Fix some privacy issues

app/jobs/__init__.py

@@ -1,5 +1,18 @@
 from flask import Blueprint
+from flask_login import login_required
 
 
 bp = Blueprint('jobs', __name__)
+
+
+@bp.before_request
+@login_required
+def before_request():
+    '''
+    Ensures that the routes in this package can only be visited by users that
+    are logged in.
+    '''
+    pass
+
+
 from . import routes, json_routes

app/jobs/json_routes.py

@@ -1,5 +1,5 @@
 from flask import abort, current_app
-from flask_login import current_user, login_required
+from flask_login import current_user
 from threading import Thread
 import os
 from app import db
@@ -9,7 +9,6 @@ from . import bp
 
 
 @bp.route('/<hashid:job_id>', methods=['DELETE'])
-@login_required
 @content_negotiation(produces='application/json')
 def delete_job(job_id):
     def _delete_job(app, job_id):
@@ -33,7 +32,6 @@ def delete_job(job_id):
 
 
 @bp.route('/<hashid:job_id>/log')
-@login_required
 @admin_required
 @content_negotiation(produces='application/json')
 def job_log(job_id):
@@ -51,7 +49,6 @@ def job_log(job_id):
 
 
 @bp.route('/<hashid:job_id>/restart', methods=['POST'])
-@login_required
 @content_negotiation(produces='application/json')
 def restart_job(job_id):
     def _restart_job(app, job_id):

app/jobs/routes.py

@@ -6,7 +6,7 @@ from flask import (
     url_for
 )
 from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
 import os
 from app.models import Job, JobInput, JobResult
 from . import bp
@@ -15,14 +15,12 @@ from .utils import job_dynamic_list_constructor as job_dlc
 
 @bp.route('')
 @register_breadcrumb(bp, '.', '<i class="nopaque-icons left">J</i>My Jobs')
-@login_required
 def corpora():
     return redirect(url_for('main.dashboard', _anchor='jobs'))
 
 
 @bp.route('/<hashid:job_id>')
 @register_breadcrumb(bp, '.entity', '', dynamic_list_constructor=job_dlc)
-@login_required
 def job(job_id):
     job = Job.query.get_or_404(job_id)
     if not (job.user == current_user or current_user.is_administrator()):
@@ -35,11 +33,8 @@ def job(job_id):
 
 
 @bp.route('/<hashid:job_id>/inputs/<hashid:job_input_id>/download')
-@login_required
 def download_job_input(job_id, job_input_id):
-    job_input = JobInput.query.get_or_404(job_input_id)
-    if job_input.job.id != job_id:
-        abort(404)
+    job_input = JobInput.query.filter_by(job_id=job_id, id=job_input_id).first_or_404()
     if not (job_input.job.user == current_user or current_user.is_administrator()):
         abort(403)
     return send_from_directory(
@@ -52,11 +47,8 @@ def download_job_input(job_id, job_input_id):
 
 
 @bp.route('/<hashid:job_id>/results/<hashid:job_result_id>/download')
-@login_required
 def download_job_result(job_id, job_result_id):
-    job_result = JobResult.query.get_or_404(job_result_id)
-    if job_result.job.id != job_id:
-        abort(404)
+    job_result = JobResult.query.filter_by(job_id=job_id, id=job_result_id).first_or_404()
     if not (job_result.job.user == current_user or current_user.is_administrator()):
         abort(403)
     return send_from_directory(