More "@login_required" in view.py?

[mccalluc]

It seems like many of our views could expose information. Besides simply being able to login, are there other things un-logged-in users need to be able to access? Or is security handled at the API level?

[ngehlenborg]

At this point much of our security is handled at the API level. Many views do not require the user to be logged in because there are public data sets that should be viewable by anyone.

[mccalluc]

That's reasonable. @hackdna, I think you had reservations, but ok to close? For reference:

$ grep -A1 '@login_required' refinery/*/views.py | grep def
refinery/analysis_manager/views.py-def analysis_cancel(request):
refinery/core/views.py-def collaboration(request):
refinery/core/views.py-def group_invite(request, token):
refinery/core/views.py-def user(request, query):
refinery/core/views.py-def user_profile(request):
refinery/core/views.py-def user_edit(request, uuid):
refinery/core/views.py-def user_profile_edit(request):
refinery/core/views.py-def group(request, query):
refinery/core/views.py-def project_new(request):
refinery/core/views.py-def project_edit(request, uuid):
refinery/core/views.py-def workflow_edit(request, uuid):
refinery/core/views.py-def analysis(request, analysis_uuid):
refinery/workflow_manager/views.py-def import_workflows(request):

[hackdna]

I think we should have an audit of all the views. It is very likely that for some of them unauthenticated access doesn't make sense and it might even open security holes.

[ngehlenborg]

I meant to add that if there are any specific views that you believe should have a @login_required decorator, we should discuss them.

[jkmarx]

Audit all Django Views for Login

[mccalluc]

(no longer a question, just tech debt.)

[gmnelson]

Not sure if this relates specifically to view.py, but the User Files browser is currently exposing facets from all uploaded data sets (i.e. private data sets included), irrespective of data access privileges. In fact, I can see all the facets (e.g. all experimenter names) while logged out.

Although I can't see the files to which I don't have access, I shouldn't be able to see the related facets either.

[hackdna]

Ideally, all views should be private by default. Public views would be enabled explicitly (a whitelist).

[jkmarx]

Checked rendered views, so we are set here. Some views are utilizing the login_require in the URL, which is why they didn't show up in the search (import view for ex)