Skip to content

Auth-wrap POST /rest/v1/cre_csv_import (deprecate anonymous MyOpenCRE import) #966

Description

@northdpole

Context

RFC #876 adds authenticated MyOpenCRE upload at POST /rest/v2/myopencre/upload. Today, POST /rest/v1/cre_csv_import is public (no auth) and writes directly into the shared graph via myopencre_parser — intended for local/self-hosted use.

Maintainer decision: cre_csv_import must be auth-wrapped for online deployment. Anonymous CSV import into the shared CRE graph is not acceptable on opencre.org.

Requirements

  • Add @login_required (or equivalent post-RFC TODO 1 session check) to POST /rest/v1/cre_csv_import
  • Return 401/302 for anonymous requests (consistent with auth route migration — see auth /rest/v1/auth/* issue)
  • Document that v1 import remains for authenticated admin/contributor use; per-user mapping flow is /rest/v2/myopencre/upload (RFC TODO 4)
  • Frontend MyOpenCRE page: if using v1 import path today, switch to v2 upload when available or require login for v1
  • Consider gating behind CRE_ALLOW_IMPORT and/or capabilities.myopencre in addition to login
  • Update tests in web_main_test.py / MyOpenCRE frontend tests

Migration notes

  • Local dev with NO_LOGIN=1 should continue to work for contributor workflows
  • GET /rest/v1/cre_csv template download may stay public (read-only) — confirm during implementation

Related

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions