From b0c6bb9c05b4c9ca9cddf74ed1ab15c3097836b4 Mon Sep 17 00:00:00 2001
From: Patrick Jentsch <p.jentsch@uni-bielefeld.de>
Date: Tue, 12 Nov 2019 12:04:07 +0100
Subject: [PATCH] Add checks if the user is allowed to start an analysis.

---
 app/corpora/events.py | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/app/corpora/events.py b/app/corpora/events.py
index 932d24db..64120e31 100644
--- a/app/corpora/events.py
+++ b/app/corpora/events.py
@@ -2,19 +2,19 @@ from app import db, socketio
 from app.events import connected_sessions
 from app.models import Corpus
 from flask import current_app, request
-from flask_login import login_required
+from flask_login import current_user, login_required
 from .CQiWrapper.CQiWrapper import CQiWrapper
 import logging
 
 
 '''
-' A dictionary containing lists of with corpus ids associated Socket.IO session
-' ids (sid). {<corpus_id>: [<sid>, ...], ...}
+' A dictionary containing lists of, with corpus ids associated, Socket.IO
+' session ids (sid). {<corpus_id>: [<sid>, ...], ...}
 '''
 analysis_sessions = {}
 '''
 ' A dictionary containing Socket.IO session id - CQi client pairs.
-' {<sid>: CQi client, ...}
+' {<sid>: CQiClient, ...}
 '''
 analysis_clients = {}
 
@@ -22,7 +22,13 @@ analysis_clients = {}
 @socketio.on('init_corpus_analysis')
 @login_required
 def init_corpus_analysis(corpus_id):
-    ''' TODO: Check if current_user is allowed to subscribe to this '''
+    corpus = Corpus.query.filter_by(id=corpus_id).first()
+    if corpus is None:
+        socketio.emit('init_corpus_analysis', '[ERROR 404]: Not Found',
+                      room=request.sid)
+    if not (corpus.creator == current_user or current_user.is_administrator()):
+        socketio.emit('init_corpus_analysis', '[ERROR 403]: Forbidden',
+                      room=request.sid)
     if str(corpus_id) not in analysis_sessions:
         analysis_sessions[str(corpus_id)] = [request.sid]
     socketio.start_background_task(observe_corpus_analysis_connection,
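Review bot: Neither error branch leaves the handler, so the new checks do not enforce anything: when `corpus` is None the 404 is emitted and the very next line dereferences `corpus.creator`, raising AttributeError, and when the user is not the creator or an administrator the 403 is emitted but execution falls through to register `request.sid` in `analysis_sessions` and start the background task anyway. Add a `return` directly after each `socketio.emit(...)` call (two lines in total) so the unauthorized or missing-corpus case stops here. The comparison `corpus.creator == current_user` compares a model instance with Flask-Login's proxy object; I would expect that to resolve through the proxy to the same session-loaded user, but comparing the primary keys explicitly is the less surprising form if the model exposes them. The body of `init_corpus_analysis` continues past the end of this hunk.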
@@ -31,6 +37,7 @@ def init_corpus_analysis(corpus_id):
 
 
 @socketio.on('query_event')
+@login_required
 def recv_query(message):
     logger = logging.getLogger(__name__)
     logger.warning(message)
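Review bot: `@login_required` from Flask-Login is designed for HTTP views: on an unauthenticated call it invokes the login manager's unauthorized handler, which produces an HTTP response or abort, and there is no HTTP response to return from a Socket.IO event handler, so what the client of `query_event` actually observes on a rejected call is unclear from this hunk and worth confirming. The file already applies the same decorator to `init_corpus_analysis`, so this is consistent with existing usage rather than a new pattern; the pattern Flask-SocketIO documents for this case is a small wrapper that checks `if not current_user.is_authenticated: disconnect()` and otherwise calls the handler. The body of `recv_query` continues beyond this hunk, so I cannot see whether the message is validated after the decorator passes.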
@@ -72,4 +79,4 @@ def observe_corpus_analysis_connection(app, corpus_id, session_id):
         if not analysis_sessions[str(corpus_id)]:
             analysis_sessions.pop(str(corpus_id), None)
             corpus.status = 'stop analysis'
-        db.session.commit()
+            db.session.commit()
-- 
GitLab