[FIX] Security: authorized for api.

gargantext/views/api/nodes.py

@@ -78,6 +78,11 @@ class Status(APIView):
     '''API endpoint that represent the current status of the node'''
     renderer_classes = (JSONRenderer, BrowsableAPIRenderer)
     def get(self, request, node_id):
+
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
+
         user = cache.User[request.user.id]
         check_rights(request, node_id)
         node = session.query(Node).filter(Node.id == node_id, Node.user_id== user.id).first()
@@ -92,9 +97,19 @@ class Status(APIView):
             return Response(context)
     def post(self, request, data):
         '''create a new status for node'''
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
+
         raise NotImplementedError
+    
     def put(self, request, data):
         '''update status for node'''
+        
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
+
         user = cache.User[request.user.id]
         check_rights(request, node_id)
         node = session.query(Node).filter(Node.id == node_id).first()
@@ -105,6 +120,11 @@ class Status(APIView):
 
     def delete(self, request):
         '''delete status for node'''
+
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
+
         user = cache.User[request.user.id]
         check_rights(request, node_id)
         node = session.query(Node).filter(Node.id == node_id).first()
@@ -122,6 +142,11 @@ class NodeListResource(APIView):
     def get(self, request):
         """Displays the list of nodes corresponding to the query.
         """
+
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
+
         parameters, query, count = _query_nodes(request)
 
         if parameters['formated'] == 'json':
@@ -165,10 +190,15 @@ class NodeListResource(APIView):
         """
 
 
+
     def delete(self, request):
         """Removes the list of nodes corresponding to the query.
         TODO : Should be a delete method!
         """
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
+
         parameters = get_parameters(request)
         parameters = validate(parameters, {'ids': list} )
         try :
@@ -196,6 +226,11 @@ class NodeListHaving(APIView):
     2016-09: add total counts to output json
     '''
     def get(self, request, corpus_id):
+
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
+
         parameters = get_parameters(request)
         parameters = validate(parameters, {'score': str, 'ngram_ids' : list} )
 
@@ -261,6 +296,11 @@ class NodeResource(APIView):
 
     # contains a check on user.id (within _query_nodes)
     def get(self, request, node_id):
+
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
+
         parameters, query, count = _query_nodes(request, node_id)
         if not len(query):
             raise Http404()
@@ -271,6 +311,11 @@ class NodeResource(APIView):
 
     # contains a check on user.id (within _query_nodes)
     def delete(self, request, node_id):
+
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
+
         parameters, query, count = _query_nodes(request, node_id)
         if not len(query):
             raise Http404()
@@ -293,6 +338,11 @@ class NodeResource(APIView):
         TODO 1 factorize with .projects.ProjectView.put and .post (thx c24b)
         TODO 2 allow other changes than name
         """
+
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
+
         # contains a check on user.id (within _query_nodes)
         parameters, query, count = _query_nodes(request, node_id)
 
@@ -365,6 +415,11 @@ class CorpusFavorites(APIView):
         (will test if docs 53 and 54 are among the favorites of corpus 2)
         (returns the intersection of fav docs with [53,54])
         """
+        
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
+        
         fav_node = self._get_fav_node(corpus_id)
 
         req_params = validate(
@@ -516,6 +571,11 @@ class CorpusFacet(APIView):
     def get(self, request, node_id):
         # check that the node is a corpus
         #   ? faster from cache than: corpus = session.query(Node)...
+
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
+
         corpus = cache.Node[node_id]
         if corpus.typename != 'CORPUS':
             raise ValidationException(

graph/bridgeness.py

@@ -7,6 +7,9 @@ from collections              import defaultdict
 from networkx.readwrite           import json_graph
 
 def filterByBridgeness(G,partition,ids,weight,bridgeness,type,field1,field2):
+    '''
+    What is bridgeness ?
+    '''
     # Data are stored in a dict(), (== hashmap by default for Python)
     data = dict()
     if type == "node_link":

graph/graph.py

@@ -71,8 +71,8 @@ def get_graph( request=None         , corpus=None
             return {'state': "mapListError", "length" : mapList_size}
 
 
-        # case of corpus not big enough
-        # ==============================
+        # Instantiate query for case of corpus not big enough
+        # ===================================================
         corpus_size_query = (session.query(Node)
                                     .filter(Node.typename=="DOCUMENT")
                                     .filter(Node.parent_id == corpus.id)

graph/rest.py

@@ -56,7 +56,6 @@ def format_html(link):
 
 
 # TODO check authentication
-
 class Graph(APIView):
     '''
     REST part for graphs.
@@ -69,6 +68,10 @@ class Graph(APIView):
         graph?field1=ngrams&field2=ngrams&start=''&end=''
         '''
 
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
+
         # Get the node we are working with
         corpus = session.query(Node).filter(Node.id==corpus_id).first()
 

templates/pages/corpora/myGraphs.html

@@ -37,7 +37,7 @@
                                         <li>From: {% if not  cooc.hyperdata.start  %} begin of corpus {% else %} {{cooc.hyperdata.start}} {% endif %}
                                             , To:   {% if not  cooc.hyperdata.end    %} end   of corpus {% else %} {{cooc.hyperdata.end}}   {% endif %}
                                         </li>
-                                        <li> {{ value }} nodes with distances:
+                                        <li> ~{{ value }} nodes with distances:
                                             <ul>
                                                 <li>
                                                 <a href="/projects/{{project.id}}/corpora/{{corpus.id}}/explorer?cooc_id={{cooc.id}}&distance=distributional&bridgeness=5">