pennlabs · minghansun1 · Mar 2, 2025 · Mar 3, 2025 · vcai122 · Mar 4, 2025
diff --git a/backend/Pipfile.lock b/backend/Pipfile.lock
diff --git a/backend/market/permissions.py b/backend/market/permissions.py
@@ -62,4 +62,7 @@ def has_permission(self, request, view):
         return request.user.is_authenticated
 
     def has_object_permission(self, request, view, obj):
-        return request.method in permissions.SAFE_METHODS or obj.user == request.user
+        if request.method in permissions.SAFE_METHODS:  # GET
+            return obj.item.seller == request.user
+
+        return obj.user == request.user
diff --git a/backend/market/serializers.py b/backend/market/serializers.py
@@ -138,6 +138,7 @@ def get_favorite_count(self, obj):
 
 # Read-only serializer for use when pulling all items/etc
 class ItemSerializerList(serializers.ModelSerializer):
+    favorite_count = serializers.SerializerMethodField()
     images = ItemImageURLSerializer(many=True)
 
     class Meta:
@@ -149,13 +150,15 @@ class Meta:
             "category",
             "title",
             "price",
-            "negotiable",
             "expires_at",
             "images",
-            "favorites",
+            "favorite_count",
         ]
         read_only_fields = fields
 
+    def get_favorite_count(self, obj):
+        return obj.favorites.count()
+
 
 class SubletSerializer(serializers.ModelSerializer):
     item = ItemSerializer(required=True)

diff --git a/backend/market/urls.py b/backend/market/urls.py
@@ -8,10 +8,11 @@
     Favorites,
     Items,
     Offers,
+    OffersMade,
+    OffersReceived,
     Sublets,
     Tags,
     UserFavorites,
-    UserOffers,
 )
 
 
@@ -29,7 +30,9 @@
     # All favorites for user
     path("favorites/", UserFavorites.as_view(), name="user-favorites"),
     # All offers made by user
-    path("offers/", UserOffers.as_view(), name="user-offers"),
+    path("offers/made/", OffersMade.as_view(), name="offers-made"),
+    # All offers for an item owned by user
+    path("offers/received/", OffersReceived.as_view(), name="offers-received"),
     # Favorites
     # post: add an item to the user's favorites
     # delete: remove an item from the user's favorites

diff --git a/backend/market/views.py b/backend/market/views.py
@@ -55,15 +55,24 @@ def get_queryset(self):
 
 
 # TODO: Can add feature to filter for active offers only
-class UserOffers(generics.ListAPIView):
+class OffersMade(generics.ListAPIView):
     serializer_class = OfferSerializer
-    permission_classes = [IsAuthenticated]
+    permission_classes = [IsAuthenticated | IsSuperUser]
 
     def get_queryset(self):
         user = self.request.user
         return Offer.objects.filter(user=user)
 
 
+class OffersReceived(generics.ListAPIView):
+    serializer_class = OfferSerializer
+    permission_classes = [IsAuthenticated | IsSuperUser]
+
+    def get_queryset(self):
+        user = self.request.user
+        return Offer.objects.filter(item__seller=user)
+
+
 class Items(viewsets.ModelViewSet):
     """
     list:
@@ -299,5 +308,6 @@ def destroy(self, request, *args, **kwargs):
     def list(self, request, *args, **kwargs):
         if not Item.objects.filter(pk=int(self.kwargs["item_id"])).exists():
             raise exceptions.NotFound("No Item matches the given query")
-        self.check_object_permissions(request, Item.objects.get(pk=int(self.kwargs["item_id"])))
+        for offer in self.get_queryset():
+            self.check_object_permissions(request, offer)
         return super().list(request, *args, **kwargs)
diff --git a/backend/tests/market/test_market.py b/backend/tests/market/test_market.py
@@ -151,6 +151,10 @@ def setUp(self):
             user=user1, item=Item.objects.get(id=5), email="[email protected]"
         )
         created_offer_3.save()
+        created_offer_4 = Offer.objects.create(
+            user=self.user, item=Item.objects.get(id=4), email="[email protected]"
+        )
+        created_offer_4.save()
 
         storage_mock = MagicMock(spec=Storage, name="StorageMock")
         storage_mock.generate_filename = lambda filename: filename
@@ -169,10 +173,9 @@ def test_get_items(self):
                 "category": "Book",
                 "title": "Math Textbook",
                 "price": 20.0,
-                "negotiable": True,
                 "expires_at": "2025-12-12T00:00:00-05:00",
                 "images": [],
-                "favorites": [1],
+                "favorite_count": 1,
             },
             {
                 "id": 2,
@@ -181,10 +184,9 @@ def test_get_items(self):
                 "category": "Food",
                 "title": "Bag of Doritos",
                 "price": 5.0,
-                "negotiable": False,
                 "expires_at": "2025-10-12T01:00:00-04:00",
                 "images": [],
-                "favorites": [1],
+                "favorite_count": 1,
             },
             {
                 "id": 3,
@@ -193,10 +195,9 @@ def test_get_items(self):
                 "category": "Electronics",
                 "title": "Macbook Pro",
                 "price": 2000.0,
-                "negotiable": True,
                 "expires_at": "2025-08-12T01:00:00-04:00",
                 "images": [],
-                "favorites": [1],
+                "favorite_count": 1,
             },
             {
                 "id": 4,
@@ -205,10 +206,9 @@ def test_get_items(self):
                 "category": "Furniture",
                 "title": "Couch",
                 "price": 400.0,
-                "negotiable": True,
                 "expires_at": "2025-12-12T00:00:00-05:00",
                 "images": [],
-                "favorites": [],
+                "favorite_count": 0,
             },
         ]
         self.assertEqual(response.status_code, 200)
@@ -217,6 +217,24 @@ def test_get_items(self):
             sorted(expected_response, key=lambda d: d["id"]),
         )
 
+    def test_get_item_seller(self):
+        response = self.client.get("/market/items/?seller=true")
+        expected_response = [
+            {
+                "id": 1,
+                "seller": 1,
+                "tags": ["Textbook", "Used"],
+                "category": "Book",
+                "title": "Math Textbook",
+                "price": 20.0,
+                "expires_at": "2025-12-12T00:00:00-05:00",
+                "images": [],
+                "favorite_count": 1,
+            }
+        ]
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.json(), expected_response)
+
     def test_get_single_item_own(self):
         response = self.client.get("/market/items/1/")
         response_without_created_at = response.json().copy()
@@ -367,6 +385,20 @@ def test_create_item_exclude_unrequired(self):
             datetime.timedelta(minutes=10),
         )
 
+    def test_create_item_missing_filed(self):
+        payload = {
+            "tags": ["New"],
+            "category": "Book",
+            "external_link": "https://example.com/listing",
+            "price": 20.0,
+            "negotiable": True,
+            "expires_at": "2024-12-12T00:00:00-05:00",
+        }
+        response = self.client.post("/market/items/", payload)
+        res_json = json.loads(response.content)
+        self.assertEqual(response.status_code, 400)
+        self.assertEqual(res_json, {"title": ["This field is required."]})
+
     def test_create_item_invalid_category(self):
         payload = {
             "tags": ["New"],
@@ -622,10 +654,9 @@ def test_get_sublets(self):
                     "category": "Sublet",
                     "title": "Cira Green Sublet",
                     "price": 1350.0,
-                    "negotiable": False,
                     "expires_at": "2025-12-12T00:00:00-05:00",
                     "images": [],
-                    "favorites": [],
+                    "favorite_count": 0,
                 },
                 "address": "Cira Green, Philadelphia, PA",
                 "beds": 3.0,
@@ -642,10 +673,9 @@ def test_get_sublets(self):
                     "category": "Sublet",
                     "title": "Rodin Quad",
                     "price": 1350.0,
-                    "negotiable": False,
                     "expires_at": "2025-12-12T00:00:00-05:00",
                     "images": [],
-                    "favorites": [1],
+                    "favorite_count": 1,
                 },
                 "address": "3901 Locust Walk, Philadelphia, PA",
                 "beds": 4.0,
@@ -654,7 +684,10 @@ def test_get_sublets(self):
                 "end_date": "2025-05-31T00:00:00-04:00",
             },
         ]
-        self.assertEqual(response.json(), expected_response)
+        self.assertEqual(
+            sorted(response.json(), key=lambda d: d["id"]),
+            sorted(expected_response, key=lambda d: d["id"]),
+        )
 
     def test_get_sublet_own(self):
         response = self.client.get("/market/sublets/1/")
@@ -1134,10 +1167,9 @@ def test_get_all_user_favorites(self):
                 "category": "Book",
                 "title": "Math Textbook",
                 "price": 20.0,
-                "negotiable": True,
                 "expires_at": "2025-12-12T00:00:00-05:00",
                 "images": [],
-                "favorites": [1],
+                "favorite_count": 1,
             },
             {
                 "id": 2,
@@ -1146,10 +1178,9 @@ def test_get_all_user_favorites(self):
                 "category": "Food",
                 "title": "Bag of Doritos",
                 "price": 5.0,
-                "negotiable": False,
                 "expires_at": "2025-10-12T01:00:00-04:00",
                 "images": [],
-                "favorites": [1],
+                "favorite_count": 1,
             },
             {
                 "id": 3,
@@ -1158,10 +1189,9 @@ def test_get_all_user_favorites(self):
                 "category": "Electronics",
                 "title": "Macbook Pro",
                 "price": 2000.0,
-                "negotiable": True,
                 "expires_at": "2025-08-12T01:00:00-04:00",
                 "images": [],
-                "favorites": [1],
+                "favorite_count": 1,
             },
             {
                 "id": 6,
@@ -1170,17 +1200,16 @@ def test_get_all_user_favorites(self):
                 "category": "Sublet",
                 "title": "Rodin Quad",
                 "price": 1350.0,
-                "negotiable": False,
                 "expires_at": "2025-12-12T00:00:00-05:00",
                 "images": [],
-                "favorites": [1],
+                "favorite_count": 1,
             },
         ]
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.json(), expected_response)
 
     def test_get_all_user_offers(self):
-        response = self.client.get("/market/offers/")
+        response = self.client.get("/market/offers/made/")
         response_without_created_at = [offer.copy() for offer in response.json()]
         created_at_list = [
             datetime.datetime.fromisoformat(offer.pop("created_at"))
@@ -1204,6 +1233,56 @@ def test_get_all_user_offers(self):
                 "user": 1,
                 "item": 5,
             },
+            {
+                "id": 4,
+                "phone_number": None,
+                "email": "[email protected]",
+                "message": "",
+                "user": 1,
+                "item": 4,
+            },
+        ]
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response_without_created_at, expected_response)
+        for created_at in created_at_list:
+            self.assertLessEqual(
+                abs(created_at - datetime.datetime.now(pytz.timezone("UTC"))),
+                datetime.timedelta(minutes=1),
+            )
+
+    def test_get_all_user_offers_received(self):
+        response = self.client.get("/market/offers/received/")
+        response_without_created_at = [offer.copy() for offer in response.json()]
+        created_at_list = [
+            datetime.datetime.fromisoformat(offer.pop("created_at"))
+            for offer in response_without_created_at
+        ]
+
+        expected_response = [
+            {
+                "id": 1,
+                "phone_number": None,
+                "email": "[email protected]",
+                "message": "",
+                "user": 1,
+                "item": 1,
+            },
+            {
+                "id": 2,
+                "phone_number": None,
+                "email": "[email protected]",
+                "message": "",
+                "user": 1,
+                "item": 5,
+            },
+            {
+                "id": 3,
+                "phone_number": None,
+                "email": "[email protected]",
+                "message": "",
+                "user": 2,
+                "item": 5,
+            },
         ]
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response_without_created_at, expected_response)
@@ -1274,6 +1353,13 @@ def test_list_item_offers(self):
                 datetime.timedelta(minutes=1),
             )
 
+    def test_list_item_offers_other(self):
+        response = self.client.get("/market/items/4/offers/")
+        self.assertEqual(response.status_code, 403)
+        self.assertEqual(
+            response.json(), {"detail": "You do not have permission to perform this action."}
+        )
+
     def test_list_item_offers_invalid_item(self):
         response = self.client.get("/market/items/100/offers/")
         self.assertEqual(response.status_code, 404)
@@ -1296,7 +1382,7 @@ def test_create_offer(self):
         created_at = response_without_created_at.pop("created_at")
         created_at = datetime.datetime.fromisoformat(created_at)
         expected_response = {
-            "id": 4,
+            "id": 5,
             "phone_number": "+14252694412",
             "email": "[email protected]",
             "message": "I am interested in buying this item.",
@@ -1316,7 +1402,7 @@ def test_delete_offer(self):
         self.assertFalse(Offer.objects.filter(id=1).exists())
 
     def test_delete_offer_nonexistent(self):
-        response = self.client.delete("/market/items/4/offers/")
+        response = self.client.delete("/market/items/6/offers/")
         self.assertEqual(response.status_code, 404)
 
     def test_create_image(self):
@@ -1327,6 +1413,14 @@ def test_create_image(self):
             self.assertTrue(images.exists())
             self.assertEqual(1, images.first().item.id)
 
+    def test_create_image_other_users_item(self):
+        with open("tests/market/mock_image.jpg", "rb") as image:
+            response = self.client.post("/market/items/2/images/", {"images": image})
+            self.assertEqual(response.status_code, 403)
+            self.assertEqual(
+                response.json(), {"detail": "You do not have permission to perform this action."}
+            )
+
     def test_create_delete_images(self):
         with open("tests/market/mock_image.jpg", "rb") as image:
             with open("tests/market/mock_image.jpg", "rb") as image2: