Merge 3553276 into 43b98a3

askomics · May 4, 2021 · 6918e86 · 6918e86
2 parents 43b98a3 + 3553276
commit 6918e86
Show file tree

Hide file tree

Showing 19 changed files with 439 additions and 84 deletions.
diff --git a/askomics/api/admin.py b/askomics/api/admin.py
@@ -2,7 +2,7 @@
 import sys
 import traceback
 
-from askomics.api.auth import admin_required
+from askomics.api.auth import api_auth, admin_required
 from askomics.libaskomics.DatasetsHandler import DatasetsHandler
 from askomics.libaskomics.FilesHandler import FilesHandler
 from askomics.libaskomics.LocalAuth import LocalAuth
@@ -16,6 +16,7 @@
 
 
 @admin_bp.route('/api/admin/getusers', methods=['GET'])
+@api_auth
 @admin_required
 def get_users():
     """Get all users
@@ -46,6 +47,7 @@ def get_users():
 
 
 @admin_bp.route('/api/admin/getdatasets', methods=['GET'])
+@api_auth
 @admin_required
 def get_datasets():
     """Get all datasets
@@ -76,6 +78,7 @@ def get_datasets():
 
 
 @admin_bp.route('/api/admin/getfiles', methods=['GET'])
+@api_auth
 @admin_required
 def get_files():
     """Get all files info
@@ -107,6 +110,7 @@ def get_files():
 
 
 @admin_bp.route('/api/admin/getqueries', methods=['GET'])
+@api_auth
 @admin_required
 def get_queries():
     """Get all public queries
@@ -138,6 +142,7 @@ def get_queries():
 
 
 @admin_bp.route('/api/admin/setadmin', methods=['POST'])
+@api_auth
 @admin_required
 def set_admin():
     """change admin status of a user
@@ -167,6 +172,7 @@ def set_admin():
 
 
 @admin_bp.route('/api/admin/setquota', methods=["POST"])
+@api_auth
 @admin_required
 def set_quota():
     """Change quota of a user
@@ -200,6 +206,7 @@ def set_quota():
 
 
 @admin_bp.route('/api/admin/setblocked', methods=['POST'])
+@api_auth
 @admin_required
 def set_blocked():
     """Change blocked status of a user
@@ -229,6 +236,7 @@ def set_blocked():
 
 
 @admin_bp.route('/api/admin/publicize_dataset', methods=['POST'])
+@api_auth
 @admin_required
 def toogle_public_dataset():
     """Toggle public status of a dataset
@@ -269,6 +277,7 @@ def toogle_public_dataset():
 
 
 @admin_bp.route('/api/admin/publicize_query', methods=['POST'])
+@api_auth
 @admin_required
 def togle_public_query():
     """Publish a query template from a result
@@ -305,6 +314,7 @@ def togle_public_query():
 
 
 @admin_bp.route("/api/admin/adduser", methods=["POST"])
+@api_auth
 @admin_required
 def add_user():
     """Change blocked status of a user
@@ -360,6 +370,7 @@ def add_user():
 
 
 @admin_bp.route("/api/admin/delete_users", methods=["POST"])
+@api_auth
 @admin_required
 def delete_users():
     """Delete users data
@@ -411,6 +422,7 @@ def delete_users():
 
 
 @admin_bp.route("/api/admin/delete_files", methods=["POST"])
+@api_auth
 @admin_required
 def delete_files():
     """Delete files
@@ -443,6 +455,7 @@ def delete_files():
 
 
 @admin_bp.route("/api/admin/delete_datasets", methods=["POST"])
+@api_auth
 @admin_required
 def delete_datasets():
     """Delete some datasets (db and triplestore) with a celery task

diff --git a/askomics/api/auth.py b/askomics/api/auth.py
@@ -26,6 +26,22 @@ def decorated_function(*args, **kwargs):
     return decorated_function
 
 
+def api_auth(f):
+    """Get info from token"""
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        """Login required decorator"""
+        if request.headers.get("X-API-KEY"):
+            key = request.headers.get("X-API-KEY")
+            local_auth = LocalAuth(current_app, session)
+            authentication = local_auth.authenticate_user_with_apikey(key)
+            if not authentication["error"]:
+                session["user"] = authentication["user"]
+        return f(*args, **kwargs)
+
+    return decorated_function
+
+
 def admin_required(f):
     """Login required function"""
     @wraps(f)
@@ -69,11 +85,17 @@ def signup():
             'error': True,
             'errorMessage': "Account creation is disabled",
             'user': {}
-        }), 500
+        }), 400
 
     user = {}
 
     data = request.get_json()
+    if not data:
+        return jsonify({
+            'error': True,
+            'errorMessage': "Missing parameters",
+            'user': {}
+        }), 400
 
     local_auth = LocalAuth(current_app, session)
     local_auth.check_inputs(data)
@@ -100,6 +122,12 @@ def login():
         Information about the logged user
     """
     data = request.get_json()
+    if not (data and data.get("login") and data.get("password")):
+        return jsonify({
+            'error': True,
+            'errorMessage': "Missing login or password",
+            'user': None
+        }), 400
 
     local_auth = LocalAuth(current_app, session)
     authentication = local_auth.authenticate_user(data["login"], data["password"])
@@ -171,6 +199,11 @@ def update_profile():
         The updated user
     """
     data = request.get_json()
+    if not (data and any([key in data for key in ["newFname", "newLname", "newEmail"]])):
+        return jsonify({
+            "error": True,
+            "errorMessage": "Missing parameters"
+        }), 400
 
     local_auth = LocalAuth(current_app, session)
     updated_user = local_auth.update_profile(data, session['user'])
@@ -195,6 +228,11 @@ def update_password():
         The user
     """
     data = request.get_json()
+    if not (data and all([key in data for key in ["oldPassword", "newPassword", "confPassword"]])):
+        return jsonify({
+            "error": True,
+            "errorMessage": "Missing parameters"
+        }), 400
 
     local_auth = LocalAuth(current_app, session)
     updated_user = local_auth.update_password(data, session['user'])
@@ -238,6 +276,12 @@ def update_galaxy():
         The user with his new apikey
     """
     data = request.get_json()
+    if not (data and data.get("gurl") and data.get("gkey")):
+        return jsonify({
+            'error': True,
+            'errorMessage': "Missing parameters",
+            'user': session["user"]
+        }), 400
 
     local_auth = LocalAuth(current_app, session)
     if session["user"]["galaxy"]:
@@ -274,6 +318,11 @@ def logout():
 def reset_password():
     """Reset password route"""
     data = request.get_json()
+    if not data:
+        return jsonify({
+            "error": True,
+            "errorMessage": "Missing parameters"
+        }), 400
 
     # Send a reset link
     if "login" in data:
@@ -318,7 +367,7 @@ def reset_password():
         })
 
     # Update password
-    else:
+    elif all([key in data for key in ["token", "password", "passwordConf"]]):
         try:
             local_auth = LocalAuth(current_app, session)
             result = local_auth.reset_password_with_token(data["token"], data["password"], data["passwordConf"])
@@ -333,6 +382,11 @@ def reset_password():
             "error": result["error"],
             "errorMessage": result["message"]
         })
+    else:
+        return jsonify({
+            "error": True,
+            "errorMessage": "Missing parameters"
+        }), 400
 
 
 @auth_bp.route("/api/auth/delete_account", methods=["GET"])

diff --git a/askomics/api/data.py b/askomics/api/data.py
@@ -3,6 +3,7 @@
 import sys
 import traceback
 
+from askomics.api.auth import api_auth
 from askomics.libaskomics.SparqlQuery import SparqlQuery
 from askomics.libaskomics.SparqlQueryLauncher import SparqlQueryLauncher
 
@@ -13,6 +14,7 @@
 
 
 @data_bp.route('/api/data/<string:uri>', methods=['GET'])
+@api_auth
 def get_data(uri):
     """Get information about uri
 

diff --git a/askomics/api/datasets.py b/askomics/api/datasets.py
@@ -2,7 +2,7 @@
 import sys
 import traceback
 
-from askomics.api.auth import login_required, admin_required
+from askomics.api.auth import login_required, admin_required, api_auth
 from askomics.libaskomics.DatasetsHandler import DatasetsHandler
 
 from flask import (Blueprint, current_app, jsonify, request, session)
@@ -12,6 +12,7 @@
 
 
 @datasets_bp.route('/api/datasets', methods=['GET'])
+@api_auth
 @login_required
 def get_datasets():
     """Get datasets information
@@ -42,6 +43,7 @@ def get_datasets():
 
 
 @datasets_bp.route('/api/datasets/delete', methods=['POST'])
+@api_auth
 @login_required
 def delete_datasets():
     """Delete some datasets (db and triplestore) with a celery task
@@ -53,6 +55,13 @@ def delete_datasets():
         errorMessage: the error message of error, else an empty string
     """
     data = request.get_json()
+    if not (data and data.get("datasetsIdToDelete")):
+        return jsonify({
+            'datasets': [],
+            'error': True,
+            'errorMessage': "Missing datasetsIdToDelete parameter"
+        }), 400
+
     datasets_info = []
     for dataset_id in data['datasetsIdToDelete']:
         datasets_info.append({'id': dataset_id})
@@ -99,6 +108,7 @@ def delete_datasets():
 
 
 @datasets_bp.route('/api/datasets/public', methods=['POST'])
+@api_auth
 @admin_required
 def toogle_public():
     """Toggle public status of a dataset
@@ -110,6 +120,13 @@ def toogle_public():
         errorMessage: the error message of error, else an empty string
     """
     data = request.get_json()
+    if not (data and data.get("id")):
+        return jsonify({
+            'datasets': [],
+            'error': True,
+            'errorMessage': "Missing id parameter"
+        }), 400
+
     datasets_info = [{'id': data["id"]}]
 
     try:
@@ -118,8 +135,8 @@ def toogle_public():
         datasets_handler.handle_datasets()
 
         for dataset in datasets_handler.datasets:
-            current_app.logger.debug(data["newStatus"])
-            dataset.toggle_public(data["newStatus"])
+            current_app.logger.debug(data.get("newStatus", False))
+            dataset.toggle_public(data.get("newStatus", False))
 
         datasets = datasets_handler.get_datasets()