From 6c31b8fb3033f1cd9f559c43cef0752b63f6a21b Mon Sep 17 00:00:00 2001
From: Tom Hacohen
Date: Wed, 27 May 2020 16:59:24 +0300
Subject: [PATCH] CollectionItemView: disallow normal item creation

People should only use transaction/batch
---
 django_etesync/views.py | 18 ++----------------
 1 file changed, 2 insertions(+), 16 deletions(-)

diff --git a/django_etesync/views.py b/django_etesync/views.py
index 38919a8..1ba5fd1 100644
--- a/django_etesync/views.py
+++ b/django_etesync/views.py
@@ -222,22 +222,8 @@ class CollectionItemViewSet(BaseViewSet):
 return context
 def create(self, request, collection_uid=None):
- collection_object = get_object_or_404(self.get_collection_queryset(Collection.objects), uid=collection_uid)
-
- # FIXME: change this to also support bulk update, or have another endpoint for that.
- # See https://www.django-rest-framework.org/api-guide/serializers/#customizing-multiple-update
- many = isinstance(request.data, list)
- serializer = self.serializer_class(data=request.data, many=many)
- if serializer.is_valid():
- try:
- serializer.save(collection=collection_object)
- except IntegrityError:
- content = {'code': 'integrity_error'}
- return Response(content, status=status.HTTP_400_BAD_REQUEST)
-
- return Response({}, status=status.HTTP_201_CREATED)
-
- return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+ # We create using batch and transaction
+ return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
 def destroy(self, request, collection_uid=None, uid=None):
 # We can't have destroy because we need to get data from the user (in the body) such as hmac.
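Review bot: The new `create` body answers with a bare `Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)`, so a client that still POSTs items here gets an empty 405 with no pointer to the batch/transaction endpoints, and because `create` stays defined, a router-registered viewset will presumably keep listing POST in its `Allow` header and OPTIONS output. Raising DRF's own exception (imported from `rest_framework.exceptions`) keeps the error shape consistent with other API errors and carries the reason: `raise MethodNotAllowed(request.method, detail='Items are created via the batch and transaction endpoints')`. The enclosing class starts above the hunk and `destroy` continues below it, so it is not visible whether `update`/`partial_update` are closed the same way; if `BaseViewSet` exposes them, a direct single-item write path remains alongside batch/transaction. A regression test asserting that a POST to the item list returns 405 would pin the restriction so the direct path is not reintroduced later.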