From 78e7b5b1eccb8577c357077fc17e9a712d77d566 Mon Sep 17 00:00:00 2001
From: Conrado Costa <concosta@redhat.com>
Date: Mon, 28 Oct 2024 14:59:22 -0400
Subject: [PATCH] fix internal acls during serializer update

---
 docs/CHANGELOG.md                       |  1 +
 osidb/serializer.py                     |  9 ++++-
 osidb/tests/endpoints/test_endpoints.py | 44 +++++++++++++++++++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 740a7d355..cf2183ef8 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## Unreleased
 ### Changed
 - Add upstream references to Jira trackers on creation (OSIDB-3148)
+- Change ACL mixin serializer to support internal ACLs (OSIDB-3578)
 
 ## [4.5.2] - 2024-10-24
 ### Changed
diff --git a/osidb/serializer.py b/osidb/serializer.py
index 86be0aa69..de6adae0b 100644
--- a/osidb/serializer.py
+++ b/osidb/serializer.py
@@ -435,7 +435,14 @@ def create(self, validated_data):
         return super().create(validated_data)
 
     def update(self, instance, validated_data):
-        validated_data = self.embargoed2acls(validated_data)
+        # defaults to keep current ACLs
+        validated_data["acl_read"] = instance.acl_read
+        validated_data["acl_write"] = instance.acl_write
+
+        if instance.is_public or instance.is_embargoed:
+            # only allow manual ACL changes between embargoed and public
+            validated_data = self.embargoed2acls(validated_data)
+
         return super().update(instance, validated_data)
 
 
diff --git a/osidb/tests/endpoints/test_endpoints.py b/osidb/tests/endpoints/test_endpoints.py
index 350ff1625..ae1609c37 100644
--- a/osidb/tests/endpoints/test_endpoints.py
+++ b/osidb/tests/endpoints/test_endpoints.py
@@ -162,6 +162,50 @@ def test_flaw_update(
         assert flaw.acl_read == self.hash_acl(acl_read)
         assert flaw.acl_write == self.hash_acl(acl_write)
 
+    def test_internal_flaw_update(
+        self,
+        auth_client,
+        test_api_uri,
+    ):
+        """
+        test serializer does not change ACLs from internal flaws
+        """
+        internal_read = [
+            uuid.UUID(acl) for acl in generate_acls([settings.INTERNAL_READ_GROUP])
+        ]
+        internal_write = [
+            uuid.UUID(acl) for acl in generate_acls([settings.INTERNAL_WRITE_GROUP])
+        ]
+        flaw = FlawFactory(
+            embargoed=False,
+            acl_read=internal_read,
+            acl_write=internal_write,
+        )
+        AffectFactory(flaw=flaw)
+        assert flaw.is_internal
+
+        response = auth_client().get(f"{test_api_uri}/flaws/{flaw.uuid}")
+        assert response.status_code == 200
+        original_body = response.json()
+        assert not original_body["embargoed"]
+
+        response = auth_client().put(
+            f"{test_api_uri}/flaws/{flaw.uuid}",
+            {
+                "title": f"{flaw.title} appended test title",
+                "comment_zero": flaw.comment_zero,
+                "owner": "example@redhat.com",
+                "embargoed": False,
+                "updated_dt": flaw.updated_dt,
+            },
+            format="json",
+            HTTP_BUGZILLA_API_KEY="SECRET",
+            HTTP_JIRA_API_KEY="SECRET",
+        )
+        assert response.status_code == 200
+        flaw = Flaw.objects.get(uuid=flaw.uuid)
+        assert flaw.is_internal
+
     @freeze_time(datetime(2021, 11, 23, tzinfo=timezone.get_current_timezone()))
     def test_flaw_unembargo(self, auth_client, test_api_uri):
         """