From 1c0d26d0f9b19cd4304ff44c8aed57e32133dbf4 Mon Sep 17 00:00:00 2001 From: Benjamin Moody Date: Mon, 6 May 2024 11:11:29 -0400 Subject: [PATCH 1/7] new_project_version: handle nonexistent project slug. --- physionet-django/project/views.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/physionet-django/project/views.py b/physionet-django/project/views.py index a347062b5..d9d933636 100644 --- a/physionet-django/project/views.py +++ b/physionet-django/project/views.py @@ -367,6 +367,8 @@ def new_project_version(request, project_slug): previous_projects = PublishedProject.objects.filter( slug=project_slug).order_by('-version_order') latest_project = previous_projects.first() + if latest_project is None: + raise Http404() # Only submitting author can make new. Also can only have one new version # of this project out at a time. From b24d540643457f6e9df2ae4ec97faf4b15026f6d Mon Sep 17 00:00:00 2001 From: Benjamin Moody Date: Mon, 6 May 2024 11:13:48 -0400 Subject: [PATCH 2/7] edit_affiliation: return 404 for missing query parameter. --- physionet-django/project/views.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/physionet-django/project/views.py b/physionet-django/project/views.py index d9d933636..21e4a7524 100644 --- a/physionet-django/project/views.py +++ b/physionet-django/project/views.py @@ -538,6 +538,8 @@ def edit_affiliation(request, project_slug, **kwargs): affiliation.delete() else: raise Http404() + else: + raise Http404() AffiliationFormSet = inlineformset_factory(parent_model=Author, model=Affiliation, fields=('name',), extra=extra_forms, From 3f1128e37b4d107ab7649c190deaef77b6fe5691 Mon Sep 17 00:00:00 2001 From: Benjamin Moody Date: Mon, 6 May 2024 11:17:43 -0400 Subject: [PATCH 3/7] edit_content_item: return 404 for missing/invalid query parameters. --- physionet-django/project/views.py | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) 
diff --git a/physionet-django/project/views.py b/physionet-django/project/views.py index 21e4a7524..506bac4e3 100644 --- a/physionet-django/project/views.py +++ b/physionet-django/project/views.py @@ -705,16 +705,24 @@ def edit_content_item(request, project_slug): # Reload the formset with the first empty form if request.method == 'GET' and 'add_first' in request.GET: - item = request.GET['item'] - model = model_dict[item] + try: + item = request.GET['item'] + model = model_dict[item] + except KeyError: + raise Http404() extra_forms = 1 # Remove an object elif request.method == 'POST' and 'remove_id' in request.POST: - item = request.POST['item'] - model = model_dict[item] + try: + item = request.POST['item'] + model = model_dict[item] + item_id = int(request.POST['remove_id']) + except (KeyError, ValueError): + raise Http404() extra_forms = 0 - item_id = int(request.POST['remove_id']) model.objects.filter(id=item_id).delete() + else: + raise Http404() # Create the formset if is_generic_relation[item]: From 183740efdf5c1074e2cbb1361fdbca4c6a4d2940 Mon Sep 17 00:00:00 2001 From: Benjamin Moody Date: Mon, 6 May 2024 11:18:10 -0400 Subject: [PATCH 4/7] project_files_panel: return 404 for missing query parameter. --- physionet-django/project/views.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/physionet-django/project/views.py b/physionet-django/project/views.py index 506bac4e3..658f5bbb3 100644 --- a/physionet-django/project/views.py +++ b/physionet-django/project/views.py @@ -982,7 +982,10 @@ def project_files_panel(request, project_slug, **kwargs): """ project, is_submitting = (kwargs[k] for k in ('project', 'is_submitting')) is_editor = request.user == project.editor - subdir = request.GET['subdir'] + try: + subdir = request.GET['subdir'] + except KeyError: + raise Http404() if is_submitting and project.author_editable(): files_editable = True From 5001b8fb222fd28f607b6921966dfe393ce14082 Mon Sep 17 00:00:00 2001 
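Review bot: The remove branch still deletes by primary key alone, `model.objects.filter(id=item_id).delete()`, so once `remove_id` passes the new `(KeyError, ValueError)` guard the row is deleted without any check that it belongs to the project being edited; the same shape appears in edit_ethics (`UploadedDocument.objects.get(id=int(request.POST['remove_id'])).delete()`). Unless `item_id` is tied to `project_slug` somewhere outside the hunk, the filter should also constrain the row's project relation (the field differs per model; the later `is_generic_relation[item]` check suggests some are attached through a generic relation), and a non-matching id should answer 404 rather than the silent no-op that `filter().delete()` gives today. A smaller point: `raise Http404()` inside `except` keeps the KeyError/ValueError as `__context__`; `raise Http404() from None` limits the traceback to the 404. edit_content_item's body continues past the hunk.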
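Review bot: The four-line `try`/`except KeyError` around a single lookup reads more directly as `subdir = request.GET.get('subdir')` followed by `if subdir is None: raise Http404()`; the identical block is added to preview_files_panel in the next patch. Either form only handles absence: `subdir` is request-controlled and, as the preview_files_panel hunk shows, is passed straight to `get_project_file_info(project=project, subdir=subdir)`, so that helper is presumably where path normalisation and containment within the project directory happen — worth confirming, since nothing in these hunks does it. project_files_panel's body continues outside the hunk.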
From: Benjamin Moody Date: Mon, 6 May 2024 11:18:28 -0400 Subject: [PATCH 5/7] preview_files_panel: return 404 for missing query parameter. --- physionet-django/project/views.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/physionet-django/project/views.py b/physionet-django/project/views.py index 658f5bbb3..d7d5b806f 100644 --- a/physionet-django/project/views.py +++ b/physionet-django/project/views.py @@ -1213,7 +1213,10 @@ def preview_files_panel(request, project_slug, **kwargs): manipulate them. Called via ajax to navigate directories. """ project = kwargs['project'] - subdir = request.GET['subdir'] + try: + subdir = request.GET['subdir'] + except KeyError: + raise Http404() (display_files, display_dirs, dir_breadcrumbs, parent_dir, file_error) = get_project_file_info(project=project, subdir=subdir) From fb9f581a84400e82d828327695b02408aee0fd53 Mon Sep 17 00:00:00 2001 From: Benjamin Moody Date: Mon, 6 May 2024 11:18:43 -0400 Subject: [PATCH 6/7] edit_ethics: return 404 for missing query parameter. --- physionet-django/project/views.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/physionet-django/project/views.py b/physionet-django/project/views.py index d7d5b806f..9a83ab4b0 100644 --- a/physionet-django/project/views.py +++ b/physionet-django/project/views.py @@ -1518,6 +1518,8 @@ def edit_ethics(request, project_slug, **kwargs): elif request.method == 'POST' and 'remove_id' in request.POST: extra_forms = 0 UploadedDocument.objects.get(id=int(request.POST['remove_id'])).delete() + else: + raise Http404() UploadedSupportingDocumentFormSet = generic_inlineformset_factory( UploadedDocument, From 61cdd59794cc66e58aeef7e6faac7ab21a86ad31 Mon Sep 17 00:00:00 2001 
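Review bot: The POST branch in the context above the new `else` still lets a malformed or unknown `remove_id` escape as a 500: `int(request.POST['remove_id'])` raises ValueError and `UploadedDocument.objects.get(...)` raises `UploadedDocument.DoesNotExist`, and neither is caught, whereas edit_content_item in this same series maps the equivalent failures to 404. Wrapping both in one `try`, as below, makes edit_ethics answer 404 consistently with the rest of the series. edit_ethics's if-chain starts outside the hunk.
```python
    elif request.method == 'POST' and 'remove_id' in request.POST:
        extra_forms = 0
        try:
            document = UploadedDocument.objects.get(id=int(request.POST['remove_id']))
        except (ValueError, UploadedDocument.DoesNotExist):
            raise Http404()
        document.delete()
    else:
        raise Http404()
    # … unchanged: formset construction …
```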
From: Benjamin Moody Date: Mon, 6 May 2024 11:29:39 -0400 Subject: [PATCH 7/7] project/urls.py: add parameters for TestURLs. Several views in this app have mandatory query parameters - these views are accessed only by JavaScript, and return an HTML fragment rather than a complete page. A couple of views are not yet tested because the demo database does not contain any UploadedDocument objects or any DataAccess objects. This should be fixed. --- physionet-django/project/urls.py | 57 +++++++++++++++++++++++++++++--- 1 file changed, 52 insertions(+), 5 deletions(-) diff --git a/physionet-django/project/urls.py b/physionet-django/project/urls.py index c51b814aa..0b89ee24d 100644 --- a/physionet-django/project/urls.py +++ b/physionet-django/project/urls.py 
@@ -95,10 +95,57 @@ ), ] +# Parameters for testing URLs (see physionet/test_urls.py) +TEST_DEFAULTS = { + '_user_': 'rgmark', + 'project_slug': 'T108xFtYkRAxiRiuOLEJ', + 'subdir': 'notes', + 'file_name': 'notes/notes.txt', + 'full_file_name': 'notes/notes.txt', +} TEST_CASES = { - 'project_files': { - '_user_': 'rgmark', - 'project_slug': 'T108xFtYkRAxiRiuOLEJ', - 'subdir': 'notes', - } + 'new_project_version': { + 'project_slug': 'demoeicu', + }, + 'archived_submission_history': { + '_user_': 'admin', + 'project_slug': 't2ASGLbIBoWaTJvPrM2A', + }, + 'published_submission_history': { + 'project_slug': 'demoeicu', + 'version': '2.0.0', + }, + 'edit_affiliation': { + '_query_': {'add_first': 1}, + }, + 'edit_content_item': [ + {'_query_': {'add_first': 1, 'item': 'reference'}}, + {'_query_': {'add_first': 1, 'item': 'publication'}}, + {'_query_': {'add_first': 1, 'item': 'topic'}}, + ], + 'edit_ethics': { + '_query_': {'add_first': 1}, + }, + 'project_files_panel': { + '_query_': {'subdir': 'notes'}, + }, + 'preview_files_panel': { + '_query_': {'subdir': 'notes'}, + }, + 'serve_document': { + # missing UploadedDocument in demo + '_skip_': True, + 'file_name': 'Ethics_Approval_57e9ba85-eb58-4da5-a86f-2b653ba17cf4.pdf', + }, + 'published_project_request_access': { + # missing DataAccess in demo + '_skip_': True, + 'project_slug': 'demoeicu', + 'version': '2.0.0', + 'access_type': '3', + }, + + # these views accept only POST + 'generate_signed_url': {'_skip_': True}, + 'move_author': {'_skip_': True}, }
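Review bot: The two `_skip_: True` entries explain the gap (`# missing UploadedDocument in demo`, `# missing DataAccess in demo`) but not that it is meant to be closed, which the commit message says it should be; rewording them as `# TODO: add an UploadedDocument to the demo database, then drop _skip_` (and likewise for DataAccess) keeps the skip from quietly becoming permanent. `'access_type': '3'` is an opaque literal — a trailing comment naming the access type it denotes would save the next reader a lookup. The `# these views accept only POST` comment implies the harness only issues GET; if TestURLs can specify a request method, exercising these two views instead of skipping them would be preferable, otherwise a TODO there as well.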