Fix some privacy issues

2025-06-12 00:50:40 +00:00 · 2023-04-11 11:46:33 +02:00
parent 77fc8a42f1
commit 3a2295487c
27 changed files with 102 additions and 79 deletions
--- a/app/contributions/init.py
+++ b/app/contributions/init.py
@ -1,7 +1,20 @@
 from flask import Blueprint
+from flask_login import login_required


 bp = Blueprint('contributions', __name__)
+
+
+@bp.before_request
+@login_required
+def before_request():
+    '''
+    Ensures that the routes in this package can only be visited by users that
+    are logged in.
+    '''
+    pass
+
+
 from . import routes
 from . import spacy_nlp_pipeline_models
 from . import tesseract_ocr_pipeline_models
--- a/app/contributions/routes.py
+++ b/app/contributions/routes.py
@ -1,11 +1,9 @@
 from flask import redirect, url_for
 from flask_breadcrumbs import register_breadcrumb
-from flask_login import login_required
 from . import bp


@bp.route('')
@register_breadcrumb(bp, '.', '<i class="material-icons left">new_label</i>My Contributions')
-@login_required
 def contributions():
    return redirect(url_for('main.dashboard', _anchor='contributions'))
--- a/app/contributions/spacy_nlp_pipeline_models/json_routes.py
+++ b/app/contributions/spacy_nlp_pipeline_models/json_routes.py
@ -1,5 +1,5 @@
 from flask import abort, current_app, request
-from flask_login import login_required, current_user
+from flask_login import current_user
 from threading import Thread
 from app import db
 from app.decorators import content_negotiation, permission_required
@ -8,7 +8,6 @@ from .. import bp


@bp.route('/spacy-nlp-pipeline-models/<hashid:spacy_nlp_pipeline_model_id>', methods=['DELETE'])
-@login_required
@content_negotiation(produces='application/json')
 def delete_spacy_model(spacy_nlp_pipeline_model_id):
    def _delete_spacy_model(app, spacy_nlp_pipeline_model_id):
@ -33,7 +32,6 @@ def delete_spacy_model(spacy_nlp_pipeline_model_id):


@bp.route('/spacy-nlp-pipeline-models/<hashid:spacy_nlp_pipeline_model_id>/is_public', methods=['PUT'])
-@login_required
@permission_required('CONTRIBUTE')
@content_negotiation(consumes='application/json', produces='application/json')
 def update_spacy_nlp_pipeline_model_is_public(spacy_nlp_pipeline_model_id):
--- a/app/contributions/spacy_nlp_pipeline_models/routes.py
+++ b/app/contributions/spacy_nlp_pipeline_models/routes.py
@ -1,6 +1,6 @@
 from flask import abort, flash, redirect, render_template, url_for
 from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
 from app import db
 from app.models import SpaCyNLPPipelineModel
 from . import bp
@ -15,7 +15,6 @@ from .utils import (

@bp.route('/spacy-nlp-pipeline-models')
@register_breadcrumb(bp, '.spacy_nlp_pipeline_models', 'SpaCy NLP Pipeline Models')
-@login_required
 def spacy_nlp_pipeline_models():
    return render_template(
        'contributions/spacy_nlp_pipeline_models/spacy_nlp_pipeline_models.html.j2',
@ -25,7 +24,6 @@ def spacy_nlp_pipeline_models():

@bp.route('/spacy-nlp-pipeline-models/create', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.spacy_nlp_pipeline_models.create', 'Create')
-@login_required
 def create_spacy_nlp_pipeline_model():
    form = CreateSpaCyNLPPipelineModelForm()
    if form.is_submitted():
@ -60,9 +58,10 @@ def create_spacy_nlp_pipeline_model():

@bp.route('/spacy-nlp-pipeline-models/<hashid:spacy_nlp_pipeline_model_id>', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.spacy_nlp_pipeline_models.entity', '', dynamic_list_constructor=spacy_nlp_pipeline_model_dlc)
-@login_required
 def spacy_nlp_pipeline_model(spacy_nlp_pipeline_model_id):
    snpm = SpaCyNLPPipelineModel.query.get_or_404(spacy_nlp_pipeline_model_id)
+    if not (snpm.user == current_user or current_user.is_administrator()):
+        abort(403)
    form = UpdateSpaCyNLPPipelineModelForm(data=snpm.to_json_serializeable())
    if form.validate_on_submit():
        form.populate_obj(snpm)
--- a/app/contributions/tesseract_ocr_pipeline_models/json_routes.py
+++ b/app/contributions/tesseract_ocr_pipeline_models/json_routes.py
@ -1,5 +1,5 @@
 from flask import abort, current_app, request
-from flask_login import login_required, current_user
+from flask_login import current_user
 from threading import Thread
 from app import db
 from app.decorators import content_negotiation, permission_required
@ -8,7 +8,6 @@ from . import bp


@bp.route('/tesseract-ocr-pipeline-models/<hashid:tesseract_ocr_pipeline_model_id>', methods=['DELETE'])
-@login_required
@content_negotiation(produces='application/json')
 def delete_tesseract_model(tesseract_ocr_pipeline_model_id):
    def _delete_tesseract_ocr_pipeline_model(app, tesseract_ocr_pipeline_model_id):
@ -33,7 +32,6 @@ def delete_tesseract_model(tesseract_ocr_pipeline_model_id):


@bp.route('/tesseract-ocr-pipeline-models/<hashid:tesseract_ocr_pipeline_model_id>/is_public', methods=['PUT'])
-@login_required
@permission_required('CONTRIBUTE')
@content_negotiation(consumes='application/json', produces='application/json')
 def update_tesseract_ocr_pipeline_model_is_public(tesseract_ocr_pipeline_model_id):
--- a/app/contributions/tesseract_ocr_pipeline_models/routes.py
+++ b/app/contributions/tesseract_ocr_pipeline_models/routes.py
@ -1,6 +1,6 @@
-from flask import abort, flash, redirect, render_template, request, url_for
+from flask import abort, flash, redirect, render_template, url_for
 from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
 from app import db
 from app.models import TesseractOCRPipelineModel
 from . import bp
@ -15,7 +15,6 @@ from .utils import (

@bp.route('/tesseract-ocr-pipeline-models')
@register_breadcrumb(bp, '.tesseract_ocr_pipeline_models', 'Tesseract OCR Pipeline Models')
-@login_required
 def tesseract_ocr_pipeline_models():
    return render_template(
        'contributions/tesseract_ocr_pipeline_models/tesseract_ocr_pipeline_models.html.j2',
@ -25,7 +24,6 @@ def tesseract_ocr_pipeline_models():

@bp.route('/tesseract-ocr-pipeline-models/create', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.tesseract_ocr_pipeline_models.create', 'Create')
-@login_required
 def create_tesseract_ocr_pipeline_model():
    form = CreateTesseractOCRPipelineModelForm()
    if form.is_submitted():
@ -59,9 +57,10 @@ def create_tesseract_ocr_pipeline_model():

@bp.route('/tesseract-ocr-pipeline-models/<hashid:tesseract_ocr_pipeline_model_id>', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.tesseract_ocr_pipeline_models.entity', '', dynamic_list_constructor=tesseract_ocr_pipeline_model_dlc)
-@login_required
 def tesseract_ocr_pipeline_model(tesseract_ocr_pipeline_model_id):
    topm = TesseractOCRPipelineModel.query.get_or_404(tesseract_ocr_pipeline_model_id)
+    if not (topm.user == current_user or current_user.is_administrator()):
+        abort(403)
    form = UpdateTesseractOCRPipelineModelForm(data=topm.to_json_serializeable())
    if form.validate_on_submit():
        form.populate_obj(topm)
--- a/app/contributions/transkribus_htr_pipeline_models/routes.py
+++ b/app/contributions/transkribus_htr_pipeline_models/routes.py
@ -1,9 +1,7 @@
 from flask import abort
-from flask_login import login_required
 from . import bp


@bp.route('/transkribus_htr_pipeline_models')
-@login_required
 def transkribus_htr_pipeline_models():
    return abort(503)