version(
-            create_from=unpublished_preprint_pre_mod,
-            creator=creator,
-            final_machine_state='initial',
-            is_published=False,
-            set_doi=False
-        )
-        request = RequestFactory().delete('/fake_path')
-        request.user = creator
-        request.query_params = {}
-        request.parser_context = {
-            'kwargs': {
-                'preprint_id': new_version._id,
-                'user_id': creator._id
-            },
-        }
-        view = PreprintContributorDetail()
-        view = setup_view(view, request, preprint_id=new_version._id, user_id=creator._id)
-        try:
-            view.perform_destroy(request)
-        except Exception as error:
-            assert error.args[0] == ('You cannot delete yourself at this time. '
-                                     'Have another admin contributor do that after you’ve submitted your preprint')
-        else:
-            assert False
-
-    def test_preprint_initial_creator_update(self, creator, unpublished_preprint_pre_mod):
-        new_version = PreprintFactory.create_version(
-            create_from=unpublished_preprint_pre_mod,
-            creator=creator,
-            final_machine_state='initial',
-            is_published=False,
-            set_doi=False
-        )
-        request = RequestFactory().patch('/fake_path')
-        request.user = creator
-        request.query_params = {}
-        request.parser_context = {
-            'kwargs': {
-                'preprint_id': new_version._id,
-                'user_id': creator._id
-            },
-        }
-        view = PreprintContributorDetail()
-        view = setup_view(view, request, preprint_id=new_version._id, user_id=creator._id)
-        try:
-            view.patch(request)
-        except Exception as error:
-            assert error.args[0] == ('You cannot change your permission setting at this time. '
-                                     'Have another admin contributor edit your permission '
-                                     'after you’ve submitted your preprint')
-        else:
-            assert False