Merge branch 'ziotom78:master' into master

CHANGELOG.md

@@ -1,5 +1,9 @@
 # HEAD
 
+# Version 2.0.2
+
+-   Make sure that unauthorized users cannot browse the contents of the database [#128](https://github.com/ziotom78/instrumentdb/pull/128)
+
 # Version 2.0.1
 
 -   Make the links in the top bar active when appropriate [#125](https://github.com/ziotom78/instrumentdb/pull/125)

browse/views.py

@@ -76,7 +76,7 @@ def entity_tree_view(request):
     )
 
 
-class EntityView(DetailView):
+class EntityView(LoginRequiredMixin, DetailView):
     model = Entity
 
     def get_context_data(self, **kwargs):
@@ -92,7 +92,7 @@ def get_context_data(self, **kwargs):
 ###########################################################################
 
 
-class QuantityView(DetailView):
+class QuantityView(LoginRequiredMixin, DetailView):
     model = Quantity
 
     def get_context_data(self, **kwargs):
@@ -108,7 +108,7 @@ def get_context_data(self, **kwargs):
 ###########################################################################
 
 
-class DataFileView(DetailView):
+class DataFileView(LoginRequiredMixin, DetailView):
     model = DataFile
 
     def get_context_data(self, **kwargs):
@@ -121,11 +121,11 @@ def get_context_data(self, **kwargs):
         return context
 
 
-class FormatSpecificationListView(ListView):
+class FormatSpecificationListView(LoginRequiredMixin, ListView):
     model = FormatSpecification
 
 
-class FormatSpecificationDownloadView(View):
+class FormatSpecificationDownloadView(LoginRequiredMixin, View):
     def get(self, request, pk):
         "Allow the user to download a data file"
 
@@ -148,7 +148,7 @@ def get(self, request, pk):
         return resp
 
 
-class DataFileDownloadView(View):
+class DataFileDownloadView(LoginRequiredMixin, View):
     def get(self, request, pk):
         "Allow the user to download a data file"
 
@@ -169,7 +169,7 @@ def get(self, request, pk):
         return resp
 
 
-class DataFilePlotDownloadView(View):
+class DataFilePlotDownloadView(LoginRequiredMixin, View):
     def get(self, request, pk):
         "Allow the user to download the plot associated with a data file"
 
@@ -191,26 +191,24 @@ def get(self, request, pk):
         return resp
 
 
-class ReleaseDocumentDownloadView(View):
-    def get(self, request, pk):
-        "Allow the user to download a release document"
-
-        cur_object = get_object_or_404(Release, pk=pk)
-        release_document_data = cur_object.release_document
+@login_required
+def download_release_document(request, pk):
+    cur_object = get_object_or_404(Release, pk=pk)
+    release_document_data = cur_object.release_document
 
-        try:
-            release_document_data.open()
-        except ValueError:
-            raise Http404("The release document was not uploaded to the database")
+    try:
+        release_document_data.open()
+    except ValueError:
+        raise Http404("The release document was not uploaded to the database")
 
-        data = release_document_data.read()
-        resp = HttpResponse(data, content_type=cur_object.release_document_mime_type)
+    data = release_document_data.read()
+    resp = HttpResponse(data, content_type=cur_object.release_document_mime_type)
 
-        resp["Content-Disposition"] = 'filename="{name}{ext}"'.format(
-            name=cur_object.tag,
-            ext=mimetypes.guess_extension(cur_object.release_document_mime_type),
-        )
-        return resp
+    resp["Content-Disposition"] = 'filename="{name}{ext}"'.format(
+        name=cur_object.tag,
+        ext=mimetypes.guess_extension(cur_object.release_document_mime_type),
+    )
+    return resp
 
 
 ###########################################################################
@@ -222,7 +220,7 @@ class ReleaseListView(LoginRequiredMixin, ListView):
     ordering = ["-tag"]
 
 
-class ReleaseView(DetailView):
+class ReleaseView(LoginRequiredMixin, DetailView):
     model = Release
 
     def get_context_data(self, **kwargs):
@@ -235,7 +233,7 @@ def get_context_data(self, **kwargs):
         return context
 
 
-class ReleaseDownloadView(View):
+class ReleaseDownloadView(LoginRequiredMixin, View):
     def get(self, request, pk):
         "Allow the user to download a release JSON file"
 
@@ -384,6 +382,9 @@ def navigate_tree_of_entities(url_components: List[str]) -> Entity:
     # `/tree/satellite//telescope/cad`.)
     url_components = [x for x in url_components if x != ""]
 
+    if not url_components:
+        raise Http404("Empty path to entity")
+
     matching_entries = Entity.objects.filter(name=url_components[0])
 
     # We are looking for a root node

instrumentdb/__init__.py

@@ -1 +1 @@
-__version__ = "2.0.1"
+__version__ = "2.0.2"

instrumentdb/urls.py

@@ -31,7 +31,7 @@
     FormatSpecificationListView,
     FormatSpecificationDownloadView,
     QuantityView,
-    ReleaseDocumentDownloadView,
+    download_release_document,
     ReleaseListView,
     ReleaseView,
     UserViewSet,
@@ -101,7 +101,7 @@
     ),
     path(
         "browse/releases/<pk>/document/",
-        ReleaseDocumentDownloadView.as_view(),
+        download_release_document,
         name="release-document-download-view",
     ),
     path(

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "instrumentdb"
-version = "2.0.1"
+version = "2.0.2"
 description = ""
 authors = ["Maurizio Tomasi <[email protected]>"]
 
@@ -14,7 +14,7 @@ django-filter = "^2.2.0"
 pyyaml = "^6.0.0"
 django-mptt = "^0.14.0"
 drf-yasg = "^1.21.7"
-gitpython = "^3.1.37"
+gitpython = "^3.1.41"
 envparse = "^0.2.0"
 sphinx = "^5.1.1"
 django-sslserver = "^0.22"

tests/test_webapi.py

@@ -34,6 +34,7 @@ def _create_test_user_and_authenticate(client, superuser: bool):
         )
 
     client.force_authenticate(user=test_user)
+    return test_user
 
 
 def create_format_spec(client, document_ref):
@@ -139,7 +140,9 @@ def create_release_spec(client, tag, comment="", data_files=[]):
 
 class FormatSpecificationTests(APITestCase):
     def setUp(self) -> None:
-        _create_test_user_and_authenticate(client=self.client, superuser=True)
+        self.user = _create_test_user_and_authenticate(
+            client=self.client, superuser=True
+        )
 
     def test_create_format_spec(self):
         """
@@ -157,7 +160,9 @@ def test_create_format_spec(self):
 
 class EntityTests(APITestCase):
     def setUp(self) -> None:
-        _create_test_user_and_authenticate(client=self.client, superuser=True)
+        self.user = _create_test_user_and_authenticate(
+            client=self.client, superuser=True
+        )
 
     def test_create_entity(self):
         """
@@ -233,7 +238,9 @@ def test_look_for_nonexistent_quantity(self):
 
 class QuantityTests(APITestCase):
     def setUp(self):
-        _create_test_user_and_authenticate(client=self.client, superuser=True)
+        self.user = _create_test_user_and_authenticate(
+            client=self.client, superuser=True
+        )
 
         self.formatspec_response = create_format_spec(self.client, "DUMMY_REF_001")
         self.assertEqual(self.formatspec_response.status_code, status.HTTP_201_CREATED)
@@ -272,7 +279,9 @@ def test_look_for_nonexistent_quantity(self):
 
 class DataFileTests(APITestCase):
     def setUp(self):
-        _create_test_user_and_authenticate(client=self.client, superuser=True)
+        self.user = _create_test_user_and_authenticate(
+            client=self.client, superuser=True
+        )
 
         self.formatspec_response = create_format_spec(self.client, "DUMMY_REF_001")
         self.assertEqual(self.formatspec_response.status_code, status.HTTP_201_CREATED)
@@ -338,7 +347,9 @@ def test_create_datafile_with_wrong_metadata(self):
 
 class ReleaseTests(APITestCase):
     def setUp(self):
-        _create_test_user_and_authenticate(client=self.client, superuser=True)
+        self.user = _create_test_user_and_authenticate(
+            client=self.client, superuser=True
+        )
 
         self.formatspec_response = create_format_spec(self.client, "DUMMY_REF_001")
         self.entity_response = create_entity_spec(self.client, "test_entity")
@@ -359,6 +370,8 @@ def test_create_release(self):
         """
         Ensure we can create a new Release object.
         """
+        self.client.force_login(self.user)
+
         response = create_release_spec(self.client, "v1.0")
 
         # Check the result of the POST call
@@ -395,7 +408,7 @@ def test_create_release(self):
 
         # Download the release document
 
-        response = self.client.get("/browse/releases/v1.0/document/")
+        response = self.client.get("/browse/releases/v1.0/document/", follow=True)
         self.assertEqual(response.content, b"Contents of the release document")