Fix some privacy issues

2025-11-04 04:12:45 +00:00 · 2023-04-11 11:46:33 +02:00
parent 77fc8a42f1
commit 3a2295487c
27 changed files with 102 additions and 79 deletions
--- a/app/contributions/init.py
+++ b/app/contributions/init.py
@@ -1,7 +1,20 @@
 from flask import Blueprint
 from flask_login import login_required
 bp = Blueprint('contributions', __name__)
@bp.before_request
@login_required
 def before_request():
    '''
    Ensures that the routes in this package can only be visited by users that
    are logged in.
    '''
    pass
 from . import routes
 from . import spacy_nlp_pipeline_models
 from . import tesseract_ocr_pipeline_models
--- a/app/contributions/routes.py
+++ b/app/contributions/routes.py
@@ -1,11 +1,9 @@
 from flask import redirect, url_for
 from flask_breadcrumbs import register_breadcrumb
 from flask_login import login_required
 from . import bp
@bp.route('')
@register_breadcrumb(bp, '.', '<i class="material-icons left">new_label</i>My Contributions')
@login_required
 def contributions():
    return redirect(url_for('main.dashboard', _anchor='contributions'))
--- a/app/contributions/spacy_nlp_pipeline_models/json_routes.py
+++ b/app/contributions/spacy_nlp_pipeline_models/json_routes.py
@@ -1,5 +1,5 @@
 from flask import abort, current_app, request
-from flask_login import login_required, current_user
+from flask_login import current_user
 from threading import Thread
 from app import db
 from app.decorators import content_negotiation, permission_required
@@ -8,7 +8,6 @@ from .. import bp
@bp.route('/spacy-nlp-pipeline-models/<hashid:spacy_nlp_pipeline_model_id>', methods=['DELETE'])
@login_required
@content_negotiation(produces='application/json')
 def delete_spacy_model(spacy_nlp_pipeline_model_id):
    def _delete_spacy_model(app, spacy_nlp_pipeline_model_id):
@@ -33,7 +32,6 @@ def delete_spacy_model(spacy_nlp_pipeline_model_id):
@bp.route('/spacy-nlp-pipeline-models/<hashid:spacy_nlp_pipeline_model_id>/is_public', methods=['PUT'])
@login_required
@permission_required('CONTRIBUTE')
@content_negotiation(consumes='application/json', produces='application/json')
 def update_spacy_nlp_pipeline_model_is_public(spacy_nlp_pipeline_model_id):
--- a/app/contributions/spacy_nlp_pipeline_models/routes.py
+++ b/app/contributions/spacy_nlp_pipeline_models/routes.py
@@ -1,6 +1,6 @@
 from flask import abort, flash, redirect, render_template, url_for
 from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
 from app import db
 from app.models import SpaCyNLPPipelineModel
 from . import bp
@@ -15,7 +15,6 @@ from .utils import (
@bp.route('/spacy-nlp-pipeline-models')
@register_breadcrumb(bp, '.spacy_nlp_pipeline_models', 'SpaCy NLP Pipeline Models')
@login_required
 def spacy_nlp_pipeline_models():
    return render_template(
        'contributions/spacy_nlp_pipeline_models/spacy_nlp_pipeline_models.html.j2',
@@ -25,7 +24,6 @@ def spacy_nlp_pipeline_models():
@bp.route('/spacy-nlp-pipeline-models/create', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.spacy_nlp_pipeline_models.create', 'Create')
@login_required
 def create_spacy_nlp_pipeline_model():
    form = CreateSpaCyNLPPipelineModelForm()
    if form.is_submitted():
@@ -60,9 +58,10 @@ def create_spacy_nlp_pipeline_model():
@bp.route('/spacy-nlp-pipeline-models/<hashid:spacy_nlp_pipeline_model_id>', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.spacy_nlp_pipeline_models.entity', '', dynamic_list_constructor=spacy_nlp_pipeline_model_dlc)
@login_required
 def spacy_nlp_pipeline_model(spacy_nlp_pipeline_model_id):
    snpm = SpaCyNLPPipelineModel.query.get_or_404(spacy_nlp_pipeline_model_id)
    if not (snpm.user == current_user or current_user.is_administrator()):
        abort(403)
    form = UpdateSpaCyNLPPipelineModelForm(data=snpm.to_json_serializeable())
    if form.validate_on_submit():
        form.populate_obj(snpm)
--- a/app/contributions/tesseract_ocr_pipeline_models/json_routes.py
+++ b/app/contributions/tesseract_ocr_pipeline_models/json_routes.py
@@ -1,5 +1,5 @@
 from flask import abort, current_app, request
-from flask_login import login_required, current_user
+from flask_login import current_user
 from threading import Thread
 from app import db
 from app.decorators import content_negotiation, permission_required
@@ -8,7 +8,6 @@ from . import bp
@bp.route('/tesseract-ocr-pipeline-models/<hashid:tesseract_ocr_pipeline_model_id>', methods=['DELETE'])
@login_required
@content_negotiation(produces='application/json')
 def delete_tesseract_model(tesseract_ocr_pipeline_model_id):
    def _delete_tesseract_ocr_pipeline_model(app, tesseract_ocr_pipeline_model_id):
@@ -33,7 +32,6 @@ def delete_tesseract_model(tesseract_ocr_pipeline_model_id):
@bp.route('/tesseract-ocr-pipeline-models/<hashid:tesseract_ocr_pipeline_model_id>/is_public', methods=['PUT'])
@login_required
@permission_required('CONTRIBUTE')
@content_negotiation(consumes='application/json', produces='application/json')
 def update_tesseract_ocr_pipeline_model_is_public(tesseract_ocr_pipeline_model_id):
--- a/app/contributions/tesseract_ocr_pipeline_models/routes.py
+++ b/app/contributions/tesseract_ocr_pipeline_models/routes.py
@@ -1,6 +1,6 @@
-from flask import abort, flash, redirect, render_template, request, url_for
+from flask import abort, flash, redirect, render_template, url_for
 from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
 from app import db
 from app.models import TesseractOCRPipelineModel
 from . import bp
@@ -15,7 +15,6 @@ from .utils import (
@bp.route('/tesseract-ocr-pipeline-models')
@register_breadcrumb(bp, '.tesseract_ocr_pipeline_models', 'Tesseract OCR Pipeline Models')
@login_required
 def tesseract_ocr_pipeline_models():
    return render_template(
        'contributions/tesseract_ocr_pipeline_models/tesseract_ocr_pipeline_models.html.j2',
@@ -25,7 +24,6 @@ def tesseract_ocr_pipeline_models():
@bp.route('/tesseract-ocr-pipeline-models/create', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.tesseract_ocr_pipeline_models.create', 'Create')
@login_required
 def create_tesseract_ocr_pipeline_model():
    form = CreateTesseractOCRPipelineModelForm()
    if form.is_submitted():
@@ -59,9 +57,10 @@ def create_tesseract_ocr_pipeline_model():
@bp.route('/tesseract-ocr-pipeline-models/<hashid:tesseract_ocr_pipeline_model_id>', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.tesseract_ocr_pipeline_models.entity', '', dynamic_list_constructor=tesseract_ocr_pipeline_model_dlc)
@login_required
 def tesseract_ocr_pipeline_model(tesseract_ocr_pipeline_model_id):
    topm = TesseractOCRPipelineModel.query.get_or_404(tesseract_ocr_pipeline_model_id)
    if not (topm.user == current_user or current_user.is_administrator()):
        abort(403)
    form = UpdateTesseractOCRPipelineModelForm(data=topm.to_json_serializeable())
    if form.validate_on_submit():
        form.populate_obj(topm)
--- a/app/contributions/transkribus_htr_pipeline_models/routes.py
+++ b/app/contributions/transkribus_htr_pipeline_models/routes.py
@@ -1,9 +1,7 @@
 from flask import abort
 from flask_login import login_required
 from . import bp
@bp.route('/transkribus_htr_pipeline_models')
@login_required
 def transkribus_htr_pipeline_models():
    return abort(503)
--- a/app/corpora/init.py
+++ b/app/corpora/init.py
@@ -1,7 +1,20 @@
 from flask import Blueprint
 from flask_login import login_required
 bp = Blueprint('corpora', __name__)
@bp.before_request
@login_required
 def before_request():
    '''
    Ensures that the routes in this package can only be visited by users that
    are logged in.
    '''
    pass
 from . import cqi_over_socketio, routes, json_routes
 from . import files
 from . import followers
--- a/app/corpora/files/json_routes.py
+++ b/app/corpora/files/json_routes.py
@@ -1,5 +1,4 @@
 from flask import current_app, jsonify
 from flask_login import login_required
 from threading import Thread
 from app import db
 from app.decorators import content_negotiation
@@ -9,7 +8,6 @@ from . import bp
@bp.route('/<hashid:corpus_id>/files/<hashid:corpus_file_id>', methods=['DELETE'])
@login_required
@corpus_follower_permission_required('REMOVE_CORPUS_FILE')
@content_negotiation(produces='application/json')
 def delete_corpus_file(corpus_id, corpus_file_id):
--- a/app/corpora/files/routes.py
+++ b/app/corpora/files/routes.py
@@ -7,7 +7,6 @@ from flask import (
    url_for
 )
 from flask_breadcrumbs import register_breadcrumb
 from flask_login import login_required
 import os
 from app import db
 from app.models import Corpus, CorpusFile, CorpusStatus
@@ -22,14 +21,12 @@ from .utils import (
@bp.route('/<hashid:corpus_id>/files')
@register_breadcrumb(bp, '.entity.files', 'Files', endpoint_arguments_constructor=corpus_eac)
@login_required
 def corpus_files(corpus_id):
    return redirect(url_for('.corpus', _anchor='files', corpus_id=corpus_id))
@bp.route('/<hashid:corpus_id>/files/create', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.entity.files.create', 'Create', endpoint_arguments_constructor=corpus_eac)
@login_required
@corpus_follower_permission_required('ADD_CORPUS_FILE')
 def create_corpus_file(corpus_id):
    corpus = Corpus.query.get_or_404(corpus_id)
@@ -72,7 +69,6 @@ def create_corpus_file(corpus_id):
@bp.route('/<hashid:corpus_id>/files/<hashid:corpus_file_id>', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.entity.files.entity', '', dynamic_list_constructor=corpus_file_dlc)
@login_required
@corpus_follower_permission_required('UPDATE_CORPUS_FILE')
 def corpus_file(corpus_id, corpus_file_id):
    corpus_file = CorpusFile.query.filter_by(corpus_id=corpus_id, id=corpus_file_id).first_or_404()
@@ -94,7 +90,6 @@ def corpus_file(corpus_id, corpus_file_id):
@bp.route('/<hashid:corpus_id>/files/<hashid:corpus_file_id>/download')
@login_required
@corpus_follower_permission_required('VIEW')
 def download_corpus_file(corpus_id, corpus_file_id):
    corpus_file = CorpusFile.query.filter_by(corpus_id=corpus_id, id=corpus_file_id).first_or_404()
--- a/app/corpora/followers/json_routes.py
+++ b/app/corpora/followers/json_routes.py
@@ -1,5 +1,5 @@
 from flask import abort, jsonify, request
-from flask_login import current_user, login_required
+from flask_login import current_user
 from app import db
 from app.decorators import content_negotiation
 from app.models import (
@@ -13,7 +13,6 @@ from . import bp
@bp.route('/<hashid:corpus_id>/followers', methods=['POST'])
@login_required
@corpus_owner_or_admin_required
@content_negotiation(consumes='application/json', produces='application/json')
 def create_corpus_followers(corpus_id):
@@ -35,7 +34,6 @@ def create_corpus_followers(corpus_id):
@bp.route('/<hashid:corpus_id>/followers/<hashid:follower_id>/role', methods=['PUT'])
@login_required
@corpus_owner_or_admin_required
@content_negotiation(consumes='application/json', produces='application/json')
 def update_corpus_follower_role(corpus_id, follower_id):
@@ -58,7 +56,6 @@ def update_corpus_follower_role(corpus_id, follower_id):
@bp.route('/<hashid:corpus_id>/followers/<hashid:follower_id>', methods=['DELETE'])
@login_required
@content_negotiation(produces='application/json')
 def delete_corpus_follower(corpus_id, follower_id):
    corpus = Corpus.query.get_or_404(corpus_id)
--- a/app/corpora/json_routes.py
+++ b/app/corpora/json_routes.py
@@ -6,7 +6,7 @@ from flask import (
    request,
    url_for
 )
-from flask_login import current_user, login_required
+from flask_login import current_user
 from threading import Thread
 from .decorators import corpus_follower_permission_required, corpus_owner_or_admin_required
 from app import db, hashids
@@ -16,7 +16,6 @@ from . import bp
@bp.route('/<hashid:corpus_id>', methods=['DELETE'])
@login_required
@corpus_owner_or_admin_required
@content_negotiation(produces='application/json')
 def delete_corpus(corpus_id):
@@ -42,7 +41,6 @@ def delete_corpus(corpus_id):
@bp.route('/<hashid:corpus_id>/build', methods=['POST'])
@login_required
@corpus_owner_or_admin_required
@content_negotiation(produces='application/json')
 def build_corpus(corpus_id):
@@ -71,7 +69,6 @@ def build_corpus(corpus_id):
@bp.route('/<hashid:corpus_id>/generate-share-link', methods=['POST'])
@login_required
@corpus_follower_permission_required('GENERATE_SHARE_LINK')
@content_negotiation(consumes='application/json', produces='application/json')
 def generate_corpus_share_link(corpus_id):
@@ -108,7 +105,6 @@ def generate_corpus_share_link(corpus_id):
@bp.route('/<hashid:corpus_id>/is_public', methods=['PUT'])
@login_required
@corpus_owner_or_admin_required
@content_negotiation(consumes='application/json', produces='application/json')
 def update_corpus_is_public(corpus_id):
--- a/app/corpora/routes.py
+++ b/app/corpora/routes.py
@@ -1,6 +1,6 @@
 from flask import abort, flash, redirect, render_template, url_for
 from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
 from .decorators import corpus_follower_permission_required
 from app import db
 from app.models import (
@@ -19,14 +19,12 @@ from .utils import (
@bp.route('')
@register_breadcrumb(bp, '.', '<i class="nopaque-icons left">I</i>My Corpora')
@login_required
 def corpora():
    return redirect(url_for('main.dashboard', _anchor='corpora'))
@bp.route('/create', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.create', 'Create')
@login_required
 def create_corpus():
    form = CreateCorpusForm()
    if form.validate_on_submit():
@@ -50,7 +48,6 @@ def create_corpus():
@bp.route('/<hashid:corpus_id>')
@register_breadcrumb(bp, '.entity', '', dynamic_list_constructor=corpus_dlc)
@login_required
 def corpus(corpus_id):
    corpus = Corpus.query.get_or_404(corpus_id)
    corpus_follower_roles = CorpusFollowerRole.query.all()
@@ -77,7 +74,6 @@ def corpus(corpus_id):
@bp.route('/<hashid:corpus_id>/analyse')
@register_breadcrumb(bp, '.entity.analyse', 'Analyse', endpoint_arguments_constructor=corpus_eac)
@login_required
@corpus_follower_permission_required('VIEW')
 def analyse_corpus(corpus_id):
    corpus = Corpus.query.get_or_404(corpus_id)
@@ -89,7 +85,6 @@ def analyse_corpus(corpus_id):
@bp.route('/<hashid:corpus_id>/follow/<token>')
@login_required
 def follow_corpus(corpus_id, token):
    corpus = Corpus.query.get_or_404(corpus_id)
    if current_user.follow_corpus_by_token(token):
@@ -101,13 +96,11 @@ def follow_corpus(corpus_id, token):
@bp.route('/import', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.import', 'Import')
@login_required
 def import_corpus():
    abort(503)
@bp.route('/<hashid:corpus_id>/export')
@register_breadcrumb(bp, '.entity.export', 'Export', endpoint_arguments_constructor=corpus_eac)
@login_required
 def export_corpus(corpus_id):
    abort(503)
--- a/app/jobs/init.py
+++ b/app/jobs/init.py
@@ -1,5 +1,18 @@
 from flask import Blueprint
 from flask_login import login_required
 bp = Blueprint('jobs', __name__)
@bp.before_request
@login_required
 def before_request():
    '''
    Ensures that the routes in this package can only be visited by users that
    are logged in.
    '''
    pass
 from . import routes, json_routes
--- a/app/jobs/json_routes.py
+++ b/app/jobs/json_routes.py
@@ -1,5 +1,5 @@
 from flask import abort, current_app
-from flask_login import current_user, login_required
+from flask_login import current_user
 from threading import Thread
 import os
 from app import db
@@ -9,7 +9,6 @@ from . import bp
@bp.route('/<hashid:job_id>', methods=['DELETE'])
@login_required
@content_negotiation(produces='application/json')
 def delete_job(job_id):
    def _delete_job(app, job_id):
@@ -33,7 +32,6 @@ def delete_job(job_id):
@bp.route('/<hashid:job_id>/log')
@login_required
@admin_required
@content_negotiation(produces='application/json')
 def job_log(job_id):
@@ -51,7 +49,6 @@ def job_log(job_id):
@bp.route('/<hashid:job_id>/restart', methods=['POST'])
@login_required
@content_negotiation(produces='application/json')
 def restart_job(job_id):
    def _restart_job(app, job_id):
--- a/app/jobs/routes.py
+++ b/app/jobs/routes.py
@@ -6,7 +6,7 @@ from flask import (
    url_for
 )
 from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
 import os
 from app.models import Job, JobInput, JobResult
 from . import bp
@@ -15,14 +15,12 @@ from .utils import job_dynamic_list_constructor as job_dlc
@bp.route('')
@register_breadcrumb(bp, '.', '<i class="nopaque-icons left">J</i>My Jobs')
@login_required
 def corpora():
    return redirect(url_for('main.dashboard', _anchor='jobs'))
@bp.route('/<hashid:job_id>')
@register_breadcrumb(bp, '.entity', '', dynamic_list_constructor=job_dlc)
@login_required
 def job(job_id):
    job = Job.query.get_or_404(job_id)
    if not (job.user == current_user or current_user.is_administrator()):
@@ -35,11 +33,8 @@ def job(job_id):
@bp.route('/<hashid:job_id>/inputs/<hashid:job_input_id>/download')
@login_required
 def download_job_input(job_id, job_input_id):
-    job_input = JobInput.query.get_or_404(job_input_id)
+    job_input = JobInput.query.filter_by(job_id=job_id, id=job_input_id).first_or_404()
    if job_input.job.id != job_id:
        abort(404)
    if not (job_input.job.user == current_user or current_user.is_administrator()):
        abort(403)
    return send_from_directory(
@@ -52,11 +47,8 @@ def download_job_input(job_id, job_input_id):
@bp.route('/<hashid:job_id>/results/<hashid:job_result_id>/download')
@login_required
 def download_job_result(job_id, job_result_id):
-    job_result = JobResult.query.get_or_404(job_result_id)
+    job_result = JobResult.query.filter_by(job_id=job_id, id=job_result_id).first_or_404()
    if job_result.job.id != job_id:
        abort(404)
    if not (job_result.job.user == current_user or current_user.is_administrator()):
        abort(403)
    return send_from_directory(
--- a/app/main/routes.py
+++ b/app/main/routes.py
@@ -79,6 +79,7 @@ def terms_of_use():
@bp.route('/social-area')
@register_breadcrumb(bp, '.social_area', '<i class="material-icons left">group</i>Social Area')
@login_required
 def social_area():
    # corpora = [
    #     c.to_json_serializeable() for c
--- a/app/models.py
+++ b/app/models.py
@@ -693,7 +693,7 @@ class User(HashidMixin, UserMixin, db.Model):
            db.session.commit()
    def can(self, permission):
-        return self.role.has_permission(permission)
+        return self.role is not None and self.role.has_permission(permission)
    def confirm(self, confirmation_token):
        try:
--- a/app/services/init.py
+++ b/app/services/init.py
@@ -9,4 +9,16 @@ with open(services_file, 'r') as f:
    SERVICES = yaml.safe_load(f)
 bp = Blueprint('services', __name__)
@bp.before_request
@login_required
 def before_request():
    '''
    Ensures that the routes in this package can only be visited by users that
    are logged in.
    '''
    pass
 from . import routes  # noqa
--- a/app/services/routes.py
+++ b/app/services/routes.py
@@ -1,6 +1,6 @@
 from flask import abort, current_app, flash, Markup, redirect, render_template, request, url_for
 from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
 import requests
 from app import db, hashids
 from app.models import (
@@ -21,14 +21,12 @@ from .forms import (
@bp.route('/services')
@register_breadcrumb(bp, '.', 'Services')
@login_required
 def services():
    return redirect(url_for('main.dashboard'))
@bp.route('/file-setup-pipeline', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.file_setup_pipeline', '<i class="nopaque-icons service-icons left" data-service="file-setup-pipeline"></i>File Setup')
@login_required
 def file_setup_pipeline():
    service = 'file-setup-pipeline'
    service_manifest = SERVICES[service]
@@ -70,7 +68,6 @@ def file_setup_pipeline():
@bp.route('/tesseract-ocr-pipeline', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.tesseract_ocr_pipeline', '<i class="nopaque-icons service-icons left" data-service="tesseract-ocr-pipeline"></i>Tesseract OCR Pipeline')
@login_required
 def tesseract_ocr_pipeline():
    service_name = 'tesseract-ocr-pipeline'
    service_manifest = SERVICES[service_name]
@@ -120,7 +117,6 @@ def tesseract_ocr_pipeline():
@bp.route('/transkribus-htr-pipeline', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.transkribus_htr_pipeline', '<i class="nopaque-icons service-icons left" data-service="transkribus-htr-pipeline"></i>Transkribus HTR Pipeline')
@login_required
 def transkribus_htr_pipeline():
    if not current_app.config.get('NOPAQUE_TRANSKRIBUS_ENABLED'):
        abort(404)
@@ -179,7 +175,6 @@ def transkribus_htr_pipeline():
@bp.route('/spacy-nlp-pipeline', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.spacy_nlp_pipeline', '<i class="nopaque-icons service-icons left" data-service="spacy-nlp-pipeline"></i>SpaCy NLP Pipeline')
@login_required
 def spacy_nlp_pipeline():
    service = 'spacy-nlp-pipeline'
    service_manifest = SERVICES[service]
@@ -225,7 +220,6 @@ def spacy_nlp_pipeline():
@bp.route('/corpus-analysis')
@register_breadcrumb(bp, '.corpus_analysis', '<i class="nopaque-icons service-icons left" data-service="corpus-analysis"></i>Corpus Analysis')
@login_required
 def corpus_analysis():
    return render_template(
        'services/corpus_analysis.html.j2',
--- a/app/settings/init.py
+++ b/app/settings/init.py
@@ -2,4 +2,16 @@ from flask import Blueprint
 bp = Blueprint('settings', __name__)
@bp.before_request
@login_required
 def before_request():
    '''
    Ensures that the routes in this package can only be visited by users that
    are logged in.
    '''
    pass
 from . import routes
--- a/app/templates/admin/user.html.j2
+++ b/app/templates/admin/user.html.j2
@@ -17,7 +17,9 @@
        <span class="chip white-text" id="user-confirmed-chip" style="background-color: #f44336;">unconfirmed</span>
        {% endif %}
      </p>
-      <p>{{ user.about_me if user.about_me }}</p>
+      {% if user.about_me %}
      <p>{{ user.about_me }}</p>
      {% endif %}
    </div>
    <div class="col s12 hide-on-med-and-down">&nbsp;</div>
--- a/app/users/init.py
+++ b/app/users/init.py
@@ -2,5 +2,17 @@ from flask import Blueprint
 bp = Blueprint('users', __name__)
@bp.before_request
@login_required
 def before_request():
    '''
    Ensures that the routes in this package can only be visited by users that
    are logged in.
    '''
    pass
 from . import events, json_routes, routes
 from . import settings
--- a/app/users/json_routes.py
+++ b/app/users/json_routes.py
@@ -1,5 +1,5 @@
 from flask import abort, current_app
-from flask_login import current_user, login_required, logout_user
+from flask_login import current_user, logout_user
 from threading import Thread
 from app import db
 from app.decorators import content_negotiation
@@ -8,7 +8,6 @@ from . import bp
@bp.route('/<hashid:user_id>', methods=['DELETE'])
@login_required
@content_negotiation(produces='application/json')
 def delete_user(user_id):
    def _delete_user(app, user_id):
--- a/app/users/routes.py
+++ b/app/users/routes.py
@@ -6,23 +6,21 @@ from flask import (
    url_for
 )
 from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
 import os
-from app.models import Corpus, User
+from app.models import User
 from . import bp
 from .utils import user_dynamic_list_constructor as user_dlc
@bp.route('')
@register_breadcrumb(bp, '.', '<i class="material-icons left">group</i>Users')
@login_required
 def users():
    return redirect(url_for('main.social_area', _anchor='users'))
@bp.route('/<hashid:user_id>')
@register_breadcrumb(bp, '.entity', '', dynamic_list_constructor=user_dlc)
@login_required
 def user(user_id):
    user = User.query.get_or_404(user_id)
    if not (user.is_public or user == current_user or current_user.is_administrator()):
@@ -35,7 +33,6 @@ def user(user_id):
@bp.route('/<hashid:user_id>/avatar')
@login_required
 def user_avatar(user_id):
    user = User.query.get_or_404(user_id)
    if not (user.is_public or user == current_user or current_user.is_administrator()):
--- a/app/users/settings/json_routes.py
+++ b/app/users/settings/json_routes.py
@@ -1,5 +1,5 @@
 from flask import abort, request
-from flask_login import current_user, login_required
+from flask_login import current_user
 from app import db
 from app.decorators import content_negotiation
 from app.models import User, ProfilePrivacySettings
@@ -7,7 +7,6 @@ from . import bp
@bp.route('/<hashid:user_id>/settings/profile-privacy/is-public', methods=['PUT'])
@login_required
@content_negotiation(consumes='application/json', produces='application/json')
 def update_user_profile_privacy_setting_is_public(user_id):
    user = User.query.get_or_404(user_id)
@@ -26,7 +25,6 @@ def update_user_profile_privacy_setting_is_public(user_id):
@bp.route('/<hashid:user_id>/settings/profile-privacy/<string:profile_privacy_setting_name>', methods=['PUT'])
@login_required
@content_negotiation(consumes='application/json', produces='application/json')
 def update_user_profile_privacy_settings(user_id, profile_privacy_setting_name):
    user = User.query.get_or_404(user_id)
--- a/app/users/settings/routes.py
+++ b/app/users/settings/routes.py
@@ -1,6 +1,6 @@
 from flask import abort, flash, g, redirect, render_template, url_for
 from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
 from app import db
 from app.models import Avatar, User
 from ..utils import user_endpoint_arguments_constructor as user_eac
@@ -16,7 +16,6 @@ from .forms import (
@bp.route('/<hashid:user_id>/settings', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.entity.settings', '<i class="material-icons left">settings</i>Settings', endpoint_arguments_constructor=user_eac)
@login_required
 def settings(user_id):
    user = User.query.get_or_404(user_id)
    if not (user == current_user or current_user.is_administrator()):