/theater/:id POST for editing

* no api for creation yet though

flasky.py

@@ -189,6 +189,9 @@ def list_theaters(group=None):
 @app.route('/theater/<string:theater_id>/', methods=['GET', 'POST'])
 @crossdomain(origin='*')
 def get_theater(theater_id):
+    '''
+    TODO: cannot add theater yet
+    '''
     if request.method == 'GET':
         result = db.theater.find_one({'_id': bson.objectid.ObjectId(theater_id)})
         r = make_response(dumps(result, default=miscObjHandler))
@@ -202,9 +205,20 @@ def get_theater(theater_id):
         abort(400)
     try:
         key = {'_id': bson.objectid.ObjectId(theater_id)}
-        ## TODO: better verify if group/code is still the same
-        #        otherwise things could get worse w/o any proof before updating
-        result = db.theater.update(key, {'$set': request.json}, False)
+        prev = db.theater.find_one(key)
+        if not prev:
+            abort(500)
+        is_allowed = True
+        for k in ['code', 'group', 'name']:
+            if request.json[k] != prev[k]:
+                is_allowed = False
+        if is_allowed:
+            result = db.theater.update(key, {'$set': request.json}, False)
+        else:
+            result = {  # mimicking mongo update result for consistency
+                'updatedExisting': False, 'ok': 0, 'nModified': 0,
+                'error': "cannot alter mandatory fields",
+            }
         r = make_response(dumps(result, default=miscObjHandler))
         r.mimetype = 'application/json'
         return r

pip_requirements.txt

@@ -2,3 +2,5 @@ requests==2.4.0
 tornado>=4.0
 flask
 python-dateutil
+pymongo
+simplejson