Fix some privacy issues

2025-11-04 04:12:45 +00:00 · 2023-04-11 11:46:33 +02:00
parent 77fc8a42f1
commit 3a2295487c
27 changed files with 102 additions and 79 deletions
--- a/app/corpora/init.py
+++ b/app/corpora/init.py
@@ -1,7 +1,20 @@
 from flask import Blueprint
+from flask_login import login_required


 bp = Blueprint('corpora', __name__)
+
+
+@bp.before_request
+@login_required
+def before_request():
+    '''
+    Ensures that the routes in this package can only be visited by users that
+    are logged in.
+    '''
+    pass
+
+
 from . import cqi_over_socketio, routes, json_routes
 from . import files
 from . import followers
--- a/app/corpora/files/json_routes.py
+++ b/app/corpora/files/json_routes.py
@@ -1,5 +1,4 @@
 from flask import current_app, jsonify
-from flask_login import login_required
 from threading import Thread
 from app import db
 from app.decorators import content_negotiation
@@ -9,7 +8,6 @@ from . import bp


@bp.route('/<hashid:corpus_id>/files/<hashid:corpus_file_id>', methods=['DELETE'])
-@login_required
@corpus_follower_permission_required('REMOVE_CORPUS_FILE')
@content_negotiation(produces='application/json')
 def delete_corpus_file(corpus_id, corpus_file_id):
--- a/app/corpora/files/routes.py
+++ b/app/corpora/files/routes.py
@@ -7,7 +7,6 @@ from flask import (
    url_for
 )
 from flask_breadcrumbs import register_breadcrumb
-from flask_login import login_required
 import os
 from app import db
 from app.models import Corpus, CorpusFile, CorpusStatus
@@ -22,14 +21,12 @@ from .utils import (

@bp.route('/<hashid:corpus_id>/files')
@register_breadcrumb(bp, '.entity.files', 'Files', endpoint_arguments_constructor=corpus_eac)
-@login_required
 def corpus_files(corpus_id):
    return redirect(url_for('.corpus', _anchor='files', corpus_id=corpus_id))


@bp.route('/<hashid:corpus_id>/files/create', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.entity.files.create', 'Create', endpoint_arguments_constructor=corpus_eac)
-@login_required
@corpus_follower_permission_required('ADD_CORPUS_FILE')
 def create_corpus_file(corpus_id):
    corpus = Corpus.query.get_or_404(corpus_id)
@@ -72,7 +69,6 @@ def create_corpus_file(corpus_id):

@bp.route('/<hashid:corpus_id>/files/<hashid:corpus_file_id>', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.entity.files.entity', '', dynamic_list_constructor=corpus_file_dlc)
-@login_required
@corpus_follower_permission_required('UPDATE_CORPUS_FILE')
 def corpus_file(corpus_id, corpus_file_id):
    corpus_file = CorpusFile.query.filter_by(corpus_id=corpus_id, id=corpus_file_id).first_or_404()
@@ -94,7 +90,6 @@ def corpus_file(corpus_id, corpus_file_id):


@bp.route('/<hashid:corpus_id>/files/<hashid:corpus_file_id>/download')
-@login_required
@corpus_follower_permission_required('VIEW')
 def download_corpus_file(corpus_id, corpus_file_id):
    corpus_file = CorpusFile.query.filter_by(corpus_id=corpus_id, id=corpus_file_id).first_or_404()
--- a/app/corpora/followers/json_routes.py
+++ b/app/corpora/followers/json_routes.py
@@ -1,5 +1,5 @@
 from flask import abort, jsonify, request
-from flask_login import current_user, login_required
+from flask_login import current_user
 from app import db
 from app.decorators import content_negotiation
 from app.models import (
@@ -13,7 +13,6 @@ from . import bp


@bp.route('/<hashid:corpus_id>/followers', methods=['POST'])
-@login_required
@corpus_owner_or_admin_required
@content_negotiation(consumes='application/json', produces='application/json')
 def create_corpus_followers(corpus_id):
@@ -35,7 +34,6 @@ def create_corpus_followers(corpus_id):


@bp.route('/<hashid:corpus_id>/followers/<hashid:follower_id>/role', methods=['PUT'])
-@login_required
@corpus_owner_or_admin_required
@content_negotiation(consumes='application/json', produces='application/json')
 def update_corpus_follower_role(corpus_id, follower_id):
@@ -58,7 +56,6 @@ def update_corpus_follower_role(corpus_id, follower_id):


@bp.route('/<hashid:corpus_id>/followers/<hashid:follower_id>', methods=['DELETE'])
-@login_required
@content_negotiation(produces='application/json')
 def delete_corpus_follower(corpus_id, follower_id):
    corpus = Corpus.query.get_or_404(corpus_id)
--- a/app/corpora/json_routes.py
+++ b/app/corpora/json_routes.py
@@ -6,7 +6,7 @@ from flask import (
    request,
    url_for
 )
-from flask_login import current_user, login_required
+from flask_login import current_user
 from threading import Thread
 from .decorators import corpus_follower_permission_required, corpus_owner_or_admin_required
 from app import db, hashids
@@ -16,7 +16,6 @@ from . import bp


@bp.route('/<hashid:corpus_id>', methods=['DELETE'])
-@login_required
@corpus_owner_or_admin_required
@content_negotiation(produces='application/json')
 def delete_corpus(corpus_id):
@@ -42,7 +41,6 @@ def delete_corpus(corpus_id):


@bp.route('/<hashid:corpus_id>/build', methods=['POST'])
-@login_required
@corpus_owner_or_admin_required
@content_negotiation(produces='application/json')
 def build_corpus(corpus_id):
@@ -71,7 +69,6 @@ def build_corpus(corpus_id):


@bp.route('/<hashid:corpus_id>/generate-share-link', methods=['POST'])
-@login_required
@corpus_follower_permission_required('GENERATE_SHARE_LINK')
@content_negotiation(consumes='application/json', produces='application/json')
 def generate_corpus_share_link(corpus_id):
@@ -108,7 +105,6 @@ def generate_corpus_share_link(corpus_id):


@bp.route('/<hashid:corpus_id>/is_public', methods=['PUT'])
-@login_required
@corpus_owner_or_admin_required
@content_negotiation(consumes='application/json', produces='application/json')
 def update_corpus_is_public(corpus_id):
--- a/app/corpora/routes.py
+++ b/app/corpora/routes.py
@@ -1,6 +1,6 @@
 from flask import abort, flash, redirect, render_template, url_for
 from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
 from .decorators import corpus_follower_permission_required
 from app import db
 from app.models import (
@@ -19,14 +19,12 @@ from .utils import (

@bp.route('')
@register_breadcrumb(bp, '.', '<i class="nopaque-icons left">I</i>My Corpora')
-@login_required
 def corpora():
    return redirect(url_for('main.dashboard', _anchor='corpora'))


@bp.route('/create', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.create', 'Create')
-@login_required
 def create_corpus():
    form = CreateCorpusForm()
    if form.validate_on_submit():
@@ -50,7 +48,6 @@ def create_corpus():

@bp.route('/<hashid:corpus_id>')
@register_breadcrumb(bp, '.entity', '', dynamic_list_constructor=corpus_dlc)
-@login_required
 def corpus(corpus_id):
    corpus = Corpus.query.get_or_404(corpus_id)
    corpus_follower_roles = CorpusFollowerRole.query.all()
@@ -77,7 +74,6 @@ def corpus(corpus_id):

@bp.route('/<hashid:corpus_id>/analyse')
@register_breadcrumb(bp, '.entity.analyse', 'Analyse', endpoint_arguments_constructor=corpus_eac)
-@login_required
@corpus_follower_permission_required('VIEW')
 def analyse_corpus(corpus_id):
    corpus = Corpus.query.get_or_404(corpus_id)
@@ -89,7 +85,6 @@ def analyse_corpus(corpus_id):


@bp.route('/<hashid:corpus_id>/follow/<token>')
-@login_required
 def follow_corpus(corpus_id, token):
    corpus = Corpus.query.get_or_404(corpus_id)
    if current_user.follow_corpus_by_token(token):
@@ -101,13 +96,11 @@ def follow_corpus(corpus_id, token):

@bp.route('/import', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.import', 'Import')
-@login_required
 def import_corpus():
    abort(503)


@bp.route('/<hashid:corpus_id>/export')
@register_breadcrumb(bp, '.entity.export', 'Export', endpoint_arguments_constructor=corpus_eac)
-@login_required
 def export_corpus(corpus_id):
    abort(503)