* writes test for sharing using the API
* fixes bug on frontend form where an exception occurred on generating a new API token if no token existed yet
* adds permission constraint (default group) for using the api in general
* fixes default-group-only behaviour for sharing-API, so users can only add new users and not remove them, as long as they do not have any other group membership like registration or conservation office
* changes 'ksptoken' to 'Ksptoken' to match CGI standard for http header keys
This commit is contained in:
2022-01-27 14:48:42 +01:00
parent 6deff28389
commit 1b0ab1be07
8 changed files with 201 additions and 6 deletions


@@ -18,6 +18,7 @@ from compensation.models import EcoAccount
from ema.models import Ema
from intervention.models import Intervention
from konova.utils.message_templates import DATA_UNSHARED
from konova.utils.user_checks import is_default_group_only
from user.models import User
@@ -39,6 +40,8 @@ class AbstractAPIView(View):
try:
# Fetch the proper user from the given request header token
self.user = APIUserToken.get_user_from_token(request.headers.get(KSP_TOKEN_HEADER_IDENTIFIER, None))
if not self.user.is_default_user():
raise PermissionError("Default permissions required")
except PermissionError as e:
return self.return_error_response(e, 403)
return super().dispatch(request, *args, **kwargs)
@@ -240,6 +243,15 @@ class AbstractModelShareAPIView(AbstractAPIView):
new_users_objs = []
for user in new_users:
new_users_objs.append(User.objects.get(username=user))
if is_default_group_only(self.user):
# Default only users are not allowed to remove other users from having access. They can only add new ones!
new_users_to_be_added = User.objects.filter(
username__in=new_users
).exclude(
id__in=obj.shared_users
)
new_users_objs = obj.shared_users.union(new_users_to_be_added)
obj.share_with_list(new_users_objs)
return True
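Review bot: In the default-only branch the list built by the `for user in new_users` loop just above it is discarded and rebuilt by the `filter(...).exclude(...)` queryset, so for such users that loop's only remaining effect is one `User.objects.get` query per submitted name and a `User.DoesNotExist` on an unknown name. If that exception is the intended validation of the untrusted username list, say so, `# one get() per name: also rejects unknown usernames before any sharing change`, since `filter(username__in=...)` would otherwise silently drop them; if it is not, move the loop into an `else:` branch so the two paths do not duplicate work. The two branches also hand `share_with_list` different types, a plain list versus the QuerySet returned by `union()` (which cannot be filtered further), and `exclude(id__in=obj.shared_users)` only works as written if `shared_users` is a QuerySet, which I cannot confirm from the hunk. The enclosing method starts outside the hunk.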