Merge pull request '541 security improvements' (#542) from 541_Security_improvements into master

Reviewed-on: #542

api/migrations/0004_externalidentifier.py

@@ -0,0 +1,23 @@
+# Generated by Django 6.0.5 on 2026-05-10 07:18
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0003_oauthtoken'),
+        ('user', '0010_user_sso_identifier'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ExternalIdentifier',
+            fields=[
+                ('external_id', models.CharField(db_comment='Identifier from a source system', max_length=255, primary_key=True, serialize=False)),
+                ('internal_id', models.UUIDField(db_comment='Identifier in konova')),
+                ('created', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='+', to='user.useractionlogentry')),
+            ],
+        ),
+    ]

api/models/__init__.py

@@ -5,4 +5,5 @@ Contact: michel.peltriaux@sgdnord.rlp.de
 Created on: 21.01.22
 
 """
-from .token import *
+from .token import *
+from .external_identifier import *

api/models/external_identifier.py

@@ -0,0 +1,51 @@
+"""
+Author: Michel Peltriaux
+Created on: 10.05.26
+
+"""
+from django.db import models
+
+
+class ExternalIdentifier(models.Model):
+    """ Holds a lookup to match a given external identifier against the internal identifier in konova.
+
+    Relevant in cases of API transmitted entries, which are updates using external identifiers instead of
+    the internal ones directly.
+
+    """
+    external_id = models.CharField(
+        max_length=255,
+        primary_key=True,
+        db_comment="Identifier from a source system"
+    )
+    internal_id = models.UUIDField(
+        db_comment="Identifier in konova"
+    )
+    created = models.ForeignKey(
+        "user.UserActionLogEntry",
+        on_delete=models.SET_NULL,
+        null=True,
+        blank=True,
+        related_name='+'
+    )
+
+    def __str__(self):
+        return f"{self.external_id} -> {self.internal_id}"
+
+    @staticmethod
+    def resolve_external_identifier(external_identifier: str):
+        """ Returns a ExternalIdentifier object, if the given parameter could be resolved as an external identifier.
+
+        Args:
+            external_identifier (str): An external identifier.
+
+        Returns:
+            ExternalIdentifier | None
+        """
+        if external_identifier:
+            try:
+                obj = ExternalIdentifier.objects.get(external_id=external_identifier)
+                return obj
+            except ExternalIdentifier.DoesNotExist:
+                pass
+        return None

api/tests/v1/create/compensation_create_post_body.json

@@ -8,6 +8,7 @@
         "is_coherence_keeping": false,
         "is_pik": false,
         "intervention": "MUST_BE_SET_IN_TEST",
+        "external_identifier": "LOREMIPSUM-123",
         "before_states": [
         ],
         "after_states": [

api/tests/v1/create/ecoaccount_create_post_body.json

@@ -4,6 +4,7 @@
     ],
     "properties": {
         "title": "Test_ecoaccount",
+        "external_identifier": "LOREMIPSUM-1234",
         "deductable_surface": 10000.0,
         "is_pik": false,
         "responsible": {

api/tests/v1/create/ema_create_post_body.json

@@ -4,6 +4,7 @@
     ],
     "properties": {
         "title": "Test_ema",
+        "external_identifier": "LOREMIPSUM-1235",
         "is_pik": false,
         "responsible": {
             "conservation_office": null,

api/tests/v1/create/intervention_create_post_body.json

@@ -4,6 +4,7 @@
     ],
     "properties": {
         "title": "Test_intervention",
+        "external_identifier": "LOREMIPSUM-1236",
         "responsible": {
             "registration_office": null,
             "registration_file_number": null,

api/tests/v1/create/test_api_create.py

@@ -9,6 +9,7 @@ import json
 
 from django.urls import reverse
 
+from api.models import ExternalIdentifier
 from api.tests.v1.share.test_api_sharing import BaseAPIV1TestCase
 
 
@@ -42,7 +43,22 @@ class APIV1CreateTestCase(BaseAPIV1TestCase):
         response = self._run_create_request(url, post_body)
         self.assertEqual(response.status_code, 200, msg=response.content)
         content = json.loads(response.content)
-        self.assertIsNotNone(content.get("id", None), msg=response.content)
+        _id = content.get("id", None)
+        self.assertIsNotNone(_id, msg=response.content)
+        return _id
+
+    def _test_external_identifier_created(self, internal_id, external_id):
+        """ Tests whether an external identifier has been created
+
+        Args:
+            internal_id ():
+            external_id ():
+
+        Returns:
+
+        """
+        external_identifier = ExternalIdentifier.objects.get(internal_id=internal_id)
+        self.assertEqual(external_identifier.external_id, external_id)
 
     def test_create_intervention(self):
         """ Tests api creation
@@ -54,7 +70,8 @@ class APIV1CreateTestCase(BaseAPIV1TestCase):
         json_file_path = "api/tests/v1/create/intervention_create_post_body.json"
         with open(json_file_path) as json_file:
             post_body = json.load(fp=json_file)
-        self._test_create_object(url, post_body)
+        internal_id = self._test_create_object(url, post_body)
+        self._test_external_identifier_created(internal_id, post_body["properties"]["external_identifier"])
 
     def test_create_compensation(self):
         """ Tests api creation
@@ -77,7 +94,8 @@ class APIV1CreateTestCase(BaseAPIV1TestCase):
 
         # Add the user to the shared users of the intervention and try again! Now everything should work as expected.
         self.intervention.users.add(self.superuser)
-        self._test_create_object(url, post_body)
+        internal_id = self._test_create_object(url, post_body)
+        self._test_external_identifier_created(internal_id, post_body["properties"]["external_identifier"])
 
     def test_create_eco_account(self):
         """ Tests api creation
@@ -89,7 +107,8 @@ class APIV1CreateTestCase(BaseAPIV1TestCase):
         json_file_path = "api/tests/v1/create/ecoaccount_create_post_body.json"
         with open(json_file_path) as json_file:
             post_body = json.load(fp=json_file)
-        self._test_create_object(url, post_body)
+        internal_id = self._test_create_object(url, post_body)
+        self._test_external_identifier_created(internal_id, post_body["properties"]["external_identifier"])
 
     def test_create_ema(self):
         """ Tests api creation
@@ -101,7 +120,8 @@ class APIV1CreateTestCase(BaseAPIV1TestCase):
         json_file_path = "api/tests/v1/create/ema_create_post_body.json"
         with open(json_file_path) as json_file:
             post_body = json.load(fp=json_file)
-        self._test_create_object(url, post_body)
+        internal_id = self._test_create_object(url, post_body)
+        self._test_external_identifier_created(internal_id, post_body["properties"]["external_identifier"])
 
     def test_create_deduction(self):
         """ Tests api creation

api/tests/v1/share/test_api_sharing.py

@@ -31,9 +31,10 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
     def setUpTestData(cls):
         super().setUpTestData()
 
-    def _run_share_request(self, url, user_list: list):
+    def _run_share_request(self, url, user_list: list, team_list: list):
         data = {
-            "users": user_list
+            "users": user_list,
+            "teams": team_list
         }
         data = json.dumps(data)
         response = self.client.put(
@@ -58,16 +59,22 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
             self.superuser.username,
             self.user.username,
         ]
+        team_list = [
+            str(self.team.id),
+        ]
 
-        response = self._run_share_request(url, user_list)
+        response = self._run_share_request(url, user_list, team_list)
 
         # Must fail, since performing user has no access on requested object
         self.assertEqual(response.status_code, 500)
         self.assertTrue(len(json.loads(response.content.decode("utf-8")).get("errors", [])) > 0)
 
-        # Add performing user to shared access users and rerun the request
+        # Add performing user to shared access users, switch from team id to team name and rerun the request
         obj.users.add(self.superuser)
-        response = self._run_share_request(url, user_list)
+        team_list = [
+            self.team.name
+        ]
+        response = self._run_share_request(url, user_list, team_list)
 
         shared_users = obj.shared_users
         self.assertEqual(response.status_code, 200)
@@ -84,14 +91,14 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
         share_url = reverse("api:v1:intervention-share", args=(self.intervention.id,))
         # Expect the first request to work properly
         self.intervention.users.add(self.superuser)
-        response = self._run_share_request(share_url, [self.superuser.username])
+        response = self._run_share_request(share_url, [self.superuser.username], [str(self.team.id)])
         self.assertEqual(response.status_code, 200)
 
         # Change the token
         self.header_data["HTTP_ksptoken"] = f"{self.superuser.api_token.token}__X"
 
         # Expect the request to fail now
-        response = self._run_share_request(share_url, [self.superuser.username])
+        response = self._run_share_request(share_url, [self.superuser.username], [])
         self.assertEqual(response.status_code, 403)
 
     def test_api_intervention_sharing(self):
@@ -144,11 +151,11 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
         self.assertEqual(self.intervention.users.count(), 1)
 
         # Try to add another user via API -> must work!
-        response = self._run_share_request(share_url, [self.superuser.username, self.user.username])
+        response = self._run_share_request(share_url, [self.superuser.username, self.user.username], [])
         self.assertEqual(response.status_code, 200)
         self.assertEqual(self.intervention.users.count(), 2)
 
         # Now try to remove the user again -> expect no changes at all to the shared user list
-        response = self._run_share_request(share_url, [self.superuser.username])
+        response = self._run_share_request(share_url, [self.superuser.username], [])
         self.assertEqual(response.status_code, 200)
         self.assertEqual(self.intervention.users.count(), 2)

api/tests/v1/update/compensation_update_put_body.json

@@ -44,6 +44,7 @@
         ],
     "properties": {
         "title": "TEST_compensation_CHANGED",
+        "external_identifier": "LOREMIPSUM-123_CHANGED",
         "is_cef": true,
         "is_coherence_keeping": true,
         "is_pik": true,

api/tests/v1/update/ecoaccount_update_put_body.json

@@ -44,6 +44,7 @@
         ],
     "properties": {
         "title": "TEST_account_CHANGED",
+        "external_identifier": "LOREMIPSUM-1234_CHANGED",
         "deductable_surface": "100000.0",
         "is_pik": true,
         "responsible": {

api/tests/v1/update/ema_update_put_body.json

@@ -44,6 +44,7 @@
         ],
     "properties": {
         "title": "TEST_EMA_CHANGED",
+        "external_identifier": "LOREMIPSUM-1235_CHANGED",
         "responsible": {
             "conservation_office": null,
             "conservation_file_number": "TEST_CHANGED",

api/tests/v1/update/intervention_update_put_body.json

@@ -44,6 +44,7 @@
         ],
     "properties": {
         "title": "Test_intervention_CHANGED",
+        "external_identifier": "LOREMIPSUM-1236_CHANGED",
         "responsible": {
             "registration_office": null,
             "registration_file_number": "CHANGED",

api/utils/serializer/serializer.py

@@ -10,9 +10,11 @@ from abc import abstractmethod
 
 from django.contrib.gis import geos
 from django.contrib.gis.geos import GEOSGeometry
+from django.core.exceptions import ObjectDoesNotExist
 from django.core.paginator import Paginator
 from django.db.models import Q
 
+from api.models import ExternalIdentifier
 from konova.models import Geometry
 from konova.utils.message_templates import DATA_UNSHARED
 
@@ -76,6 +78,14 @@ class AbstractModelAPISerializer:
             del self.lookup["id"]
         else:
             # Return certain object
+            ## But first check, whether this is an external identifier ...
+            try:
+                ## If we can find this _id on our ExternalIdentifier model, we need to map it on the internal id
+                ext_id = ExternalIdentifier.objects.get(external_id=_id)
+                _id = ext_id.internal_id
+            except ObjectDoesNotExist:
+                # If we did not find it, we assume that this is already an internal id. (Or it does not exist at all)
+                pass
             self.lookup["id"] = _id
 
         self.shared_lookup = Q(
@@ -161,6 +171,14 @@ class AbstractModelAPISerializer:
         Returns:
 
         """
+        # First if there is an external identifier linked to an internal one, so we can continue with the internal
+        try:
+            ext_id = ExternalIdentifier.objects.get(external_id=id)
+            id = ext_id.internal_id
+        except ObjectDoesNotExist:
+            # No external id found - let's hope the given id exists internally
+            pass
+
         obj = self.model.objects.get(
             id=id,
             deleted__isnull=True,

api/utils/serializer/v1/compensation.py

@@ -88,6 +88,11 @@ class CompensationAPISerializerV1(AbstractModelAPISerializerV1, AbstractCompensa
             # Nothing to do here
             return obj
 
+        # Transform a potential external identifier into an internal one
+        intervention_ext_id = self._get_external_identifier(intervention_id)
+        if intervention_ext_id:
+            intervention_id = intervention_ext_id.internal_id
+
         intervention = Intervention.objects.get(
             id=intervention_id,
         )
@@ -114,6 +119,10 @@ class CompensationAPISerializerV1(AbstractModelAPISerializerV1, AbstractCompensa
 
             # Fill in data to objects
             properties = json_model["properties"]
+
+            external_identifier = properties.get("external_identifier", None)
+            self._check_external_identifier_on_entry_creation(external_identifier)
+
             obj.identifier = obj.generate_new_identifier()
             obj.title = properties["title"]
             obj.is_cef = properties["is_cef"]
@@ -129,6 +138,7 @@ class CompensationAPISerializerV1(AbstractModelAPISerializerV1, AbstractCompensa
             obj = self._set_compensation_states(obj, properties["after_states"], obj.after_states)
             obj = self._set_deadlines(obj, properties["deadlines"])
 
+        self._set_external_identifier(obj.id, properties.get("external_identifier", None), obj.created)
         obj.log.add(obj.created)
 
         celery_update_parcels.delay(obj.geometry.id)
@@ -170,6 +180,7 @@ class CompensationAPISerializerV1(AbstractModelAPISerializerV1, AbstractCompensa
             obj = self._set_compensation_states(obj, properties["after_states"], obj.after_states)
             obj = self._set_deadlines(obj, properties["deadlines"])
 
+        self._set_external_identifier(obj.id, properties.get("external_identifier", None), update_action)
         obj.log.add(update_action)
 
         celery_update_parcels.delay(obj.geometry.id)

api/utils/serializer/v1/deduction.py

@@ -62,6 +62,14 @@ class DeductionAPISerializerV1(AbstractModelAPISerializerV1,
         if surface <= 0:
             raise ValueError("Surface must be > 0 m²")
 
+        # Check if external identifiers need to be mapped onto internal ones
+        acc_ext_id = self._get_external_identifier(acc_id)
+        intervention_ext_id = self._get_external_identifier(intervention_id)
+        if acc_ext_id:
+            acc_id = acc_ext_id.internal_id
+        if intervention_ext_id:
+            intervention_id = intervention_ext_id.internal_id
+
         acc = EcoAccount.objects.get(
             id=acc_id,
             deleted__isnull=True,

api/utils/serializer/v1/ecoaccount.py

@@ -121,7 +121,9 @@ class EcoAccountAPISerializerV1(AbstractModelAPISerializerV1,
             obj = self._initialize_objects(json_model, user)
 
             # Fill in data to objects
-            properties = json_model["properties"]
+            properties = json_model.get("properties", None)
+            if not properties:
+                raise AssertionError("No 'properties' found in payload!")
             obj.identifier = obj.generate_new_identifier()
             obj.title = properties["title"]
             obj.is_pik = properties.get("is_pik", False)
@@ -147,6 +149,7 @@ class EcoAccountAPISerializerV1(AbstractModelAPISerializerV1,
             obj = self._set_compensation_states(obj, properties["after_states"], obj.after_states)
             obj = self._set_deadlines(obj, properties["deadlines"])
 
+        self._set_external_identifier(obj.id, properties.get("external_identifier", None), obj.created)
         obj.log.add(obj.created)
         obj.users.add(user)
 
@@ -172,6 +175,10 @@ class EcoAccountAPISerializerV1(AbstractModelAPISerializerV1,
 
             # Fill in data to objects
             properties = json_model["properties"]
+
+            external_identifier = properties.get("external_identifier", None)
+            self._check_external_identifier_on_entry_creation(external_identifier)
+
             obj.title = properties["title"]
             obj.is_pik = properties.get("is_pik", False)
             obj.deductable_surface = float(properties["deductable_surface"])
@@ -192,6 +199,7 @@ class EcoAccountAPISerializerV1(AbstractModelAPISerializerV1,
             obj = self._set_compensation_states(obj, properties["after_states"], obj.after_states)
             obj = self._set_deadlines(obj, properties["deadlines"])
 
+        self._set_external_identifier(obj.id, external_identifier, update_action)
         obj.log.add(update_action)
 
         celery_update_parcels.delay(obj.geometry.id)

api/utils/serializer/v1/ema.py

@@ -104,6 +104,10 @@ class EmaAPISerializerV1(AbstractModelAPISerializerV1, AbstractCompensationAPISe
 
             # Fill in data to objects
             properties = json_model["properties"]
+
+            external_identifier = properties.get("external_identifier", None)
+            self._check_external_identifier_on_entry_creation(external_identifier)
+
             obj.identifier = obj.generate_new_identifier()
             obj.title = properties["title"]
             obj.is_pik = properties.get("is_pik", False)
@@ -119,6 +123,7 @@ class EmaAPISerializerV1(AbstractModelAPISerializerV1, AbstractCompensationAPISe
             obj = self._set_compensation_states(obj, properties["after_states"], obj.after_states)
             obj = self._set_deadlines(obj, properties["deadlines"])
 
+        self._set_external_identifier(obj.id, external_identifier, obj.created)
         obj.log.add(obj.created)
         obj.users.add(user)
 
@@ -161,6 +166,7 @@ class EmaAPISerializerV1(AbstractModelAPISerializerV1, AbstractCompensationAPISe
             obj = self._set_compensation_states(obj, properties["after_states"], obj.after_states)
             obj = self._set_deadlines(obj, properties["deadlines"])
 
+        self._set_external_identifier(obj.id, properties.get("external_identifier", None), update_action)
         obj.log.add(update_action)
 
         celery_update_parcels.delay(obj.geometry.id)

api/utils/serializer/v1/intervention.py

@@ -150,10 +150,14 @@ class InterventionAPISerializerV1(AbstractModelAPISerializerV1,
 
             # Fill in data to objects
             properties = json_model["properties"]
+
+            external_identifier = properties.get("external_identifier", None)
+            self._check_external_identifier_on_entry_creation(external_identifier)
+
             obj.identifier = obj.generate_new_identifier()
-            obj.title = properties["title"]
+            obj.title = properties.get("title", None)
-            self._set_responsibility(obj, properties["responsible"])
+            self._set_responsibility(obj, properties.get("responsible", None))
-            self._set_legal(obj, properties["legal"])
+            self._set_legal(obj, properties.get("legal", None))
 
             obj.responsible.handler.save()
             obj.responsible.save()
@@ -161,6 +165,7 @@ class InterventionAPISerializerV1(AbstractModelAPISerializerV1,
             obj.legal.save()
             obj.save()
 
+        self._set_external_identifier(obj.id, external_identifier, obj.created)
         obj.users.add(user)
         obj.log.add(obj.created)
 
@@ -186,7 +191,7 @@ class InterventionAPISerializerV1(AbstractModelAPISerializerV1,
 
             # Fill in data to objects
             properties = json_model["properties"]
-            obj.title = properties["title"]
+            obj.title = properties.get("title")
             self._set_responsibility(obj, properties.get("responsible", None))
             self._set_legal(obj, properties.get("legal", None))
             self._set_payments(obj, properties.get("payments", None))
@@ -200,6 +205,7 @@ class InterventionAPISerializerV1(AbstractModelAPISerializerV1,
             obj.save()
 
         obj.mark_as_edited(user, edit_comment="API update")
+        self._set_external_identifier(obj.id, properties.get("external_identifier", None), update_action)
         obj.send_data_to_egon()
 
         celery_update_parcels.delay(obj.geometry.id)

api/utils/serializer/v1/serializer.py

@@ -12,6 +12,7 @@ from django.contrib.gis.geos import MultiPolygon
 from django.core.exceptions import ObjectDoesNotExist
 from django.db.models import QuerySet
 
+from api.models import ExternalIdentifier
 from api.utils.serializer.serializer import AbstractModelAPISerializer
 from codelist.models import KonovaCode
 from codelist.settings import CODELIST_COMPENSATION_ACTION_ID, CODELIST_BIOTOPES_ID, CODELIST_PROCESS_TYPE_ID, \
@@ -39,12 +40,20 @@ class AbstractModelAPISerializerV1(AbstractModelAPISerializer):
         else:
             geom = MultiPolygon().geojson
         geo_json = json.loads(geom)
+        ext_ids = list(
+            ExternalIdentifier.objects.filter(
+                internal_id=entry.id
+            ).values_list(
+                "external_id", flat=True
+            )
+        )
         self.properties_data = {
             "id": entry.id,
             "identifier": entry.identifier,
             "title": entry.title,
             "created_on": self._created_on_to_json(entry),
             "modified_on": self._modified_on_to_json(entry),
+            "external_identifiers": ext_ids,
         }
         self._extend_properties_data(entry)
         geo_json["properties"] = self.properties_data
@@ -137,6 +146,57 @@ class AbstractModelAPISerializerV1(AbstractModelAPISerializer):
         success = entry.deleted is not None
         return success
 
+    def _set_external_identifier(self, internal_identifier, external_identifier, log_entry):
+        """ If an external identifier was provided in the payload, we set it
+        in the database
+
+        Args:
+            internal_identifier (BaseObject): The already processed konova object (EIV, KOM, ...)
+            external_identifier (any): The external identifier taken from the payload
+
+        Returns:
+
+        """
+        if external_identifier is None:
+            return None
+
+        ext_id_obj = ExternalIdentifier.objects.get_or_create(
+            internal_id=internal_identifier,
+            external_id=external_identifier
+        )[0]
+        if not ext_id_obj.created:
+            ext_id_obj.created = log_entry
+            ext_id_obj.save()
+
+        return ext_id_obj
+
+    def _get_external_identifier(self, external_identifier):
+        """ Checks whether a linkage based on an external identifier already exists and returns it if so.
+
+        Args:
+            external_identifier (any): The external identifier according to payload
+
+        Returns:
+            ExternalIdentifier | None
+        """
+        return ExternalIdentifier.resolve_external_identifier(external_identifier)
+
+    def _check_external_identifier_on_entry_creation(self, external_identifier):
+        """ Special check for POST processing:
+        Checks whether an external identifier already exists on the database. This hints that
+        the entry already has been created in the past. Instead of POST, the PUT method shall be used
+        to avoid creating duplicates.
+
+        Args:
+            external_identifier (any): The external identifier according to payload
+
+        Returns:
+
+        """
+        persisted_external_identifier = self._get_external_identifier(external_identifier)
+        if persisted_external_identifier:
+            raise AssertionError(f"{external_identifier} has already been initially created! Use PUT for updates!")
+
 
 class DeductableAPISerializerV1Mixin:
     class Meta:

api/views/views.py

@@ -6,13 +6,14 @@ Created on: 21.01.22
 
 """
 import json
+import uuid
 
-from django.db.models import QuerySet
+from django.db.models import QuerySet, Q
 from django.http import JsonResponse, HttpRequest
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 
-from api.models import APIUserToken
+from api.models import APIUserToken, ExternalIdentifier
 from api.settings import KSP_TOKEN_HEADER_IDENTIFIER, KSP_USER_HEADER_IDENTIFIER
 from compensation.models import EcoAccount
 from ema.models import Ema
@@ -205,6 +206,10 @@ class AbstractModelShareAPIView(AbstractAPIView):
 
         """
         try:
+            external_identifier = ExternalIdentifier.resolve_external_identifier(id)
+            if external_identifier:
+                id = external_identifier.internal_id
+
             users = self._get_shared_users_of_object(id)
             teams = self._get_shared_teams_of_object(id)
         except Exception as e:
@@ -237,6 +242,9 @@ class AbstractModelShareAPIView(AbstractAPIView):
         """
 
         try:
+            external_identifier = ExternalIdentifier.resolve_external_identifier(id)
+            if external_identifier:
+                id = external_identifier.internal_id
             success = self._process_put_body(request.body, id)
         except Exception as e:
             return self._return_error_response(e)
@@ -309,22 +317,36 @@ class AbstractModelShareAPIView(AbstractAPIView):
             raise ValueError("Shared user list must not be empty!")
         new_teams = content.get("teams", [])
 
+        self.__process_user_sharing(new_users, obj)
+        self.__process_team_sharing(new_teams, obj)
+
+        return True
+
+    def __process_user_sharing(self, user_list: list, obj):
+        """ Processes API sharing for user payload
+
+        Args:
+            user_list (list): A list of users to share the obj with
+            obj (BaseObject): The shareable object
+
+        Returns:
+
+        """
         # Eliminate duplicates
-        new_users = list(dict.fromkeys(new_users))
+        new_users = list(dict.fromkeys(user_list))
-        new_teams = list(dict.fromkeys(new_teams))
 
         # Make sure each of these names exist as a user
         new_users_objs = []
         for user in new_users:
-            new_users_objs.append(User.objects.get(username=user))
+            try:
-
+                user_obj = User.objects.get(username=user)
-        # Make sure each of these names exist as a user
+            except User.DoesNotExist:
-        new_teams_objs = []
+                raise AssertionError(f"User with username {user} does not exist")
-        for team_name in new_teams:
+            new_users_objs.append(user_obj)
-            new_teams_objs.append(Team.objects.get(name=team_name))
 
         if self.user.is_default_group_only():
             # Default only users are not allowed to remove other users from having access. They can only add new ones!
+            # So we need to keep the ones that already have access from being removed!
             new_users_to_be_added = User.objects.filter(
                 username__in=new_users
             ).exclude(
@@ -332,17 +354,44 @@ class AbstractModelShareAPIView(AbstractAPIView):
             )
             new_users_objs = obj.shared_users.union(new_users_to_be_added)
 
-            new_teams_to_be_added = Team.objects.filter(
-                name__in=new_teams
-            ).exclude(
-                id__in=obj.shared_teams
-            )
-            new_teams_objs = obj.shared_teams.union(new_teams_to_be_added)
-
         obj.share_with_user_list(new_users_objs)
-        obj.share_with_team_list(new_teams_objs)
-        return True
 
+    def __process_team_sharing(self, team_list: list, obj):
+        """ Processes API sharing for team payload
+
+        Args:
+            team_list (list): A list of teams to share the obj with
+            obj (BaseObject): The shareable object
+
+        Returns:
+
+        """
+        # Eliminate duplicates
+        new_teams = list(dict.fromkeys(team_list))
+
+        # Resolve team names or ids into objects
+        new_team_ids = []
+        for team in new_teams:
+            try:
+                uuid.UUID(team)
+                try:
+                    new_team_ids.append(Team.objects.get(id=team).id)
+                except Team.DoesNotExist:
+                    raise AssertionError(f"Team with id {team} does not exist!")
+            except ValueError:
+                # entry is a name and not a uuid -> try to resolve as name!
+                try:
+                    new_team_ids.append(Team.objects.get(name=team).id)
+                except Team.DoesNotExist:
+                    raise AssertionError(f"Team with name {team} does not exist!")
+
+        new_team_objs = Team.objects.filter(id__in=new_team_ids)
+        if self.user.is_default_group_only():
+            # Default only users are not allowed to remove other users from having access. They can only add new ones!
+            # So we need to keep the ones that already have access from being removed!
+            new_team_objs = obj.shared_teams.union(new_team_objs)
+
+        obj.share_with_team_list(new_team_objs)
 
 class InterventionAPIShareView(AbstractModelShareAPIView):
     model = Intervention

intervention/tests/test_views.py

@@ -36,6 +36,7 @@ class InterventionViewTestCase(BaseViewTestCase):
         self.run_check_url = reverse("intervention:check", args=(self.intervention.id,))
         self.record_url = reverse("intervention:record", args=(self.intervention.id,))
         self.report_url = reverse("intervention:report", args=(self.intervention.id,))
+        self.compensation_remove_url = reverse("intervention:remove-compensation", args=(self.compensation.intervention.id, self.compensation.id))
 
         self.deduction.intervention = self.intervention
         self.deduction.save()
@@ -83,6 +84,7 @@ class InterventionViewTestCase(BaseViewTestCase):
             self.revocation_new_url: f"{login_redirect_base}{self.revocation_new_url}",
             self.revocation_edit_url: f"{login_redirect_base}{self.revocation_edit_url}",
             self.revocation_remove_url: f"{login_redirect_base}{self.revocation_remove_url}",
+            self.compensation_remove_url: f"{login_redirect_base}{self.compensation_remove_url}",
         }
 
         self.assert_url_success(client, success_urls)
@@ -124,6 +126,7 @@ class InterventionViewTestCase(BaseViewTestCase):
             self.deduction_new_url,
             self.deduction_edit_url,
             self.deduction_remove_url,
+            self.compensation_remove_url,
         ]
 
         self.assert_url_success(client, success_urls)
@@ -162,6 +165,7 @@ class InterventionViewTestCase(BaseViewTestCase):
             self.deduction_new_url,
             self.deduction_edit_url,
             self.deduction_remove_url,
+            self.compensation_remove_url,
         ]
         fail_urls = [
             self.run_check_url,
@@ -212,6 +216,7 @@ class InterventionViewTestCase(BaseViewTestCase):
             self.deduction_new_url,
             self.deduction_edit_url,
             self.deduction_remove_url,
+            self.compensation_remove_url,
         ]
         success_urls_redirect = {
             self.share_url: self.detail_url
@@ -258,6 +263,7 @@ class InterventionViewTestCase(BaseViewTestCase):
             self.deduction_new_url,
             self.deduction_edit_url,
             self.deduction_remove_url,
+            self.compensation_remove_url,
         ]
         success_urls_redirect = {
             self.share_url: self.detail_url
@@ -304,6 +310,7 @@ class InterventionViewTestCase(BaseViewTestCase):
             self.deduction_new_url,
             self.deduction_edit_url,
             self.deduction_remove_url,
+            self.compensation_remove_url,
         ]
         success_urls_redirect = {
             self.share_url: self.detail_url
@@ -350,6 +357,7 @@ class InterventionViewTestCase(BaseViewTestCase):
             self.deduction_new_url,
             self.deduction_edit_url,
             self.deduction_remove_url,
+            self.compensation_remove_url,
         ]
         success_urls_redirect = {
             self.share_url: self.detail_url
@@ -396,6 +404,7 @@ class InterventionViewTestCase(BaseViewTestCase):
             self.deduction_new_url,
             self.deduction_edit_url,
             self.deduction_remove_url,
+            self.compensation_remove_url,
         ]
         # Define urls where a redirect to a specific location is the proper response
         success_urls_redirect = {

intervention/views/compensation.py

@@ -14,7 +14,7 @@ from django.utils.decorators import method_decorator
 from django.views import View
 
 from intervention.models import Intervention
-from konova.decorators import shared_access_required
+from konova.decorators import shared_access_required, default_group_required
 from konova.forms.modals import RemoveModalForm
 from konova.utils.message_templates import COMPENSATION_REMOVED_TEMPLATE
 
@@ -45,10 +45,12 @@ class RemoveCompensationFromInterventionView(LoginRequiredMixin, View):
             redirect_url=reverse("intervention:detail", args=(id,)) + "#related_data",
         )
 
+    @method_decorator(default_group_required)
     @method_decorator(shared_access_required(Intervention, "id"))
     def get(self, request, id: str, comp_id: str, *args, **kwargs) -> HttpResponse:
         return self.__process_request(request, id, comp_id, *args, **kwargs)
 
+    @method_decorator(default_group_required)
     @method_decorator(shared_access_required(Intervention, "id"))
     def post(self, request, id: str, comp_id: str, *args, **kwargs) -> HttpResponse:
         return self.__process_request(request, id, comp_id, *args, **kwargs)

konova/utils/generators.py

@@ -5,22 +5,18 @@ Contact: michel.peltriaux@sgdnord.rlp.de
 Created on: 09.11.20
 
 """
-import random
+import secrets
 import string
-import qrcode
-import qrcode.image.svg
-
-from io import BytesIO
 
 
-def generate_token() -> str:
+def generate_token(length: int = 64) -> str:
     """ Shortcut for default generating of e.g. API token
 
     Returns:
         token (str)
     """
     return generate_random_string(
-        length=64,
+        length=length,
         use_numbers=True,
         use_letters_lc=True
     )
@@ -39,7 +35,7 @@ def generate_random_string(length: int, use_numbers: bool = False, use_letters_l
         elements.append(string.ascii_uppercase)
 
     elements = "".join(elements)
-    ret_val = "".join(random.choice(elements) for i in range(length))
+    ret_val = "".join(secrets.choice(elements) for i in range(length))
     return ret_val
 
 class IdentifierGenerator:

konova/utils/qrcode.py

@@ -30,15 +30,17 @@ class QrCode:
         Returns:
             qrcode_svg (str): The qr code as svg
         """
-        img_factory = svg.SvgImage
+        qr = qrcode.QRCode(
-        qrcode_img = qrcode.make(
+            image_factory=qrcode.image.svg.SvgPathImage,
-            content,
-            image_factory=img_factory,
             box_size=size
         )
-        stream = BytesIO()
+        qr.add_data(content)
-        qrcode_img.save(stream)
+        qr.make(
-        return stream.getvalue().decode()
+            fit=True
+        )
+
+        img = qr.make_image()
+        return img.to_string(encoding="unicode")
 
     def get_img(self):
         return self._img

requirements.txt

@@ -4,62 +4,62 @@ async-timeout==5.0.1
 beautifulsoup4==4.14.3
 billiard==4.2.4
 cached-property==2.0.1
-celery==5.6.2
+celery==5.6.3
-certifi==2026.2.25
+certifi==2026.4.22
 cffi==2.0.0
-chardet==6.0.0.post1
+chardet==7.4.3
-charset-normalizer==3.4.4
+charset-normalizer==3.4.7
-click==8.3.1
+click==8.3.3
 click-didyoumean==0.3.1
 click-plugins==1.1.1.2
 click-repl==0.3.0
-coverage==7.13.4
+coverage==7.13.5
-cryptography==46.0.5
+cryptography==48.0.0
 Deprecated==1.3.1
-Django==6.0.2
+Django==6.0.5
-django-autocomplete-light==3.12.1
+django-autocomplete-light==4.0.0
 django-bootstrap-modal-forms==3.0.5
 django-bootstrap4==26.1
 django-environ==0.13.0
 django-filter==25.2
 django-fontawesome-5==1.0.18
 django-oauth-toolkit==3.2.0
-django-tables2==2.8.0
+django-tables2==3.0.0
 et_xmlfile==2.0.0
-gunicorn==25.1.0
+gunicorn==26.0.0
-idna==3.11
+idna==3.13
-importlib_metadata==8.7.1
+importlib_metadata==9.0.0
 itsdangerous==2.2.0
-jwcrypto==1.5.6
+jwcrypto==1.5.7
 kombu==5.6.2
 oauthlib==3.3.1
 openpyxl==3.2.0b1
-packaging==26.0
+packaging==26.2
-pika==1.3.2
+pika==1.4.0
-pillow==12.1.1
+pillow==12.2.0
 prompt_toolkit==3.0.52
-psycopg==3.3.3
+psycopg==3.3.4
-psycopg-binary==3.3.3
+psycopg-binary==3.3.4
 pycparser==3.0
 pyparsing==3.3.2
 pypng==0.20220715.0
 pyproj==3.7.2
 python-dateutil==2.9.0.post0
-pytz==2025.2
+pytz==2026.2
 PyYAML==6.0.3
 qrcode==8.2
-redis==7.2.1
+redis==7.4.0
-requests==2.32.5
+requests==2.33.1
 six==1.17.0
 soupsieve==2.8.3
 sqlparse==0.5.5
 typing_extensions==4.15.0
-tzdata==2025.3
+tzdata==2026.2
 tzlocal==5.3.1
-urllib3==2.6.3
+urllib3==2.7.0
 vine==5.1.0
-wcwidth==0.6.0
+wcwidth==0.7.0
 webservices==0.7
-wrapt==2.1.1
+wrapt==2.1.2
 xmltodict==1.0.4
-zipp==3.23.0
+zipp==3.23.1

templates/generic_index.html

@@ -70,7 +70,7 @@
                         </div>
                         <div class="dropdown-menu dropdown-menu-right">
                             {% for rpp_option in table.results_per_page_choices %}
-                                <a class="dropdown-item {% if table.results_per_page_chosen == rpp_option %}selected{% endif %}" href="{% querystring table.results_per_page_parameter=rpp_option %}">
+                                <a class="dropdown-item {% if table.results_per_page_chosen == rpp_option %}selected{% endif %}" href="{% querystring %}&{{ table.results_per_page_parameter}}={{rpp_option }}">
                                     {{ rpp_option }}
                                 </a>
                             {% endfor %}

templates/map/client/libs/jspdf/1.3.2/jspdf.debug.js

@@ -9615,212 +9615,212 @@ Copyright (c) 2012 Willow Systems Corporation, willow-systems.com
     };
 })(jsPDF.API);
 
-/* Blob.js
+/* Blob.js
- * A Blob implementation.
+ * A Blob implementation.
- * 2014-07-24
+ * 2014-07-24
- *
+ *
- * By Eli Grey, http://eligrey.com
+ * By Eli Grey, http://eligrey.com
- * By Devin Samarin, https://github.com/dsamarin
+ * By Devin Samarin, https://github.com/dsamarin
- * License: X11/MIT
+ * License: X11/MIT
- *   See https://github.com/eligrey/Blob.js/blob/master/LICENSE.md
+ *   See https://github.com/eligrey/Blob.js/blob/master/LICENSE.md
- */
+ */
-
+
-/*global self, unescape */
+/*global self, unescape */
-/*jslint bitwise: true, regexp: true, confusion: true, es5: true, vars: true, white: true,
+/*jslint bitwise: true, regexp: true, confusion: true, es5: true, vars: true, white: true,
-  plusplus: true */
+  plusplus: true */
-
+
-/*! @source http://purl.eligrey.com/github/Blob.js/blob/master/Blob.js */
+/*! @source http://purl.eligrey.com/github/Blob.js/blob/master/Blob.js */
-
+
-(function (view) {
+(function (view) {
-	"use strict";
+	"use strict";
-
+
-	view.URL = view.URL || view.webkitURL;
+	view.URL = view.URL || view.webkitURL;
-
+
-	if (view.Blob && view.URL) {
+	if (view.Blob && view.URL) {
-		try {
+		try {
-			new Blob;
+			new Blob;
-			return;
+			return;
-		} catch (e) {}
+		} catch (e) {}
-	}
+	}
-
+
-	// Internally we use a BlobBuilder implementation to base Blob off of
+	// Internally we use a BlobBuilder implementation to base Blob off of
-	// in order to support older browsers that only have BlobBuilder
+	// in order to support older browsers that only have BlobBuilder
-	var BlobBuilder = view.BlobBuilder || view.WebKitBlobBuilder || view.MozBlobBuilder || (function(view) {
+	var BlobBuilder = view.BlobBuilder || view.WebKitBlobBuilder || view.MozBlobBuilder || (function(view) {
-		var
+		var
-			  get_class = function(object) {
+			  get_class = function(object) {
-				return Object.prototype.toString.call(object).match(/^\[object\s(.*)\]$/)[1];
+				return Object.prototype.toString.call(object).match(/^\[object\s(.*)\]$/)[1];
-			}
+			}
-			, FakeBlobBuilder = function BlobBuilder() {
+			, FakeBlobBuilder = function BlobBuilder() {
-				this.data = [];
+				this.data = [];
-			}
+			}
-			, FakeBlob = function Blob(data, type, encoding) {
+			, FakeBlob = function Blob(data, type, encoding) {
-				this.data = data;
+				this.data = data;
-				this.size = data.length;
+				this.size = data.length;
-				this.type = type;
+				this.type = type;
-				this.encoding = encoding;
+				this.encoding = encoding;
-			}
+			}
-			, FBB_proto = FakeBlobBuilder.prototype
+			, FBB_proto = FakeBlobBuilder.prototype
-			, FB_proto = FakeBlob.prototype
+			, FB_proto = FakeBlob.prototype
-			, FileReaderSync = view.FileReaderSync
+			, FileReaderSync = view.FileReaderSync
-			, FileException = function(type) {
+			, FileException = function(type) {
-				this.code = this[this.name = type];
+				this.code = this[this.name = type];
-			}
+			}
-			, file_ex_codes = (
+			, file_ex_codes = (
-				  "NOT_FOUND_ERR SECURITY_ERR ABORT_ERR NOT_READABLE_ERR ENCODING_ERR "
+				  "NOT_FOUND_ERR SECURITY_ERR ABORT_ERR NOT_READABLE_ERR ENCODING_ERR "
-				+ "NO_MODIFICATION_ALLOWED_ERR INVALID_STATE_ERR SYNTAX_ERR"
+				+ "NO_MODIFICATION_ALLOWED_ERR INVALID_STATE_ERR SYNTAX_ERR"
-			).split(" ")
+			).split(" ")
-			, file_ex_code = file_ex_codes.length
+			, file_ex_code = file_ex_codes.length
-			, real_URL = view.URL || view.webkitURL || view
+			, real_URL = view.URL || view.webkitURL || view
-			, real_create_object_URL = real_URL.createObjectURL
+			, real_create_object_URL = real_URL.createObjectURL
-			, real_revoke_object_URL = real_URL.revokeObjectURL
+			, real_revoke_object_URL = real_URL.revokeObjectURL
-			, URL = real_URL
+			, URL = real_URL
-			, btoa = view.btoa
+			, btoa = view.btoa
-			, atob = view.atob
+			, atob = view.atob
-
+
-			, ArrayBuffer = view.ArrayBuffer
+			, ArrayBuffer = view.ArrayBuffer
-			, Uint8Array = view.Uint8Array
+			, Uint8Array = view.Uint8Array
-
+
-			, origin = /^[\w-]+:\/*\[?[\w\.:-]+\]?(?::[0-9]+)?/;
+			, origin = /^[\w-]+:\/*\[?[\w\.:-]+\]?(?::[0-9]+)?/;
-		FakeBlob.fake = FB_proto.fake = true;
+		FakeBlob.fake = FB_proto.fake = true;
-		while (file_ex_code--) {
+		while (file_ex_code--) {
-			FileException.prototype[file_ex_codes[file_ex_code]] = file_ex_code + 1;
+			FileException.prototype[file_ex_codes[file_ex_code]] = file_ex_code + 1;
-		}
+		}
-		// Polyfill URL
+		// Polyfill URL
-		if (!real_URL.createObjectURL) {
+		if (!real_URL.createObjectURL) {
-			URL = view.URL = function(uri) {
+			URL = view.URL = function(uri) {
-				var
+				var
-					  uri_info = document.createElementNS("http://www.w3.org/1999/xhtml", "a")
+					  uri_info = document.createElementNS("http://www.w3.org/1999/xhtml", "a")
-					, uri_origin;
+					, uri_origin;
-				uri_info.href = uri;
+				uri_info.href = uri;
-				if (!("origin" in uri_info)) {
+				if (!("origin" in uri_info)) {
-					if (uri_info.protocol.toLowerCase() === "data:") {
+					if (uri_info.protocol.toLowerCase() === "data:") {
-						uri_info.origin = null;
+						uri_info.origin = null;
-					} else {
+					} else {
-						uri_origin = uri.match(origin);
+						uri_origin = uri.match(origin);
-						uri_info.origin = uri_origin && uri_origin[1];
+						uri_info.origin = uri_origin && uri_origin[1];
-					}
+					}
-				}
+				}
-				return uri_info;
+				return uri_info;
-			};
+			};
-		}
+		}
-		URL.createObjectURL = function(blob) {
+		URL.createObjectURL = function(blob) {
-			var
+			var
-				  type = blob.type
+				  type = blob.type
-				, data_URI_header;
+				, data_URI_header;
-			if (type === null) {
+			if (type === null) {
-				type = "application/octet-stream";
+				type = "application/octet-stream";
-			}
+			}
-			if (blob instanceof FakeBlob) {
+			if (blob instanceof FakeBlob) {
-				data_URI_header = "data:" + type;
+				data_URI_header = "data:" + type;
-				if (blob.encoding === "base64") {
+				if (blob.encoding === "base64") {
-					return data_URI_header + ";base64," + blob.data;
+					return data_URI_header + ";base64," + blob.data;
-				} else if (blob.encoding === "URI") {
+				} else if (blob.encoding === "URI") {
-					return data_URI_header + "," + decodeURIComponent(blob.data);
+					return data_URI_header + "," + decodeURIComponent(blob.data);
-				} if (btoa) {
+				} if (btoa) {
-					return data_URI_header + ";base64," + btoa(blob.data);
+					return data_URI_header + ";base64," + btoa(blob.data);
-				} else {
+				} else {
-					return data_URI_header + "," + encodeURIComponent(blob.data);
+					return data_URI_header + "," + encodeURIComponent(blob.data);
-				}
+				}
-			} else if (real_create_object_URL) {
+			} else if (real_create_object_URL) {
-				return real_create_object_URL.call(real_URL, blob);
+				return real_create_object_URL.call(real_URL, blob);
-			}
+			}
-		};
+		};
-		URL.revokeObjectURL = function(object_URL) {
+		URL.revokeObjectURL = function(object_URL) {
-			if (object_URL.substring(0, 5) !== "data:" && real_revoke_object_URL) {
+			if (object_URL.substring(0, 5) !== "data:" && real_revoke_object_URL) {
-				real_revoke_object_URL.call(real_URL, object_URL);
+				real_revoke_object_URL.call(real_URL, object_URL);
-			}
+			}
-		};
+		};
-		FBB_proto.append = function(data/*, endings*/) {
+		FBB_proto.append = function(data/*, endings*/) {
-			var bb = this.data;
+			var bb = this.data;
-			// decode data to a binary string
+			// decode data to a binary string
-			if (Uint8Array && (data instanceof ArrayBuffer || data instanceof Uint8Array)) {
+			if (Uint8Array && (data instanceof ArrayBuffer || data instanceof Uint8Array)) {
-				var
+				var
-					  str = ""
+					  str = ""
-					, buf = new Uint8Array(data)
+					, buf = new Uint8Array(data)
-					, i = 0
+					, i = 0
-					, buf_len = buf.length;
+					, buf_len = buf.length;
-				for (; i < buf_len; i++) {
+				for (; i < buf_len; i++) {
-					str += String.fromCharCode(buf[i]);
+					str += String.fromCharCode(buf[i]);
-				}
+				}
-				bb.push(str);
+				bb.push(str);
-			} else if (get_class(data) === "Blob" || get_class(data) === "File") {
+			} else if (get_class(data) === "Blob" || get_class(data) === "File") {
-				if (FileReaderSync) {
+				if (FileReaderSync) {
-					var fr = new FileReaderSync;
+					var fr = new FileReaderSync;
-					bb.push(fr.readAsBinaryString(data));
+					bb.push(fr.readAsBinaryString(data));
-				} else {
+				} else {
-					// async FileReader won't work as BlobBuilder is sync
+					// async FileReader won't work as BlobBuilder is sync
-					throw new FileException("NOT_READABLE_ERR");
+					throw new FileException("NOT_READABLE_ERR");
-				}
+				}
-			} else if (data instanceof FakeBlob) {
+			} else if (data instanceof FakeBlob) {
-				if (data.encoding === "base64" && atob) {
+				if (data.encoding === "base64" && atob) {
-					bb.push(atob(data.data));
+					bb.push(atob(data.data));
-				} else if (data.encoding === "URI") {
+				} else if (data.encoding === "URI") {
-					bb.push(decodeURIComponent(data.data));
+					bb.push(decodeURIComponent(data.data));
-				} else if (data.encoding === "raw") {
+				} else if (data.encoding === "raw") {
-					bb.push(data.data);
+					bb.push(data.data);
-				}
+				}
-			} else {
+			} else {
-				if (typeof data !== "string") {
+				if (typeof data !== "string") {
-					data += ""; // convert unsupported types to strings
+					data += ""; // convert unsupported types to strings
-				}
+				}
-				// decode UTF-16 to binary string
+				// decode UTF-16 to binary string
-				bb.push(unescape(encodeURIComponent(data)));
+				bb.push(unescape(encodeURIComponent(data)));
-			}
+			}
-		};
+		};
-		FBB_proto.getBlob = function(type) {
+		FBB_proto.getBlob = function(type) {
-			if (!arguments.length) {
+			if (!arguments.length) {
-				type = null;
+				type = null;
-			}
+			}
-			return new FakeBlob(this.data.join(""), type, "raw");
+			return new FakeBlob(this.data.join(""), type, "raw");
-		};
+		};
-		FBB_proto.toString = function() {
+		FBB_proto.toString = function() {
-			return "[object BlobBuilder]";
+			return "[object BlobBuilder]";
-		};
+		};
-		FB_proto.slice = function(start, end, type) {
+		FB_proto.slice = function(start, end, type) {
-			var args = arguments.length;
+			var args = arguments.length;
-			if (args < 3) {
+			if (args < 3) {
-				type = null;
+				type = null;
-			}
+			}
-			return new FakeBlob(
+			return new FakeBlob(
-				  this.data.slice(start, args > 1 ? end : this.data.length)
+				  this.data.slice(start, args > 1 ? end : this.data.length)
-				, type
+				, type
-				, this.encoding
+				, this.encoding
-			);
+			);
-		};
+		};
-		FB_proto.toString = function() {
+		FB_proto.toString = function() {
-			return "[object Blob]";
+			return "[object Blob]";
-		};
+		};
-		FB_proto.close = function() {
+		FB_proto.close = function() {
-			this.size = 0;
+			this.size = 0;
-			delete this.data;
+			delete this.data;
-		};
+		};
-		return FakeBlobBuilder;
+		return FakeBlobBuilder;
-	}(view));
+	}(view));
-
+
-	view.Blob = function(blobParts, options) {
+	view.Blob = function(blobParts, options) {
-		var type = options ? (options.type || "") : "";
+		var type = options ? (options.type || "") : "";
-		var builder = new BlobBuilder();
+		var builder = new BlobBuilder();
-		if (blobParts) {
+		if (blobParts) {
-			for (var i = 0, len = blobParts.length; i < len; i++) {
+			for (var i = 0, len = blobParts.length; i < len; i++) {
-				if (Uint8Array && blobParts[i] instanceof Uint8Array) {
+				if (Uint8Array && blobParts[i] instanceof Uint8Array) {
-					builder.append(blobParts[i].buffer);
+					builder.append(blobParts[i].buffer);
-				}
+				}
-				else {
+				else {
-					builder.append(blobParts[i]);
+					builder.append(blobParts[i]);
-				}
+				}
-			}
+			}
-		}
+		}
-		var blob = builder.getBlob(type);
+		var blob = builder.getBlob(type);
-		if (!blob.slice && blob.webkitSlice) {
+		if (!blob.slice && blob.webkitSlice) {
-			blob.slice = blob.webkitSlice;
+			blob.slice = blob.webkitSlice;
-		}
+		}
-		return blob;
+		return blob;
-	};
+	};
-
+
-	var getPrototypeOf = Object.getPrototypeOf || function(object) {
+	var getPrototypeOf = Object.getPrototypeOf || function(object) {
-		return object.__proto__;
+		return object.__proto__;
-	};
+	};
-	view.Blob.prototype = getPrototypeOf(new view.Blob());
+	view.Blob.prototype = getPrototypeOf(new view.Blob());
 }(typeof self !== "undefined" && self || typeof window !== "undefined" && window || undefined.content || undefined));
 
 /* FileSaver.js

user/views/propagate.py

@@ -7,9 +7,10 @@ Created on: 10.05.24
 """
 import base64
 import hashlib
+import http
 import json
 
-from cryptography.fernet import Fernet
+from cryptography.fernet import Fernet, InvalidToken
 from django.core.exceptions import ObjectDoesNotExist
 from django.http import HttpRequest, JsonResponse
 from django.utils.decorators import method_decorator
@@ -27,34 +28,77 @@ class PropagateUserView(View):
     proper rights management)
 
     """
+    class PropagateStatus:
+        UNPROCESSED = "unprocessed"
+        UPDATED = "updated"
+        CREATED = "created"
 
     @method_decorator(csrf_exempt)
     def dispatch(self, request, *args, **kwargs):
         return super().dispatch(request, *args, **kwargs)
 
     def post(self, request: HttpRequest, *args, **kwargs):
+        response_data = {
+            "success": None,
+            "status": None
+        }
+
         # Decrypt
         encrypted_body = request.body
         _hash = hashlib.md5()
         _hash.update(PROPAGATION_SECRET.encode("utf-8"))
         key = base64.urlsafe_b64encode(_hash.hexdigest().encode("utf-8"))
         fernet = Fernet(key)
-        body = fernet.decrypt(encrypted_body).decode("utf-8")
-        body = json.loads(body)
-
         try:
-            status = "updated"
+            body = fernet.decrypt(encrypted_body).decode("utf-8")
-            user = User.resolve_user_using_propagation_data(body)
+            body = json.loads(body)
-            user = user.update_user_using_propagation_data(body)
+        except InvalidToken:
-        except ObjectDoesNotExist:
+            response_data["error"] = "Invalid Token"
-            user = User(**body)
+            response_data["success"] = False
-            status = "created"
+            response_data["status"] = self.PropagateStatus.UNPROCESSED
+            return JsonResponse(
+                status=http.HTTPStatus.UNPROCESSABLE_CONTENT,
+                data=response_data
+            )
+        except (json.JSONDecodeError) as e:
+            response_data["error"] = str(e)
+            response_data["success"] = False
+            response_data["status"] = self.PropagateStatus.UNPROCESSED
+            return JsonResponse(
+                status=http.HTTPStatus.UNPROCESSABLE_CONTENT,
+                data=response_data
+            )
+
+        # Process decrypted user data
+        processing_ret_vals = self.__process_user_data(body)
+        response_data["success"] = processing_ret_vals[0]
+        response_data["status"] = processing_ret_vals[1]
+        user = processing_ret_vals[2]
+
         user.set_unusable_password()
         user.save()
 
-        data = {
+        return JsonResponse(
-            "success": True,
+            status=http.HTTPStatus.OK,
-            "status": status
+            data=response_data
-        }
+        )
 
-        return JsonResponse(data)
+    def __process_user_data(self, body: dict) -> (bool, str, User):
+        """ Process decrypted user data
+
+        Args:
+            body:
+
+        Returns:
+            success (bool): Whether the processing was successful
+            status (str): In which way the data was used ('created' | 'updated')
+            user (User): Processed user object
+        """
+        try:
+            user = User.resolve_user_using_propagation_data(body)
+            user = user.update_user_using_propagation_data(body)
+            status = self.PropagateStatus.UPDATED
+        except ObjectDoesNotExist:
+            user = User(**body)
+            status = self.PropagateStatus.CREATED
+        return True, status, user