From 3a2295487c1ae94b2fc3fb0ddf7f1754b834e107 Mon Sep 17 00:00:00 2001
From: Patrick Jentsch <p.jentsch@uni-bielefeld.de>
Date: Tue, 11 Apr 2023 11:46:33 +0200
Subject: [PATCH] Fix some privacy issues
---
app/contributions/__init__.py | 13 +++++++++++++
app/contributions/routes.py | 2 --
.../spacy_nlp_pipeline_models/json_routes.py | 4 +---
.../spacy_nlp_pipeline_models/routes.py | 7 +++----
.../tesseract_ocr_pipeline_models/json_routes.py | 4 +---
.../tesseract_ocr_pipeline_models/routes.py | 9 ++++-----
.../transkribus_htr_pipeline_models/routes.py | 2 --
app/corpora/__init__.py | 13 +++++++++++++
app/corpora/files/json_routes.py | 2 --
app/corpora/files/routes.py | 5 -----
app/corpora/followers/json_routes.py | 5 +----
app/corpora/json_routes.py | 6 +-----
app/corpora/routes.py | 9 +--------
app/jobs/__init__.py | 13 +++++++++++++
app/jobs/json_routes.py | 5 +----
app/jobs/routes.py | 14 +++-----------
app/main/routes.py | 1 +
app/models.py | 2 +-
app/services/__init__.py | 12 ++++++++++++
app/services/routes.py | 8 +-------
app/settings/__init__.py | 12 ++++++++++++
app/templates/admin/user.html.j2 | 4 +++-
app/users/__init__.py | 12 ++++++++++++
app/users/json_routes.py | 3 +--
app/users/routes.py | 7 ++-----
app/users/settings/json_routes.py | 4 +---
app/users/settings/routes.py | 3 +--
27 files changed, 102 insertions(+), 79 deletions(-)
diff --git a/app/contributions/__init__.py b/app/contributions/__init__.py
index 478631f9..5a7ddf1b 100644
--- a/app/contributions/__init__.py
+++ b/app/contributions/__init__.py
@@ -1,7 +1,20 @@
from flask import Blueprint
+from flask_login import login_required
bp = Blueprint('contributions', __name__)
+
+
+@bp.before_request
+@login_required
+def before_request():
+ '''
+ Ensures that the routes in this package can only be visited by users that
+ are logged in.
+ '''
+ pass
+
+
from . import routes
from . import spacy_nlp_pipeline_models
from . import tesseract_ocr_pipeline_models
diff --git a/app/contributions/routes.py b/app/contributions/routes.py
index 4bdc5cc7..82fc63ba 100644
--- a/app/contributions/routes.py
+++ b/app/contributions/routes.py
@@ -1,11 +1,9 @@
from flask import redirect, url_for
from flask_breadcrumbs import register_breadcrumb
-from flask_login import login_required
from . import bp
@bp.route('')
@register_breadcrumb(bp, '.', '<i class="material-icons left">new_label</i>My Contributions')
-@login_required
def contributions():
return redirect(url_for('main.dashboard', _anchor='contributions'))
diff --git a/app/contributions/spacy_nlp_pipeline_models/json_routes.py b/app/contributions/spacy_nlp_pipeline_models/json_routes.py
index 9d05b165..073eaa5e 100644
--- a/app/contributions/spacy_nlp_pipeline_models/json_routes.py
+++ b/app/contributions/spacy_nlp_pipeline_models/json_routes.py
@@ -1,5 +1,5 @@
from flask import abort, current_app, request
-from flask_login import login_required, current_user
+from flask_login import current_user
from threading import Thread
from app import db
from app.decorators import content_negotiation, permission_required
@@ -8,7 +8,6 @@ from .. import bp
@bp.route('/spacy-nlp-pipeline-models/<hashid:spacy_nlp_pipeline_model_id>', methods=['DELETE'])
-@login_required
@content_negotiation(produces='application/json')
def delete_spacy_model(spacy_nlp_pipeline_model_id):
def _delete_spacy_model(app, spacy_nlp_pipeline_model_id):
@@ -33,7 +32,6 @@ def delete_spacy_model(spacy_nlp_pipeline_model_id):
@bp.route('/spacy-nlp-pipeline-models/<hashid:spacy_nlp_pipeline_model_id>/is_public', methods=['PUT'])
-@login_required
@permission_required('CONTRIBUTE')
@content_negotiation(consumes='application/json', produces='application/json')
def update_spacy_nlp_pipeline_model_is_public(spacy_nlp_pipeline_model_id):
diff --git a/app/contributions/spacy_nlp_pipeline_models/routes.py b/app/contributions/spacy_nlp_pipeline_models/routes.py
index f53d55f1..a3afbe55 100644
--- a/app/contributions/spacy_nlp_pipeline_models/routes.py
+++ b/app/contributions/spacy_nlp_pipeline_models/routes.py
@@ -1,6 +1,6 @@
from flask import abort, flash, redirect, render_template, url_for
from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
from app import db
from app.models import SpaCyNLPPipelineModel
from . import bp
@@ -15,7 +15,6 @@ from .utils import (
@bp.route('/spacy-nlp-pipeline-models')
@register_breadcrumb(bp, '.spacy_nlp_pipeline_models', 'SpaCy NLP Pipeline Models')
-@login_required
def spacy_nlp_pipeline_models():
return render_template(
'contributions/spacy_nlp_pipeline_models/spacy_nlp_pipeline_models.html.j2',
@@ -25,7 +24,6 @@ def spacy_nlp_pipeline_models():
@bp.route('/spacy-nlp-pipeline-models/create', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.spacy_nlp_pipeline_models.create', 'Create')
-@login_required
def create_spacy_nlp_pipeline_model():
form = CreateSpaCyNLPPipelineModelForm()
if form.is_submitted():
@@ -60,9 +58,10 @@ def create_spacy_nlp_pipeline_model():
@bp.route('/spacy-nlp-pipeline-models/<hashid:spacy_nlp_pipeline_model_id>', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.spacy_nlp_pipeline_models.entity', '', dynamic_list_constructor=spacy_nlp_pipeline_model_dlc)
-@login_required
def spacy_nlp_pipeline_model(spacy_nlp_pipeline_model_id):
snpm = SpaCyNLPPipelineModel.query.get_or_404(spacy_nlp_pipeline_model_id)
+ if not (snpm.user == current_user or current_user.is_administrator()):
+ abort(403)
form = UpdateSpaCyNLPPipelineModelForm(data=snpm.to_json_serializeable())
if form.validate_on_submit():
form.populate_obj(snpm)
diff --git a/app/contributions/tesseract_ocr_pipeline_models/json_routes.py b/app/contributions/tesseract_ocr_pipeline_models/json_routes.py
index 29a9f373..22f09e1b 100644
--- a/app/contributions/tesseract_ocr_pipeline_models/json_routes.py
+++ b/app/contributions/tesseract_ocr_pipeline_models/json_routes.py
@@ -1,5 +1,5 @@
from flask import abort, current_app, request
-from flask_login import login_required, current_user
+from flask_login import current_user
from threading import Thread
from app import db
from app.decorators import content_negotiation, permission_required
@@ -8,7 +8,6 @@ from . import bp
@bp.route('/tesseract-ocr-pipeline-models/<hashid:tesseract_ocr_pipeline_model_id>', methods=['DELETE'])
-@login_required
@content_negotiation(produces='application/json')
def delete_tesseract_model(tesseract_ocr_pipeline_model_id):
def _delete_tesseract_ocr_pipeline_model(app, tesseract_ocr_pipeline_model_id):
@@ -33,7 +32,6 @@ def delete_tesseract_model(tesseract_ocr_pipeline_model_id):
@bp.route('/tesseract-ocr-pipeline-models/<hashid:tesseract_ocr_pipeline_model_id>/is_public', methods=['PUT'])
-@login_required
@permission_required('CONTRIBUTE')
@content_negotiation(consumes='application/json', produces='application/json')
def update_tesseract_ocr_pipeline_model_is_public(tesseract_ocr_pipeline_model_id):
diff --git a/app/contributions/tesseract_ocr_pipeline_models/routes.py b/app/contributions/tesseract_ocr_pipeline_models/routes.py
index e0261e80..c35b0419 100644
--- a/app/contributions/tesseract_ocr_pipeline_models/routes.py
+++ b/app/contributions/tesseract_ocr_pipeline_models/routes.py
@@ -1,6 +1,6 @@
-from flask import abort, flash, redirect, render_template, request, url_for
+from flask import abort, flash, redirect, render_template, url_for
from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
from app import db
from app.models import TesseractOCRPipelineModel
from . import bp
@@ -15,7 +15,6 @@ from .utils import (
@bp.route('/tesseract-ocr-pipeline-models')
@register_breadcrumb(bp, '.tesseract_ocr_pipeline_models', 'Tesseract OCR Pipeline Models')
-@login_required
def tesseract_ocr_pipeline_models():
return render_template(
'contributions/tesseract_ocr_pipeline_models/tesseract_ocr_pipeline_models.html.j2',
@@ -25,7 +24,6 @@ def tesseract_ocr_pipeline_models():
@bp.route('/tesseract-ocr-pipeline-models/create', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.tesseract_ocr_pipeline_models.create', 'Create')
-@login_required
def create_tesseract_ocr_pipeline_model():
form = CreateTesseractOCRPipelineModelForm()
if form.is_submitted():
@@ -59,9 +57,10 @@ def create_tesseract_ocr_pipeline_model():
@bp.route('/tesseract-ocr-pipeline-models/<hashid:tesseract_ocr_pipeline_model_id>', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.tesseract_ocr_pipeline_models.entity', '', dynamic_list_constructor=tesseract_ocr_pipeline_model_dlc)
-@login_required
def tesseract_ocr_pipeline_model(tesseract_ocr_pipeline_model_id):
topm = TesseractOCRPipelineModel.query.get_or_404(tesseract_ocr_pipeline_model_id)
+ if not (topm.user == current_user or current_user.is_administrator()):
+ abort(403)
form = UpdateTesseractOCRPipelineModelForm(data=topm.to_json_serializeable())
if form.validate_on_submit():
form.populate_obj(topm)
diff --git a/app/contributions/transkribus_htr_pipeline_models/routes.py b/app/contributions/transkribus_htr_pipeline_models/routes.py
index 317ff9b9..dc698c0f 100644
--- a/app/contributions/transkribus_htr_pipeline_models/routes.py
+++ b/app/contributions/transkribus_htr_pipeline_models/routes.py
@@ -1,9 +1,7 @@
from flask import abort
-from flask_login import login_required
from . import bp
@bp.route('/transkribus_htr_pipeline_models')
-@login_required
def transkribus_htr_pipeline_models():
return abort(503)
diff --git a/app/corpora/__init__.py b/app/corpora/__init__.py
index af734b0c..3766f2a6 100644
--- a/app/corpora/__init__.py
+++ b/app/corpora/__init__.py
@@ -1,7 +1,20 @@
from flask import Blueprint
+from flask_login import login_required
bp = Blueprint('corpora', __name__)
+
+
+@bp.before_request
+@login_required
+def before_request():
+ '''
+ Ensures that the routes in this package can only be visited by users that
+ are logged in.
+ '''
+ pass
+
+
from . import cqi_over_socketio, routes, json_routes
from . import files
from . import followers
diff --git a/app/corpora/files/json_routes.py b/app/corpora/files/json_routes.py
index 2e40775d..faa5f233 100644
--- a/app/corpora/files/json_routes.py
+++ b/app/corpora/files/json_routes.py
@@ -1,5 +1,4 @@
from flask import current_app, jsonify
-from flask_login import login_required
from threading import Thread
from app import db
from app.decorators import content_negotiation
@@ -9,7 +8,6 @@ from . import bp
@bp.route('/<hashid:corpus_id>/files/<hashid:corpus_file_id>', methods=['DELETE'])
-@login_required
@corpus_follower_permission_required('REMOVE_CORPUS_FILE')
@content_negotiation(produces='application/json')
def delete_corpus_file(corpus_id, corpus_file_id):
diff --git a/app/corpora/files/routes.py b/app/corpora/files/routes.py
index 7dca50a2..108acf1a 100644
--- a/app/corpora/files/routes.py
+++ b/app/corpora/files/routes.py
@@ -7,7 +7,6 @@ from flask import (
url_for
)
from flask_breadcrumbs import register_breadcrumb
-from flask_login import login_required
import os
from app import db
from app.models import Corpus, CorpusFile, CorpusStatus
@@ -22,14 +21,12 @@ from .utils import (
@bp.route('/<hashid:corpus_id>/files')
@register_breadcrumb(bp, '.entity.files', 'Files', endpoint_arguments_constructor=corpus_eac)
-@login_required
def corpus_files(corpus_id):
return redirect(url_for('.corpus', _anchor='files', corpus_id=corpus_id))
@bp.route('/<hashid:corpus_id>/files/create', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.entity.files.create', 'Create', endpoint_arguments_constructor=corpus_eac)
-@login_required
@corpus_follower_permission_required('ADD_CORPUS_FILE')
def create_corpus_file(corpus_id):
corpus = Corpus.query.get_or_404(corpus_id)
@@ -72,7 +69,6 @@ def create_corpus_file(corpus_id):
@bp.route('/<hashid:corpus_id>/files/<hashid:corpus_file_id>', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.entity.files.entity', '', dynamic_list_constructor=corpus_file_dlc)
-@login_required
@corpus_follower_permission_required('UPDATE_CORPUS_FILE')
def corpus_file(corpus_id, corpus_file_id):
corpus_file = CorpusFile.query.filter_by(corpus_id=corpus_id, id=corpus_file_id).first_or_404()
@@ -94,7 +90,6 @@ def corpus_file(corpus_id, corpus_file_id):
@bp.route('/<hashid:corpus_id>/files/<hashid:corpus_file_id>/download')
-@login_required
@corpus_follower_permission_required('VIEW')
def download_corpus_file(corpus_id, corpus_file_id):
corpus_file = CorpusFile.query.filter_by(corpus_id=corpus_id, id=corpus_file_id).first_or_404()
diff --git a/app/corpora/followers/json_routes.py b/app/corpora/followers/json_routes.py
index 88fa81d2..7c16a838 100644
--- a/app/corpora/followers/json_routes.py
+++ b/app/corpora/followers/json_routes.py
@@ -1,5 +1,5 @@
from flask import abort, jsonify, request
-from flask_login import current_user, login_required
+from flask_login import current_user
from app import db
from app.decorators import content_negotiation
from app.models import (
@@ -13,7 +13,6 @@ from . import bp
@bp.route('/<hashid:corpus_id>/followers', methods=['POST'])
-@login_required
@corpus_owner_or_admin_required
@content_negotiation(consumes='application/json', produces='application/json')
def create_corpus_followers(corpus_id):
@@ -35,7 +34,6 @@ def create_corpus_followers(corpus_id):
@bp.route('/<hashid:corpus_id>/followers/<hashid:follower_id>/role', methods=['PUT'])
-@login_required
@corpus_owner_or_admin_required
@content_negotiation(consumes='application/json', produces='application/json')
def update_corpus_follower_role(corpus_id, follower_id):
@@ -58,7 +56,6 @@ def update_corpus_follower_role(corpus_id, follower_id):
@bp.route('/<hashid:corpus_id>/followers/<hashid:follower_id>', methods=['DELETE'])
-@login_required
@content_negotiation(produces='application/json')
def delete_corpus_follower(corpus_id, follower_id):
corpus = Corpus.query.get_or_404(corpus_id)
diff --git a/app/corpora/json_routes.py b/app/corpora/json_routes.py
index 0494e1e5..e8142cf5 100644
--- a/app/corpora/json_routes.py
+++ b/app/corpora/json_routes.py
@@ -6,7 +6,7 @@ from flask import (
request,
url_for
)
-from flask_login import current_user, login_required
+from flask_login import current_user
from threading import Thread
from .decorators import corpus_follower_permission_required, corpus_owner_or_admin_required
from app import db, hashids
@@ -16,7 +16,6 @@ from . import bp
@bp.route('/<hashid:corpus_id>', methods=['DELETE'])
-@login_required
@corpus_owner_or_admin_required
@content_negotiation(produces='application/json')
def delete_corpus(corpus_id):
@@ -42,7 +41,6 @@ def delete_corpus(corpus_id):
@bp.route('/<hashid:corpus_id>/build', methods=['POST'])
-@login_required
@corpus_owner_or_admin_required
@content_negotiation(produces='application/json')
def build_corpus(corpus_id):
@@ -71,7 +69,6 @@ def build_corpus(corpus_id):
@bp.route('/<hashid:corpus_id>/generate-share-link', methods=['POST'])
-@login_required
@corpus_follower_permission_required('GENERATE_SHARE_LINK')
@content_negotiation(consumes='application/json', produces='application/json')
def generate_corpus_share_link(corpus_id):
@@ -108,7 +105,6 @@ def generate_corpus_share_link(corpus_id):
@bp.route('/<hashid:corpus_id>/is_public', methods=['PUT'])
-@login_required
@corpus_owner_or_admin_required
@content_negotiation(consumes='application/json', produces='application/json')
def update_corpus_is_public(corpus_id):
diff --git a/app/corpora/routes.py b/app/corpora/routes.py
index ae5069fa..ccb70760 100644
--- a/app/corpora/routes.py
+++ b/app/corpora/routes.py
@@ -1,6 +1,6 @@
from flask import abort, flash, redirect, render_template, url_for
from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
from .decorators import corpus_follower_permission_required
from app import db
from app.models import (
@@ -19,14 +19,12 @@ from .utils import (
@bp.route('')
@register_breadcrumb(bp, '.', '<i class="nopaque-icons left">I</i>My Corpora')
-@login_required
def corpora():
return redirect(url_for('main.dashboard', _anchor='corpora'))
@bp.route('/create', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.create', 'Create')
-@login_required
def create_corpus():
form = CreateCorpusForm()
if form.validate_on_submit():
@@ -50,7 +48,6 @@ def create_corpus():
@bp.route('/<hashid:corpus_id>')
@register_breadcrumb(bp, '.entity', '', dynamic_list_constructor=corpus_dlc)
-@login_required
def corpus(corpus_id):
corpus = Corpus.query.get_or_404(corpus_id)
corpus_follower_roles = CorpusFollowerRole.query.all()
@@ -77,7 +74,6 @@ def corpus(corpus_id):
@bp.route('/<hashid:corpus_id>/analyse')
@register_breadcrumb(bp, '.entity.analyse', 'Analyse', endpoint_arguments_constructor=corpus_eac)
-@login_required
@corpus_follower_permission_required('VIEW')
def analyse_corpus(corpus_id):
corpus = Corpus.query.get_or_404(corpus_id)
@@ -89,7 +85,6 @@ def analyse_corpus(corpus_id):
@bp.route('/<hashid:corpus_id>/follow/<token>')
-@login_required
def follow_corpus(corpus_id, token):
corpus = Corpus.query.get_or_404(corpus_id)
if current_user.follow_corpus_by_token(token):
@@ -101,13 +96,11 @@ def follow_corpus(corpus_id, token):
@bp.route('/import', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.import', 'Import')
-@login_required
def import_corpus():
abort(503)
@bp.route('/<hashid:corpus_id>/export')
@register_breadcrumb(bp, '.entity.export', 'Export', endpoint_arguments_constructor=corpus_eac)
-@login_required
def export_corpus(corpus_id):
abort(503)
diff --git a/app/jobs/__init__.py b/app/jobs/__init__.py
index 11b2ad36..1350e7e1 100644
--- a/app/jobs/__init__.py
+++ b/app/jobs/__init__.py
@@ -1,5 +1,18 @@
from flask import Blueprint
+from flask_login import login_required
bp = Blueprint('jobs', __name__)
+
+
+@bp.before_request
+@login_required
+def before_request():
+ '''
+ Ensures that the routes in this package can only be visited by users that
+ are logged in.
+ '''
+ pass
+
+
from . import routes, json_routes
diff --git a/app/jobs/json_routes.py b/app/jobs/json_routes.py
index 3562470f..7bedc726 100644
--- a/app/jobs/json_routes.py
+++ b/app/jobs/json_routes.py
@@ -1,5 +1,5 @@
from flask import abort, current_app
-from flask_login import current_user, login_required
+from flask_login import current_user
from threading import Thread
import os
from app import db
@@ -9,7 +9,6 @@ from . import bp
@bp.route('/<hashid:job_id>', methods=['DELETE'])
-@login_required
@content_negotiation(produces='application/json')
def delete_job(job_id):
def _delete_job(app, job_id):
@@ -33,7 +32,6 @@ def delete_job(job_id):
@bp.route('/<hashid:job_id>/log')
-@login_required
@admin_required
@content_negotiation(produces='application/json')
def job_log(job_id):
@@ -51,7 +49,6 @@ def job_log(job_id):
@bp.route('/<hashid:job_id>/restart', methods=['POST'])
-@login_required
@content_negotiation(produces='application/json')
def restart_job(job_id):
def _restart_job(app, job_id):
diff --git a/app/jobs/routes.py b/app/jobs/routes.py
index 5f0d6273..f0480293 100644
--- a/app/jobs/routes.py
+++ b/app/jobs/routes.py
@@ -6,7 +6,7 @@ from flask import (
url_for
)
from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
import os
from app.models import Job, JobInput, JobResult
from . import bp
@@ -15,14 +15,12 @@ from .utils import job_dynamic_list_constructor as job_dlc
@bp.route('')
@register_breadcrumb(bp, '.', '<i class="nopaque-icons left">J</i>My Jobs')
-@login_required
def corpora():
return redirect(url_for('main.dashboard', _anchor='jobs'))
@bp.route('/<hashid:job_id>')
@register_breadcrumb(bp, '.entity', '', dynamic_list_constructor=job_dlc)
-@login_required
def job(job_id):
job = Job.query.get_or_404(job_id)
if not (job.user == current_user or current_user.is_administrator()):
@@ -35,11 +33,8 @@ def job(job_id):
@bp.route('/<hashid:job_id>/inputs/<hashid:job_input_id>/download')
-@login_required
def download_job_input(job_id, job_input_id):
- job_input = JobInput.query.get_or_404(job_input_id)
- if job_input.job.id != job_id:
- abort(404)
+ job_input = JobInput.query.filter_by(job_id=job_id, id=job_input_id).first_or_404()
if not (job_input.job.user == current_user or current_user.is_administrator()):
abort(403)
return send_from_directory(
@@ -52,11 +47,8 @@ def download_job_input(job_id, job_input_id):
@bp.route('/<hashid:job_id>/results/<hashid:job_result_id>/download')
-@login_required
def download_job_result(job_id, job_result_id):
- job_result = JobResult.query.get_or_404(job_result_id)
- if job_result.job.id != job_id:
- abort(404)
+ job_result = JobResult.query.filter_by(job_id=job_id, id=job_result_id).first_or_404()
if not (job_result.job.user == current_user or current_user.is_administrator()):
abort(403)
return send_from_directory(
diff --git a/app/main/routes.py b/app/main/routes.py
index f5fac68d..cda06da6 100644
--- a/app/main/routes.py
+++ b/app/main/routes.py
@@ -79,6 +79,7 @@ def terms_of_use():
@bp.route('/social-area')
@register_breadcrumb(bp, '.social_area', '<i class="material-icons left">group</i>Social Area')
+@login_required
def social_area():
# corpora = [
# c.to_json_serializeable() for c
diff --git a/app/models.py b/app/models.py
index bcc030e5..57658074 100644
--- a/app/models.py
+++ b/app/models.py
@@ -693,7 +693,7 @@ class User(HashidMixin, UserMixin, db.Model):
db.session.commit()
def can(self, permission):
- return self.role.has_permission(permission)
+ return self.role is not None and self.role.has_permission(permission)
def confirm(self, confirmation_token):
try:
diff --git a/app/services/__init__.py b/app/services/__init__.py
index 73c78b59..ba1eb297 100644
--- a/app/services/__init__.py
+++ b/app/services/__init__.py
@@ -9,4 +9,16 @@ with open(services_file, 'r') as f:
SERVICES = yaml.safe_load(f)
bp = Blueprint('services', __name__)
+
+
+@bp.before_request
+@login_required
+def before_request():
+ '''
+ Ensures that the routes in this package can only be visited by users that
+ are logged in.
+ '''
+ pass
+
+
from . import routes # noqa
diff --git a/app/services/routes.py b/app/services/routes.py
index 7ab36384..0a8c2811 100644
--- a/app/services/routes.py
+++ b/app/services/routes.py
@@ -1,6 +1,6 @@
from flask import abort, current_app, flash, Markup, redirect, render_template, request, url_for
from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
import requests
from app import db, hashids
from app.models import (
@@ -21,14 +21,12 @@ from .forms import (
@bp.route('/services')
@register_breadcrumb(bp, '.', 'Services')
-@login_required
def services():
return redirect(url_for('main.dashboard'))
@bp.route('/file-setup-pipeline', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.file_setup_pipeline', '<i class="nopaque-icons service-icons left" data-service="file-setup-pipeline"></i>File Setup')
-@login_required
def file_setup_pipeline():
service = 'file-setup-pipeline'
service_manifest = SERVICES[service]
@@ -70,7 +68,6 @@ def file_setup_pipeline():
@bp.route('/tesseract-ocr-pipeline', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.tesseract_ocr_pipeline', '<i class="nopaque-icons service-icons left" data-service="tesseract-ocr-pipeline"></i>Tesseract OCR Pipeline')
-@login_required
def tesseract_ocr_pipeline():
service_name = 'tesseract-ocr-pipeline'
service_manifest = SERVICES[service_name]
@@ -120,7 +117,6 @@ def tesseract_ocr_pipeline():
@bp.route('/transkribus-htr-pipeline', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.transkribus_htr_pipeline', '<i class="nopaque-icons service-icons left" data-service="transkribus-htr-pipeline"></i>Transkribus HTR Pipeline')
-@login_required
def transkribus_htr_pipeline():
if not current_app.config.get('NOPAQUE_TRANSKRIBUS_ENABLED'):
abort(404)
@@ -179,7 +175,6 @@ def transkribus_htr_pipeline():
@bp.route('/spacy-nlp-pipeline', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.spacy_nlp_pipeline', '<i class="nopaque-icons service-icons left" data-service="spacy-nlp-pipeline"></i>SpaCy NLP Pipeline')
-@login_required
def spacy_nlp_pipeline():
service = 'spacy-nlp-pipeline'
service_manifest = SERVICES[service]
@@ -225,7 +220,6 @@ def spacy_nlp_pipeline():
@bp.route('/corpus-analysis')
@register_breadcrumb(bp, '.corpus_analysis', '<i class="nopaque-icons service-icons left" data-service="corpus-analysis"></i>Corpus Analysis')
-@login_required
def corpus_analysis():
return render_template(
'services/corpus_analysis.html.j2',
diff --git a/app/settings/__init__.py b/app/settings/__init__.py
index 56265277..0f3d7815 100644
--- a/app/settings/__init__.py
+++ b/app/settings/__init__.py
@@ -2,4 +2,16 @@ from flask import Blueprint
bp = Blueprint('settings', __name__)
+
+
+@bp.before_request
+@login_required
+def before_request():
+ '''
+ Ensures that the routes in this package can only be visited by users that
+ are logged in.
+ '''
+ pass
+
+
from . import routes
diff --git a/app/templates/admin/user.html.j2 b/app/templates/admin/user.html.j2
index 73be0732..82c8723d 100644
--- a/app/templates/admin/user.html.j2
+++ b/app/templates/admin/user.html.j2
@@ -17,7 +17,9 @@
<span class="chip white-text" id="user-confirmed-chip" style="background-color: #f44336;">unconfirmed</span>
{% endif %}
</p>
- <p>{{ user.about_me if user.about_me }}</p>
+ {% if user.about_me %}
+ <p>{{ user.about_me }}</p>
+ {% endif %}
</div>
<div class="col s12 hide-on-med-and-down"> </div>
diff --git a/app/users/__init__.py b/app/users/__init__.py
index a1ed4f2e..46227fca 100644
--- a/app/users/__init__.py
+++ b/app/users/__init__.py
@@ -2,5 +2,17 @@ from flask import Blueprint
bp = Blueprint('users', __name__)
+
+
+@bp.before_request
+@login_required
+def before_request():
+ '''
+ Ensures that the routes in this package can only be visited by users that
+ are logged in.
+ '''
+ pass
+
+
from . import events, json_routes, routes
from . import settings
diff --git a/app/users/json_routes.py b/app/users/json_routes.py
index 571fa78c..b9cbb3e3 100644
--- a/app/users/json_routes.py
+++ b/app/users/json_routes.py
@@ -1,5 +1,5 @@
from flask import abort, current_app
-from flask_login import current_user, login_required, logout_user
+from flask_login import current_user, logout_user
from threading import Thread
from app import db
from app.decorators import content_negotiation
@@ -8,7 +8,6 @@ from . import bp
@bp.route('/<hashid:user_id>', methods=['DELETE'])
-@login_required
@content_negotiation(produces='application/json')
def delete_user(user_id):
def _delete_user(app, user_id):
diff --git a/app/users/routes.py b/app/users/routes.py
index 7b86a8e1..fbb5a609 100644
--- a/app/users/routes.py
+++ b/app/users/routes.py
@@ -6,23 +6,21 @@ from flask import (
url_for
)
from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
import os
-from app.models import Corpus, User
+from app.models import User
from . import bp
from .utils import user_dynamic_list_constructor as user_dlc
@bp.route('')
@register_breadcrumb(bp, '.', '<i class="material-icons left">group</i>Users')
-@login_required
def users():
return redirect(url_for('main.social_area', _anchor='users'))
@bp.route('/<hashid:user_id>')
@register_breadcrumb(bp, '.entity', '', dynamic_list_constructor=user_dlc)
-@login_required
def user(user_id):
user = User.query.get_or_404(user_id)
if not (user.is_public or user == current_user or current_user.is_administrator()):
@@ -35,7 +33,6 @@ def user(user_id):
@bp.route('/<hashid:user_id>/avatar')
-@login_required
def user_avatar(user_id):
user = User.query.get_or_404(user_id)
if not (user.is_public or user == current_user or current_user.is_administrator()):
diff --git a/app/users/settings/json_routes.py b/app/users/settings/json_routes.py
index 1d0c4d9e..03f34a22 100644
--- a/app/users/settings/json_routes.py
+++ b/app/users/settings/json_routes.py
@@ -1,5 +1,5 @@
from flask import abort, request
-from flask_login import current_user, login_required
+from flask_login import current_user
from app import db
from app.decorators import content_negotiation
from app.models import User, ProfilePrivacySettings
@@ -7,7 +7,6 @@ from . import bp
@bp.route('/<hashid:user_id>/settings/profile-privacy/is-public', methods=['PUT'])
-@login_required
@content_negotiation(consumes='application/json', produces='application/json')
def update_user_profile_privacy_setting_is_public(user_id):
user = User.query.get_or_404(user_id)
@@ -26,7 +25,6 @@ def update_user_profile_privacy_setting_is_public(user_id):
@bp.route('/<hashid:user_id>/settings/profile-privacy/<string:profile_privacy_setting_name>', methods=['PUT'])
-@login_required
@content_negotiation(consumes='application/json', produces='application/json')
def update_user_profile_privacy_settings(user_id, profile_privacy_setting_name):
user = User.query.get_or_404(user_id)
diff --git a/app/users/settings/routes.py b/app/users/settings/routes.py
index d921c5c4..68f0a303 100644
--- a/app/users/settings/routes.py
+++ b/app/users/settings/routes.py
@@ -1,6 +1,6 @@
from flask import abort, flash, g, redirect, render_template, url_for
from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
from app import db
from app.models import Avatar, User
from ..utils import user_endpoint_arguments_constructor as user_eac
@@ -16,7 +16,6 @@ from .forms import (
@bp.route('/<hashid:user_id>/settings', methods=['GET', 'POST'])
@register_breadcrumb(bp, '.entity.settings', '<i class="material-icons left">settings</i>Settings', endpoint_arguments_constructor=user_eac)
-@login_required
def settings(user_id):
user = User.query.get_or_404(user_id)
if not (user == current_user or current_user.is_administrator()):
--
GitLab