Prevent administrating own lending request

lego/apps/lending/serializers.py

@@ -180,6 +180,8 @@ def validate(self, attrs):
         - If it is a create request, status must be "unapproved".
         - If it is an edit request, and the user does NOT have 'edit' permission
           on the LendableObject, the status can only be "cancelled" or "unapproved".
+        - If it is an edit request and it is the requesting users own lendingrequest
+          the status cannot be "approved", "unapproved", "denied" or "changes_requested"
         """
         attrs = super().validate(attrs)
 
@@ -241,13 +243,17 @@ def validate(self, attrs):
                     raise serializers.ValidationError(
                         {"status": ("You cannot cancel someone else's request.. ")}
                     )
-                if (
-                    self.instance.created_by == user
-                    and new_status
-                    == LENDING_REQUEST_STATUSES["LENDING_APPROVED"]["value"]
-                ):
+                if self.instance.created_by == user and new_status in [
+                    LENDING_REQUEST_STATUSES[status]["value"]
+                    for status in (
+                        "LENDING_APPROVED",
+                        "LENDING_UNAPPROVED",
+                        "LENDING_DENIED",
+                        "LENDING_CHANGES_REQUESTED",
+                    )
+                ]:
                     raise serializers.ValidationError(
-                        {"status": ("You cannot approve your own request.. ")}
+                        {"status": (f"You cannot set {new_status} on your own request.. ")}
                     )
 
         return attrs

lego/apps/lending/tests/test_lendingrequest_api.py

@@ -531,18 +531,20 @@ def test_non_creator_cannot_cancel_request(self):
             "You cannot cancel someone else's request", patch_response.data["status"][0]
         )
 
-    def test_user_cant_approve_own_request(self):
-        """User should not be able to approve own request"""
+    def test_user_cannot_set_admin_only_statuses_on_own_request(self):
+        """User should not be able to set certain statuses if its their own request"""
         self.client.force_authenticate(user=self.creator_user)
-        patch_data = {"status": "approved"}
-        patch_response = self.client.patch(
-            get_lending_request_detail_url(self.request_id), patch_data
-        )
-        self.assertEqual(patch_response.status_code, status.HTTP_400_BAD_REQUEST)
-        self.assertIn("status", patch_response.data)
-        self.assertIn(
-            "You cannot approve your own request", patch_response.data["status"][0]
-        )
+
+        for s in ("approved", "unapproved", "denied", "changes_requested"):
+            patch_data = {"status": s}
+            patch_response = self.client.patch(
+                get_lending_request_detail_url(self.request_id), patch_data
+            )
+            self.assertEqual(patch_response.status_code, status.HTTP_400_BAD_REQUEST)
+            self.assertIn("status", patch_response.data)
+            self.assertIn(
+                f"You cannot set {s} on your own request", patch_response.data["status"][0]
+            )
 
     def test_creation_creates_system_linelineentry(self):
         """