Add backend access checks on datafile operations

9986e868 · Jonathan Seguin · 5c76f676 · 9986e868 · 9986e868
Commit 9986e868 authored 5 years ago by Jonathan Seguin
--- a/portal/models.py
+++ b/portal/models.py
@@ -113,6 +113,13 @@ class DataFileManager(models.Manager):
            | Q(datasets__share_groups__profiles=profile)
        )

+    def editable_by_profile(self, profile):
+        return super().get_queryset().filter(
+            Q(uploaded_by=profile)
+            | Q(lab__pi=profile)
+            | Q(lab__data_managers=profile)
+        )
+

 # File Object ########
 class DataFile(models.Model):

--- a/portal/views/secure/datafile.py
+++ b/portal/views/secure/datafile.py
@@ -98,11 +98,11 @@ class DataFilesJSONListView(LoginRequiredMixin, JSONListView):
 def ajax_batch_datafile_annotations_JSON(request):
    if request.POST:
        ids = request.POST['datafiles'].split(',')
-        annotation_keys = [{'id': x, 'text': x} for x in set(flatten([list(a[0].keys()) for a in DataFile.objects.filter(pk__in=ids).values_list('annotations')]))]
+        datafiles = DataFile.objects.filter(pk__in=ids)
+        annotation_keys = [{'id': x, 'text': x} for x in set(flatten([list(a[0].keys()) for a in datafiles.values_list('annotations')]))]

-        # !!!!
-        # TODO check if user has access to these files
-        # !!!!
+        if DataFile.objects.editable_by_profile(request.user.profile).filter(pk__in=ids).count() != datafiles.count():
+            raise Exception("User accessing annotations for files he does not have the ability to edit.")

        return JsonResponse({'results': annotation_keys})

@@ -116,6 +116,11 @@ class DataFileBatchRemoveAnnotation(LoginRequiredMixin, SuccessMessageMixin, Vie
        files = DataFile.objects.filter(pk__in=self.request.POST.get('datafiles').split(','))

        for f in files.all():
+
+            if not DataFile.objects.editable_by_profile(request.user.profile).filter(pk=f.pk).first():
+                messages.error(self.request, _('You do not have the necessary permissions to edit the annotation of "{}"'.format(f)))
+                return HttpResponseRedirect(self.success_url)
+     
            for k in keys:
                try:
                    f.annotations.pop(k, None)
@@ -143,6 +148,11 @@ class DataFileBatchAddAnnotation(LoginRequiredMixin, SuccessMessageMixin, View):
            return HttpResponseRedirect(self.success_url)

        for f in files.all():
+
+            if not DataFile.objects.editable_by_profile(request.user.profile).filter(pk=f.pk).first():
+                messages.error(self.request, _('You do not have the necessary permissions to edit the annotation of "{}"'.format(f)))
+                return HttpResponseRedirect(self.success_url)
+
            for k in json_annot.keys():
                try:
                    f.annotations[k] = json_annot[k]