From 3a2295487c1ae94b2fc3fb0ddf7f1754b834e107 Mon Sep 17 00:00:00 2001 From: Patrick Jentsch Date: Tue, 11 Apr 2023 11:46:33 +0200 Subject: [PATCH] Fix some privacy issues --- app/contributions/__init__.py | 13 +++++++++++++ app/contributions/routes.py | 2 -- .../spacy_nlp_pipeline_models/json_routes.py | 4 +--- .../spacy_nlp_pipeline_models/routes.py | 7 +++---- .../tesseract_ocr_pipeline_models/json_routes.py | 4 +--- .../tesseract_ocr_pipeline_models/routes.py | 9 ++++----- .../transkribus_htr_pipeline_models/routes.py | 2 -- app/corpora/__init__.py | 13 +++++++++++++ app/corpora/files/json_routes.py | 2 -- app/corpora/files/routes.py | 5 ----- app/corpora/followers/json_routes.py | 5 +---- app/corpora/json_routes.py | 6 +----- app/corpora/routes.py | 9 +-------- app/jobs/__init__.py | 13 +++++++++++++ app/jobs/json_routes.py | 5 +---- app/jobs/routes.py | 14 +++----------- app/main/routes.py | 1 + app/models.py | 2 +- app/services/__init__.py | 12 ++++++++++++ app/services/routes.py | 8 +------- app/settings/__init__.py | 12 ++++++++++++ app/templates/admin/user.html.j2 | 4 +++- app/users/__init__.py | 12 ++++++++++++ app/users/json_routes.py | 3 +-- app/users/routes.py | 7 ++----- app/users/settings/json_routes.py | 4 +--- app/users/settings/routes.py | 3 +-- 27 files changed, 102 insertions(+), 79 deletions(-) diff --git a/app/contributions/__init__.py b/app/contributions/__init__.py index 478631f9..5a7ddf1b 100644 --- a/app/contributions/__init__.py +++ b/app/contributions/__init__.py @@ -1,7 +1,20 @@ from flask import Blueprint +from flask_login import login_required bp = Blueprint('contributions', __name__) + + +@bp.before_request +@login_required +def before_request(): + ''' + Ensures that the routes in this package can only be visited by users that + are logged in. + ''' + pass + + from . import routes from . import spacy_nlp_pipeline_models from . import tesseract_ocr_pipeline_models 
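Review bot: The `before_request` hook added after `bp = Blueprint('contributions', __name__)` becomes the only login check for this package, and it covers only views registered on this `bp` or on a blueprint nested under it. The route modules in this patch reach their blueprint through `from . import bp` and `from .. import bp`, and the sub-package `__init__` files are not part of the patch, so it is not visible here whether each of them re-exports this object or creates a Blueprint of its own. That should be confirmed before relying on the removal of the per-route `@login_required` decorators, for example with a test that requests every endpoint of the package anonymously and expects the login redirect. A comment above the hook such as `# Sole authentication gate for this blueprint; views must not be registered on any other Blueprint` would record the dependency. The hooks added in `app/corpora/__init__.py` and `app/jobs/__init__.py` are the same.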
diff --git a/app/contributions/routes.py b/app/contributions/routes.py index 4bdc5cc7..82fc63ba 100644 --- a/app/contributions/routes.py +++ b/app/contributions/routes.py @@ -1,11 +1,9 @@ from flask import redirect, url_for from flask_breadcrumbs import register_breadcrumb -from flask_login import login_required from . import bp @bp.route('') @register_breadcrumb(bp, '.', 'new_labelMy Contributions') -@login_required def contributions(): return redirect(url_for('main.dashboard', _anchor='contributions')) diff --git a/app/contributions/spacy_nlp_pipeline_models/json_routes.py b/app/contributions/spacy_nlp_pipeline_models/json_routes.py index 9d05b165..073eaa5e 100644 --- a/app/contributions/spacy_nlp_pipeline_models/json_routes.py +++ b/app/contributions/spacy_nlp_pipeline_models/json_routes.py @@ -1,5 +1,5 @@ from flask import abort, current_app, request -from flask_login import login_required, current_user +from flask_login import current_user from threading import Thread from app import db from app.decorators import content_negotiation, permission_required @@ -8,7 +8,6 @@ from .. import bp @bp.route('/spacy-nlp-pipeline-models/', methods=['DELETE']) -@login_required @content_negotiation(produces='application/json') def delete_spacy_model(spacy_nlp_pipeline_model_id): def _delete_spacy_model(app, spacy_nlp_pipeline_model_id): @@ -33,7 +32,6 @@ def delete_spacy_model(spacy_nlp_pipeline_model_id): @bp.route('/spacy-nlp-pipeline-models//is_public', methods=['PUT']) -@login_required @permission_required('CONTRIBUTE') @content_negotiation(consumes='application/json', produces='application/json') def update_spacy_nlp_pipeline_model_is_public(spacy_nlp_pipeline_model_id): diff --git a/app/contributions/spacy_nlp_pipeline_models/routes.py b/app/contributions/spacy_nlp_pipeline_models/routes.py index f53d55f1..a3afbe55 100644 --- a/app/contributions/spacy_nlp_pipeline_models/routes.py +++ b/app/contributions/spacy_nlp_pipeline_models/routes.py 
@@ -1,6 +1,6 @@ from flask import abort, flash, redirect, render_template, url_for from flask_breadcrumbs import register_breadcrumb -from flask_login import current_user, login_required +from flask_login import current_user from app import db from app.models import SpaCyNLPPipelineModel from . import bp @@ -15,7 +15,6 @@ from .utils import ( @bp.route('/spacy-nlp-pipeline-models') @register_breadcrumb(bp, '.spacy_nlp_pipeline_models', 'SpaCy NLP Pipeline Models') -@login_required def spacy_nlp_pipeline_models(): return render_template( 'contributions/spacy_nlp_pipeline_models/spacy_nlp_pipeline_models.html.j2', @@ -25,7 +24,6 @@ def spacy_nlp_pipeline_models(): @bp.route('/spacy-nlp-pipeline-models/create', methods=['GET', 'POST']) @register_breadcrumb(bp, '.spacy_nlp_pipeline_models.create', 'Create') -@login_required def create_spacy_nlp_pipeline_model(): form = CreateSpaCyNLPPipelineModelForm() if form.is_submitted(): @@ -60,9 +58,10 @@ def create_spacy_nlp_pipeline_model(): @bp.route('/spacy-nlp-pipeline-models/', methods=['GET', 'POST']) @register_breadcrumb(bp, '.spacy_nlp_pipeline_models.entity', '', dynamic_list_constructor=spacy_nlp_pipeline_model_dlc) -@login_required def spacy_nlp_pipeline_model(spacy_nlp_pipeline_model_id): snpm = SpaCyNLPPipelineModel.query.get_or_404(spacy_nlp_pipeline_model_id) + if not (snpm.user == current_user or current_user.is_administrator()): + abort(403) form = UpdateSpaCyNLPPipelineModelForm(data=snpm.to_json_serializeable()) if form.validate_on_submit(): form.populate_obj(snpm) diff --git a/app/contributions/tesseract_ocr_pipeline_models/json_routes.py b/app/contributions/tesseract_ocr_pipeline_models/json_routes.py index 29a9f373..22f09e1b 100644 --- a/app/contributions/tesseract_ocr_pipeline_models/json_routes.py +++ b/app/contributions/tesseract_ocr_pipeline_models/json_routes.py 
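Review bot: The new check in `spacy_nlp_pipeline_model` answers 403 for a model that exists but belongs to another user, while `get_or_404` answers 404 for an id that does not exist, so a logged-in user can tell the two cases apart. If that difference should not be visible, `abort(404)` in place of `abort(403)` hides it. The identical condition is added to `tesseract_ocr_pipeline_model` and is already present in the job routes, so a small shared decorator in the manner of `corpus_owner_or_admin_required` would keep the copies from drifting apart. The function body continues past the end of the hunk.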
@@ -1,5 +1,5 @@ from flask import abort, current_app, request -from flask_login import login_required, current_user +from flask_login import current_user from threading import Thread from app import db from app.decorators import content_negotiation, permission_required @@ -8,7 +8,6 @@ from . import bp @bp.route('/tesseract-ocr-pipeline-models/', methods=['DELETE']) -@login_required @content_negotiation(produces='application/json') def delete_tesseract_model(tesseract_ocr_pipeline_model_id): def _delete_tesseract_ocr_pipeline_model(app, tesseract_ocr_pipeline_model_id): @@ -33,7 +32,6 @@ def delete_tesseract_model(tesseract_ocr_pipeline_model_id): @bp.route('/tesseract-ocr-pipeline-models//is_public', methods=['PUT']) -@login_required @permission_required('CONTRIBUTE') @content_negotiation(consumes='application/json', produces='application/json') def update_tesseract_ocr_pipeline_model_is_public(tesseract_ocr_pipeline_model_id): diff --git a/app/contributions/tesseract_ocr_pipeline_models/routes.py b/app/contributions/tesseract_ocr_pipeline_models/routes.py index e0261e80..c35b0419 100644 --- a/app/contributions/tesseract_ocr_pipeline_models/routes.py +++ b/app/contributions/tesseract_ocr_pipeline_models/routes.py @@ -1,6 +1,6 @@ -from flask import abort, flash, redirect, render_template, request, url_for +from flask import abort, flash, redirect, render_template, url_for from flask_breadcrumbs import register_breadcrumb -from flask_login import current_user, login_required +from flask_login import current_user from app import db from app.models import TesseractOCRPipelineModel from . import bp @@ -15,7 +15,6 @@ from .utils import ( @bp.route('/tesseract-ocr-pipeline-models') @register_breadcrumb(bp, '.tesseract_ocr_pipeline_models', 'Tesseract OCR Pipeline Models') -@login_required def tesseract_ocr_pipeline_models(): return render_template( 'contributions/tesseract_ocr_pipeline_models/tesseract_ocr_pipeline_models.html.j2', 
@@ -25,7 +24,6 @@ def tesseract_ocr_pipeline_models(): @bp.route('/tesseract-ocr-pipeline-models/create', methods=['GET', 'POST']) @register_breadcrumb(bp, '.tesseract_ocr_pipeline_models.create', 'Create') -@login_required def create_tesseract_ocr_pipeline_model(): form = CreateTesseractOCRPipelineModelForm() if form.is_submitted(): @@ -59,9 +57,10 @@ def create_tesseract_ocr_pipeline_model(): @bp.route('/tesseract-ocr-pipeline-models/', methods=['GET', 'POST']) @register_breadcrumb(bp, '.tesseract_ocr_pipeline_models.entity', '', dynamic_list_constructor=tesseract_ocr_pipeline_model_dlc) -@login_required def tesseract_ocr_pipeline_model(tesseract_ocr_pipeline_model_id): topm = TesseractOCRPipelineModel.query.get_or_404(tesseract_ocr_pipeline_model_id) + if not (topm.user == current_user or current_user.is_administrator()): + abort(403) form = UpdateTesseractOCRPipelineModelForm(data=topm.to_json_serializeable()) if form.validate_on_submit(): form.populate_obj(topm) diff --git a/app/contributions/transkribus_htr_pipeline_models/routes.py b/app/contributions/transkribus_htr_pipeline_models/routes.py index 317ff9b9..dc698c0f 100644 --- a/app/contributions/transkribus_htr_pipeline_models/routes.py +++ b/app/contributions/transkribus_htr_pipeline_models/routes.py @@ -1,9 +1,7 @@ from flask import abort -from flask_login import login_required from . import bp @bp.route('/transkribus_htr_pipeline_models') -@login_required def transkribus_htr_pipeline_models(): return abort(503) diff --git a/app/corpora/__init__.py b/app/corpora/__init__.py index af734b0c..3766f2a6 100644 --- a/app/corpora/__init__.py +++ b/app/corpora/__init__.py 
@@ -1,7 +1,20 @@ from flask import Blueprint +from flask_login import login_required bp = Blueprint('corpora', __name__) + + +@bp.before_request +@login_required +def before_request(): + ''' + Ensures that the routes in this package can only be visited by users that + are logged in. + ''' + pass + + from . import cqi_over_socketio, routes, json_routes from . import files from . import followers diff --git a/app/corpora/files/json_routes.py b/app/corpora/files/json_routes.py index 2e40775d..faa5f233 100644 --- a/app/corpora/files/json_routes.py +++ b/app/corpora/files/json_routes.py @@ -1,5 +1,4 @@ from flask import current_app, jsonify -from flask_login import login_required from threading import Thread from app import db from app.decorators import content_negotiation @@ -9,7 +8,6 @@ from . import bp @bp.route('//files/', methods=['DELETE']) -@login_required @corpus_follower_permission_required('REMOVE_CORPUS_FILE') @content_negotiation(produces='application/json') def delete_corpus_file(corpus_id, corpus_file_id): diff --git a/app/corpora/files/routes.py b/app/corpora/files/routes.py index 7dca50a2..108acf1a 100644 --- a/app/corpora/files/routes.py +++ b/app/corpora/files/routes.py @@ -7,7 +7,6 @@ from flask import ( url_for ) from flask_breadcrumbs import register_breadcrumb -from flask_login import login_required import os from app import db from app.models import Corpus, CorpusFile, CorpusStatus 
@@ -22,14 +21,12 @@ from .utils import ( @bp.route('//files') @register_breadcrumb(bp, '.entity.files', 'Files', endpoint_arguments_constructor=corpus_eac) -@login_required def corpus_files(corpus_id): return redirect(url_for('.corpus', _anchor='files', corpus_id=corpus_id)) @bp.route('//files/create', methods=['GET', 'POST']) @register_breadcrumb(bp, '.entity.files.create', 'Create', endpoint_arguments_constructor=corpus_eac) -@login_required @corpus_follower_permission_required('ADD_CORPUS_FILE') def create_corpus_file(corpus_id): corpus = Corpus.query.get_or_404(corpus_id) @@ -72,7 +69,6 @@ def create_corpus_file(corpus_id): @bp.route('//files/', methods=['GET', 'POST']) @register_breadcrumb(bp, '.entity.files.entity', '', dynamic_list_constructor=corpus_file_dlc) -@login_required @corpus_follower_permission_required('UPDATE_CORPUS_FILE') def corpus_file(corpus_id, corpus_file_id): corpus_file = CorpusFile.query.filter_by(corpus_id=corpus_id, id=corpus_file_id).first_or_404() @@ -94,7 +90,6 @@ def corpus_file(corpus_id, corpus_file_id): @bp.route('//files//download') -@login_required @corpus_follower_permission_required('VIEW') def download_corpus_file(corpus_id, corpus_file_id): corpus_file = CorpusFile.query.filter_by(corpus_id=corpus_id, id=corpus_file_id).first_or_404() diff --git a/app/corpora/followers/json_routes.py b/app/corpora/followers/json_routes.py index 88fa81d2..7c16a838 100644 --- a/app/corpora/followers/json_routes.py +++ b/app/corpora/followers/json_routes.py @@ -1,5 +1,5 @@ from flask import abort, jsonify, request -from flask_login import current_user, login_required +from flask_login import current_user from app import db from app.decorators import content_negotiation from app.models import ( @@ -13,7 +13,6 @@ from . import bp @bp.route('//followers', methods=['POST']) -@login_required @corpus_owner_or_admin_required @content_negotiation(consumes='application/json', produces='application/json') def create_corpus_followers(corpus_id): 
@@ -35,7 +34,6 @@ def create_corpus_followers(corpus_id): @bp.route('//followers//role', methods=['PUT']) -@login_required @corpus_owner_or_admin_required @content_negotiation(consumes='application/json', produces='application/json') def update_corpus_follower_role(corpus_id, follower_id): @@ -58,7 +56,6 @@ def update_corpus_follower_role(corpus_id, follower_id): @bp.route('//followers/', methods=['DELETE']) -@login_required @content_negotiation(produces='application/json') def delete_corpus_follower(corpus_id, follower_id): corpus = Corpus.query.get_or_404(corpus_id) diff --git a/app/corpora/json_routes.py b/app/corpora/json_routes.py index 0494e1e5..e8142cf5 100644 --- a/app/corpora/json_routes.py +++ b/app/corpora/json_routes.py @@ -6,7 +6,7 @@ from flask import ( request, url_for ) -from flask_login import current_user, login_required +from flask_login import current_user from threading import Thread from .decorators import corpus_follower_permission_required, corpus_owner_or_admin_required from app import db, hashids @@ -16,7 +16,6 @@ from . import bp @bp.route('/', methods=['DELETE']) -@login_required @corpus_owner_or_admin_required @content_negotiation(produces='application/json') def delete_corpus(corpus_id): @@ -42,7 +41,6 @@ def delete_corpus(corpus_id): @bp.route('//build', methods=['POST']) -@login_required @corpus_owner_or_admin_required @content_negotiation(produces='application/json') def build_corpus(corpus_id): @@ -71,7 +69,6 @@ def build_corpus(corpus_id): @bp.route('//generate-share-link', methods=['POST']) -@login_required @corpus_follower_permission_required('GENERATE_SHARE_LINK') @content_negotiation(consumes='application/json', produces='application/json') def generate_corpus_share_link(corpus_id): 
@@ -108,7 +105,6 @@ def generate_corpus_share_link(corpus_id): @bp.route('//is_public', methods=['PUT']) -@login_required @corpus_owner_or_admin_required @content_negotiation(consumes='application/json', produces='application/json') def update_corpus_is_public(corpus_id): diff --git a/app/corpora/routes.py b/app/corpora/routes.py index ae5069fa..ccb70760 100644 --- a/app/corpora/routes.py +++ b/app/corpora/routes.py @@ -1,6 +1,6 @@ from flask import abort, flash, redirect, render_template, url_for from flask_breadcrumbs import register_breadcrumb -from flask_login import current_user, login_required +from flask_login import current_user from .decorators import corpus_follower_permission_required from app import db from app.models import ( @@ -19,14 +19,12 @@ from .utils import ( @bp.route('') @register_breadcrumb(bp, '.', 'IMy Corpora') -@login_required def corpora(): return redirect(url_for('main.dashboard', _anchor='corpora')) @bp.route('/create', methods=['GET', 'POST']) @register_breadcrumb(bp, '.create', 'Create') -@login_required def create_corpus(): form = CreateCorpusForm() if form.validate_on_submit(): @@ -50,7 +48,6 @@ def create_corpus(): @bp.route('/') @register_breadcrumb(bp, '.entity', '', dynamic_list_constructor=corpus_dlc) -@login_required def corpus(corpus_id): corpus = Corpus.query.get_or_404(corpus_id) corpus_follower_roles = CorpusFollowerRole.query.all() @@ -77,7 +74,6 @@ def corpus(corpus_id): @bp.route('//analyse') @register_breadcrumb(bp, '.entity.analyse', 'Analyse', endpoint_arguments_constructor=corpus_eac) -@login_required @corpus_follower_permission_required('VIEW') def analyse_corpus(corpus_id): corpus = Corpus.query.get_or_404(corpus_id) @@ -89,7 +85,6 @@ def analyse_corpus(corpus_id): @bp.route('//follow/') -@login_required def follow_corpus(corpus_id, token): corpus = Corpus.query.get_or_404(corpus_id) if current_user.follow_corpus_by_token(token): 
@@ -101,13 +96,11 @@ def follow_corpus(corpus_id, token): @bp.route('/import', methods=['GET', 'POST']) @register_breadcrumb(bp, '.import', 'Import') -@login_required def import_corpus(): abort(503) @bp.route('//export') @register_breadcrumb(bp, '.entity.export', 'Export', endpoint_arguments_constructor=corpus_eac) -@login_required def export_corpus(corpus_id): abort(503) diff --git a/app/jobs/__init__.py b/app/jobs/__init__.py index 11b2ad36..1350e7e1 100644 --- a/app/jobs/__init__.py +++ b/app/jobs/__init__.py @@ -1,5 +1,18 @@ from flask import Blueprint +from flask_login import login_required bp = Blueprint('jobs', __name__) + + +@bp.before_request +@login_required +def before_request(): + ''' + Ensures that the routes in this package can only be visited by users that + are logged in. + ''' + pass + + from . import routes, json_routes diff --git a/app/jobs/json_routes.py b/app/jobs/json_routes.py index 3562470f..7bedc726 100644 --- a/app/jobs/json_routes.py +++ b/app/jobs/json_routes.py @@ -1,5 +1,5 @@ from flask import abort, current_app -from flask_login import current_user, login_required +from flask_login import current_user from threading import Thread import os from app import db @@ -9,7 +9,6 @@ from . import bp @bp.route('/', methods=['DELETE']) -@login_required @content_negotiation(produces='application/json') def delete_job(job_id): def _delete_job(app, job_id): @@ -33,7 +32,6 @@ def delete_job(job_id): @bp.route('//log') -@login_required @admin_required @content_negotiation(produces='application/json') def job_log(job_id): @@ -51,7 +49,6 @@ def job_log(job_id): @bp.route('//restart', methods=['POST']) -@login_required @content_negotiation(produces='application/json') def restart_job(job_id): def _restart_job(app, job_id): diff --git a/app/jobs/routes.py b/app/jobs/routes.py index 5f0d6273..f0480293 100644 --- a/app/jobs/routes.py +++ b/app/jobs/routes.py 
@@ -6,7 +6,7 @@ from flask import ( url_for ) from flask_breadcrumbs import register_breadcrumb -from flask_login import current_user, login_required +from flask_login import current_user import os from app.models import Job, JobInput, JobResult from . import bp @@ -15,14 +15,12 @@ from .utils import job_dynamic_list_constructor as job_dlc @bp.route('') @register_breadcrumb(bp, '.', 'JMy Jobs') -@login_required def corpora(): return redirect(url_for('main.dashboard', _anchor='jobs')) @bp.route('/') @register_breadcrumb(bp, '.entity', '', dynamic_list_constructor=job_dlc) -@login_required def job(job_id): job = Job.query.get_or_404(job_id) if not (job.user == current_user or current_user.is_administrator()): @@ -35,11 +33,8 @@ def job(job_id): @bp.route('//inputs//download') -@login_required def download_job_input(job_id, job_input_id): - job_input = JobInput.query.get_or_404(job_input_id) - if job_input.job.id != job_id: - abort(404) + job_input = JobInput.query.filter_by(job_id=job_id, id=job_input_id).first_or_404() if not (job_input.job.user == current_user or current_user.is_administrator()): abort(403) return send_from_directory( @@ -52,11 +47,8 @@ def download_job_input(job_id, job_input_id): @bp.route('//results//download') -@login_required def download_job_result(job_id, job_result_id): - job_result = JobResult.query.get_or_404(job_result_id) - if job_result.job.id != job_id: - abort(404) + job_result = JobResult.query.filter_by(job_id=job_id, id=job_result_id).first_or_404() if not (job_result.job.user == current_user or current_user.is_administrator()): abort(403) return send_from_directory( diff --git a/app/main/routes.py b/app/main/routes.py index f5fac68d..cda06da6 100644 --- a/app/main/routes.py +++ b/app/main/routes.py @@ -79,6 +79,7 @@ def terms_of_use(): @bp.route('/social-area') @register_breadcrumb(bp, '.social_area', 'groupSocial Area') +@login_required def social_area(): # corpora = [ # c.to_json_serializeable() for c 
diff --git a/app/models.py b/app/models.py index bcc030e5..57658074 100644 --- a/app/models.py +++ b/app/models.py @@ -693,7 +693,7 @@ class User(HashidMixin, UserMixin, db.Model): db.session.commit() def can(self, permission): - return self.role.has_permission(permission) + return self.role is not None and self.role.has_permission(permission) def confirm(self, confirmation_token): try: diff --git a/app/services/__init__.py b/app/services/__init__.py index 73c78b59..ba1eb297 100644 --- a/app/services/__init__.py +++ b/app/services/__init__.py @@ -9,4 +9,16 @@ with open(services_file, 'r') as f: SERVICES = yaml.safe_load(f) bp = Blueprint('services', __name__) + + +@bp.before_request +@login_required +def before_request(): + ''' + Ensures that the routes in this package can only be visited by users that + are logged in. + ''' + pass + + from . import routes # noqa diff --git a/app/services/routes.py b/app/services/routes.py index 7ab36384..0a8c2811 100644 --- a/app/services/routes.py +++ b/app/services/routes.py @@ -1,6 +1,6 @@ from flask import abort, current_app, flash, Markup, redirect, render_template, request, url_for from flask_breadcrumbs import register_breadcrumb -from flask_login import current_user, login_required +from flask_login import current_user import requests from app import db, hashids from app.models import ( @@ -21,14 +21,12 @@ from .forms import ( @bp.route('/services') @register_breadcrumb(bp, '.', 'Services') -@login_required def services(): return redirect(url_for('main.dashboard')) @bp.route('/file-setup-pipeline', methods=['GET', 'POST']) @register_breadcrumb(bp, '.file_setup_pipeline', 'File Setup') -@login_required def file_setup_pipeline(): service = 'file-setup-pipeline' service_manifest = SERVICES[service] 
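Review bot: `User.can` has no docstring, and the new `self.role is not None` guard encodes a policy worth stating: a user without a role holds no permissions. A one-line docstring such as `'''Return True if the user's role grants the permission; a user with no role has none.'''` would make the deny-by-default intent explicit for the permission checks that rely on it. The rest of the class lies outside the hunk, so how a user ends up without a role is not visible here.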
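Review bot: `@login_required` is used by the hook added in `app/services/__init__.py`, but the hunk adds no `from flask_login import login_required`, and the diffstat counts exactly the 12 hook lines as the file's only additions. Lines 1-8 of the file are outside the hunk, so the name may already be imported there; if it is not, importing the package raises `NameError`. The hunks for `app/settings/__init__.py` and `app/users/__init__.py` have the same shape: each starts at line 2, shows `from flask import Blueprint` as the only earlier line, and adds 12 lines without an import. Each of these files needs `from flask_login import login_required` next to the Flask import, as the patch does in `app/contributions/__init__.py`.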
@@ -70,7 +68,6 @@ def file_setup_pipeline(): @bp.route('/tesseract-ocr-pipeline', methods=['GET', 'POST']) @register_breadcrumb(bp, '.tesseract_ocr_pipeline', 'Tesseract OCR Pipeline') -@login_required def tesseract_ocr_pipeline(): service_name = 'tesseract-ocr-pipeline' service_manifest = SERVICES[service_name] @@ -120,7 +117,6 @@ def tesseract_ocr_pipeline(): @bp.route('/transkribus-htr-pipeline', methods=['GET', 'POST']) @register_breadcrumb(bp, '.transkribus_htr_pipeline', 'Transkribus HTR Pipeline') -@login_required def transkribus_htr_pipeline(): if not current_app.config.get('NOPAQUE_TRANSKRIBUS_ENABLED'): abort(404) @@ -179,7 +175,6 @@ def transkribus_htr_pipeline(): @bp.route('/spacy-nlp-pipeline', methods=['GET', 'POST']) @register_breadcrumb(bp, '.spacy_nlp_pipeline', 'SpaCy NLP Pipeline') -@login_required def spacy_nlp_pipeline(): service = 'spacy-nlp-pipeline' service_manifest = SERVICES[service] @@ -225,7 +220,6 @@ def spacy_nlp_pipeline(): @bp.route('/corpus-analysis') @register_breadcrumb(bp, '.corpus_analysis', 'Corpus Analysis') -@login_required def corpus_analysis(): return render_template( 'services/corpus_analysis.html.j2', diff --git a/app/settings/__init__.py b/app/settings/__init__.py index 56265277..0f3d7815 100644 --- a/app/settings/__init__.py +++ b/app/settings/__init__.py @@ -2,4 +2,16 @@ from flask import Blueprint bp = Blueprint('settings', __name__) + + +@bp.before_request +@login_required +def before_request(): + ''' + Ensures that the routes in this package can only be visited by users that + are logged in. + ''' + pass + + from . import routes diff --git a/app/templates/admin/user.html.j2 b/app/templates/admin/user.html.j2 index 73be0732..82c8723d 100644 --- a/app/templates/admin/user.html.j2 +++ b/app/templates/admin/user.html.j2 @@ -17,7 +17,9 @@ unconfirmed {% endif %}

-

{{ user.about_me if user.about_me }}

+ {% if user.about_me %} +

{{ user.about_me }}

+ {% endif %}
 
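Review bot: `{{ user.about_me }}` prints profile text, presumably user-supplied, into an admin page, and the template's name ends in `.html.j2`, a suffix that Flask's default autoescape selection does not cover. Unless the application enables autoescaping for `.j2` templates elsewhere, which is not visible in this patch, the value is emitted unescaped. It should be written as `{{ user.about_me|e }}`, or autoescape should be switched on for this suffix in the app's Jinja configuration. The surrounding markup is not shown in this extract.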
diff --git a/app/users/__init__.py b/app/users/__init__.py index a1ed4f2e..46227fca 100644 --- a/app/users/__init__.py +++ b/app/users/__init__.py @@ -2,5 +2,17 @@ from flask import Blueprint bp = Blueprint('users', __name__) + + +@bp.before_request +@login_required +def before_request(): + ''' + Ensures that the routes in this package can only be visited by users that + are logged in. + ''' + pass + + from . import events, json_routes, routes from . import settings diff --git a/app/users/json_routes.py b/app/users/json_routes.py index 571fa78c..b9cbb3e3 100644 --- a/app/users/json_routes.py +++ b/app/users/json_routes.py @@ -1,5 +1,5 @@ from flask import abort, current_app -from flask_login import current_user, login_required, logout_user +from flask_login import current_user, logout_user from threading import Thread from app import db from app.decorators import content_negotiation @@ -8,7 +8,6 @@ from . import bp @bp.route('/', methods=['DELETE']) -@login_required @content_negotiation(produces='application/json') def delete_user(user_id): def _delete_user(app, user_id): diff --git a/app/users/routes.py b/app/users/routes.py index 7b86a8e1..fbb5a609 100644 --- a/app/users/routes.py +++ b/app/users/routes.py @@ -6,23 +6,21 @@ from flask import ( url_for ) from flask_breadcrumbs import register_breadcrumb -from flask_login import current_user, login_required +from flask_login import current_user import os -from app.models import Corpus, User +from app.models import User from . import bp from .utils import user_dynamic_list_constructor as user_dlc @bp.route('') @register_breadcrumb(bp, '.', 'groupUsers') -@login_required def users(): return redirect(url_for('main.social_area', _anchor='users')) @bp.route('/') @register_breadcrumb(bp, '.entity', '', dynamic_list_constructor=user_dlc) -@login_required def user(user_id): user = User.query.get_or_404(user_id) if not (user.is_public or user == current_user or current_user.is_administrator()): 
@@ -35,7 +33,6 @@ def user(user_id): @bp.route('//avatar') -@login_required def user_avatar(user_id): user = User.query.get_or_404(user_id) if not (user.is_public or user == current_user or current_user.is_administrator()): diff --git a/app/users/settings/json_routes.py b/app/users/settings/json_routes.py index 1d0c4d9e..03f34a22 100644 --- a/app/users/settings/json_routes.py +++ b/app/users/settings/json_routes.py @@ -1,5 +1,5 @@ from flask import abort, request -from flask_login import current_user, login_required +from flask_login import current_user from app import db from app.decorators import content_negotiation from app.models import User, ProfilePrivacySettings @@ -7,7 +7,6 @@ from . import bp @bp.route('//settings/profile-privacy/is-public', methods=['PUT']) -@login_required @content_negotiation(consumes='application/json', produces='application/json') def update_user_profile_privacy_setting_is_public(user_id): user = User.query.get_or_404(user_id) @@ -26,7 +25,6 @@ def update_user_profile_privacy_setting_is_public(user_id): @bp.route('//settings/profile-privacy/', methods=['PUT']) -@login_required @content_negotiation(consumes='application/json', produces='application/json') def update_user_profile_privacy_settings(user_id, profile_privacy_setting_name): user = User.query.get_or_404(user_id) diff --git a/app/users/settings/routes.py b/app/users/settings/routes.py index d921c5c4..68f0a303 100644 --- a/app/users/settings/routes.py +++ b/app/users/settings/routes.py @@ -1,6 +1,6 @@ from flask import abort, flash, g, redirect, render_template, url_for from flask_breadcrumbs import register_breadcrumb -from flask_login import current_user, login_required +from flask_login import current_user from app import db from app.models import Avatar, User from ..utils import user_endpoint_arguments_constructor as user_eac 
@@ -16,7 +16,6 @@ from .forms import ( @bp.route('//settings', methods=['GET', 'POST']) @register_breadcrumb(bp, '.entity.settings', 'settingsSettings', endpoint_arguments_constructor=user_eac) -@login_required def settings(user_id): user = User.query.get_or_404(user_id) if not (user == current_user or current_user.is_administrator()):