[FIX] Security: authorized for api.

12a3283b · delanoe · 45e9d3f3 · 12a3283b · 12a3283b · 12a3283b
Commit 12a3283b authored Sep 21, 2016 by delanoe
Showing with 70 additions and 4 deletions

nodes.py gargantext/views/api/nodes.py +60 -0

bridgeness.py graph/bridgeness.py +3 -0

graph.py graph/graph.py +2 -2

rest.py graph/rest.py +4 -1

myGraphs.html templates/pages/corpora/myGraphs.html +1 -1

No files found.
--- a/gargantext/views/api/nodes.py
+++ b/gargantext/views/api/nodes.py
@@ -78,6 +78,11 @@ class Status(APIView):
    '''API endpoint that represent the current status of the node'''
    renderer_classes = (JSONRenderer, BrowsableAPIRenderer)
    def get(self, request, node_id):
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
        user = cache.User[request.user.id]
        check_rights(request, node_id)
        node = session.query(Node).filter(Node.id == node_id, Node.user_id== user.id).first()
@@ -92,9 +97,19 @@ class Status(APIView):
            return Response(context)
    def post(self, request, data):
        '''create a new status for node'''
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
        raise NotImplementedError
    def put(self, request, data):
        '''update status for node'''
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
        user = cache.User[request.user.id]
        check_rights(request, node_id)
        node = session.query(Node).filter(Node.id == node_id).first()
@@ -105,6 +120,11 @@ class Status(APIView):
    def delete(self, request):
        '''delete status for node'''
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
        user = cache.User[request.user.id]
        check_rights(request, node_id)
        node = session.query(Node).filter(Node.id == node_id).first()
@@ -122,6 +142,11 @@ class NodeListResource(APIView):
    def get(self, request):
        """Displays the list of nodes corresponding to the query.
        """
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
        parameters, query, count = _query_nodes(request)
        if parameters['formated'] == 'json':
@@ -165,10 +190,15 @@ class NodeListResource(APIView):
        """
    def delete(self, request):
        """Removes the list of nodes corresponding to the query.
        TODO : Should be a delete method!
        """
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
        parameters = get_parameters(request)
        parameters = validate(parameters, {'ids': list} )
        try :
@@ -196,6 +226,11 @@ class NodeListHaving(APIView):
    2016-09: add total counts to output json
    '''
    def get(self, request, corpus_id):
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
        parameters = get_parameters(request)
        parameters = validate(parameters, {'score': str, 'ngram_ids' : list} )
@@ -261,6 +296,11 @@ class NodeResource(APIView):
    # contains a check on user.id (within _query_nodes)
    def get(self, request, node_id):
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
        parameters, query, count = _query_nodes(request, node_id)
        if not len(query):
            raise Http404()
@@ -271,6 +311,11 @@ class NodeResource(APIView):
    # contains a check on user.id (within _query_nodes)
    def delete(self, request, node_id):
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
        parameters, query, count = _query_nodes(request, node_id)
        if not len(query):
            raise Http404()
@@ -293,6 +338,11 @@ class NodeResource(APIView):
        TODO 1 factorize with .projects.ProjectView.put and .post (thx c24b)
        TODO 2 allow other changes than name
        """
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
        # contains a check on user.id (within _query_nodes)
        parameters, query, count = _query_nodes(request, node_id)
@@ -365,6 +415,11 @@ class CorpusFavorites(APIView):
        (will test if docs 53 and 54 are among the favorites of corpus 2)
        (returns the intersection of fav docs with [53,54])
        """
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
        fav_node = self._get_fav_node(corpus_id)
        req_params = validate(
@@ -516,6 +571,11 @@ class CorpusFacet(APIView):
    def get(self, request, node_id):
        # check that the node is a corpus
        #   ? faster from cache than: corpus = session.query(Node)...
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
        corpus = cache.Node[node_id]
        if corpus.typename != 'CORPUS':
            raise ValidationException(

--- a/graph/bridgeness.py
+++ b/graph/bridgeness.py
@@ -7,6 +7,9 @@ from collections              import defaultdict
 from networkx.readwrite           import json_graph
 def filterByBridgeness(G,partition,ids,weight,bridgeness,type,field1,field2):
+    '''
+    What is bridgeness ?
+    '''
    # Data are stored in a dict(), (== hashmap by default for Python)
    data = dict()
    if type == "node_link":

--- a/graph/graph.py
+++ b/graph/graph.py
@@ -71,8 +71,8 @@ def get_graph( request=None         , corpus=None
            return {'state': "mapListError", "length" : mapList_size}
-        # case of corpus not big enough
+        # Instantiate query for case of corpus not big enough
-        # ==============================
+        # ===================================================
        corpus_size_query = (session.query(Node)
                                    .filter(Node.typename=="DOCUMENT")
                                    .filter(Node.parent_id == corpus.id)

--- a/graph/rest.py
+++ b/graph/rest.py
@@ -56,7 +56,6 @@ def format_html(link):
 # TODO check authentication
 class Graph(APIView):
    '''
    REST part for graphs.
@@ -69,6 +68,10 @@ class Graph(APIView):
        graph?field1=ngrams&field2=ngrams&start=''&end=''
        '''
+        if not request.user.is_authenticated():
+            # can't use @requires_auth because of positional 'self' within class
+            return HttpResponse('Unauthorized', status=401)
        # Get the node we are working with
        corpus = session.query(Node).filter(Node.id==corpus_id).first()

--- a/templates/pages/corpora/myGraphs.html
+++ b/templates/pages/corpora/myGraphs.html
@@ -37,7 +37,7 @@
                                        <li>From: {% if not  cooc.hyperdata.start  %} begin of corpus {% else %} {{cooc.hyperdata.start}} {% endif %}
                                            , To:   {% if not  cooc.hyperdata.end    %} end   of corpus {% else %} {{cooc.hyperdata.end}}   {% endif %}
                                        </li>
-                                        <li> {{ value }} nodes with distances:
+                                        <li> ~{{ value }} nodes with distances:
                                            <ul>
                                                <li>
                                                <a href="/projects/{{project.id}}/corpora/{{corpus.id}}/explorer?cooc_id={{cooc.id}}&distance=distributional&bridgeness=5">