Compare commits

...

9 Commits

Author SHA1 Message Date
mpeltriaux 28db96b081 Merge pull request '# Geometry conflicts on API' (#544) from 534_Return_geometry_conflicts_on_API into master
Reviewed-on: #544
2026-06-17 11:58:55 +02:00
mpeltriaux cf53e69d74 # Geometry conflicts on API
* refactors internal fetching of GeometryConflict data
* adds serializing of GeometryConflict entry data (identifier, id) to GET API calls
2026-06-17 11:57:19 +02:00
mpeltriaux 6f2b6c44d9 Merge pull request '541 security improvements' (#542) from 541_Security_improvements into master
Reviewed-on: #542
2026-06-13 13:42:46 +02:00
mpeltriaux 494e80a4ac # Intervention remove compensation
* adds default role check for intervention's compensation removing endpoint
2026-06-13 13:41:45 +02:00
mpeltriaux 1f6c81874b # User propagation
* adds exception catching if gibberish data is sent to POST endpoint of user data propagation
* commits 'changed' manage.py and jspdf.debug.js despite being identical with repo files (git wants it, git gets it)
2026-06-13 13:33:17 +02:00
mpeltriaux 9ee016a8bb # Token generator
* improves reliability of generated token randomness
2026-06-13 12:57:19 +02:00
mpeltriaux 93d29982a6 Merge pull request '538_API_share_with_ids' (#539) from 538_API_share_with_ids into master
Reviewed-on: #539
2026-05-14 13:04:59 +00:00
mpeltriaux 59a1bdfb1c # API team ID based sharing
* extents api sharing via team name with team id, so that both ways are supported now
* updates tests
2026-05-14 15:04:24 +02:00
mpeltriaux 056a92b068 # API Refactoring sharing
* refactors team and user sharing by splitting into more maintainable blocks of code
2026-05-14 13:58:26 +02:00
13 changed files with 453 additions and 286 deletions
+18
View File
@@ -31,3 +31,21 @@ class ExternalIdentifier(models.Model):
def __str__(self):
return f"{self.external_id} -> {self.internal_id}"
@staticmethod
def resolve_external_identifier(external_identifier: str):
""" Returns a ExternalIdentifier object, if the given parameter could be resolved as an external identifier.
Args:
external_identifier (str): An external identifier.
Returns:
ExternalIdentifier | None
"""
if external_identifier:
try:
obj = ExternalIdentifier.objects.get(external_id=external_identifier)
return obj
except ExternalIdentifier.DoesNotExist:
pass
return None
+16 -9
View File
@@ -31,9 +31,10 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
def setUpTestData(cls):
super().setUpTestData()
def _run_share_request(self, url, user_list: list):
def _run_share_request(self, url, user_list: list, team_list: list):
data = {
"users": user_list
"users": user_list,
"teams": team_list
}
data = json.dumps(data)
response = self.client.put(
@@ -58,16 +59,22 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
self.superuser.username,
self.user.username,
]
team_list = [
str(self.team.id),
]
response = self._run_share_request(url, user_list)
response = self._run_share_request(url, user_list, team_list)
# Must fail, since performing user has no access on requested object
self.assertEqual(response.status_code, 500)
self.assertTrue(len(json.loads(response.content.decode("utf-8")).get("errors", [])) > 0)
# Add performing user to shared access users and rerun the request
# Add performing user to shared access users, switch from team id to team name and rerun the request
obj.users.add(self.superuser)
response = self._run_share_request(url, user_list)
team_list = [
self.team.name
]
response = self._run_share_request(url, user_list, team_list)
shared_users = obj.shared_users
self.assertEqual(response.status_code, 200)
@@ -84,14 +91,14 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
share_url = reverse("api:v1:intervention-share", args=(self.intervention.id,))
# Expect the first request to work properly
self.intervention.users.add(self.superuser)
response = self._run_share_request(share_url, [self.superuser.username])
response = self._run_share_request(share_url, [self.superuser.username], [str(self.team.id)])
self.assertEqual(response.status_code, 200)
# Change the token
self.header_data["HTTP_ksptoken"] = f"{self.superuser.api_token.token}__X"
# Expect the request to fail now
response = self._run_share_request(share_url, [self.superuser.username])
response = self._run_share_request(share_url, [self.superuser.username], [])
self.assertEqual(response.status_code, 403)
def test_api_intervention_sharing(self):
@@ -144,11 +151,11 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
self.assertEqual(self.intervention.users.count(), 1)
# Try to add another user via API -> must work!
response = self._run_share_request(share_url, [self.superuser.username, self.user.username])
response = self._run_share_request(share_url, [self.superuser.username, self.user.username], [])
self.assertEqual(response.status_code, 200)
self.assertEqual(self.intervention.users.count(), 2)
# Now try to remove the user again -> expect no changes at all to the shared user list
response = self._run_share_request(share_url, [self.superuser.username])
response = self._run_share_request(share_url, [self.superuser.username], [])
self.assertEqual(response.status_code, 200)
self.assertEqual(self.intervention.users.count(), 2)
+26
View File
@@ -202,3 +202,29 @@ class AbstractModelAPISerializer:
obj (Intervention)
"""
raise NotImplementedError("Must be implemented in subclasses")
def _geometry_conflicts_to_list(self, geometry) -> list:
""" Serializes geometry conflict ids into dict
Args:
geometry (Geometry): The geometry to fetch geometry conflicts from
Returns:
ids (list): Serialized geometry conflicts as dict objects inside a list
"""
ids = []
conflict_geometries = geometry.get_conflict_geometries()
for geom in conflict_geometries:
try:
data = geom.get_data_objects(["identifier", "id"])[0]
except KeyError:
raise AssertionError(f"Geometry {geom.id} is not attached to any entries. Contact an admin!")
ids.append(
{
"identifier": data["identifier"],
"id": data["id"],
}
)
return ids
+2 -7
View File
@@ -54,6 +54,7 @@ class AbstractModelAPISerializerV1(AbstractModelAPISerializer):
"created_on": self._created_on_to_json(entry),
"modified_on": self._modified_on_to_json(entry),
"external_identifiers": ext_ids,
"geometry_conflicts": self._geometry_conflicts_to_list(entry.geometry)
}
self._extend_properties_data(entry)
geo_json["properties"] = self.properties_data
@@ -179,13 +180,7 @@ class AbstractModelAPISerializerV1(AbstractModelAPISerializer):
Returns:
ExternalIdentifier | None
"""
if external_identifier:
try:
obj = ExternalIdentifier.objects.get(external_id=external_identifier)
return obj
except ObjectDoesNotExist:
pass
return None
return ExternalIdentifier.resolve_external_identifier(external_identifier)
def _check_external_identifier_on_entry_creation(self, external_identifier):
""" Special check for POST processing:
+68 -19
View File
@@ -6,13 +6,14 @@ Created on: 21.01.22
"""
import json
import uuid
from django.db.models import QuerySet
from django.db.models import QuerySet, Q
from django.http import JsonResponse, HttpRequest
from django.views import View
from django.views.decorators.csrf import csrf_exempt
from api.models import APIUserToken
from api.models import APIUserToken, ExternalIdentifier
from api.settings import KSP_TOKEN_HEADER_IDENTIFIER, KSP_USER_HEADER_IDENTIFIER
from compensation.models import EcoAccount
from ema.models import Ema
@@ -205,6 +206,10 @@ class AbstractModelShareAPIView(AbstractAPIView):
"""
try:
external_identifier = ExternalIdentifier.resolve_external_identifier(id)
if external_identifier:
id = external_identifier.internal_id
users = self._get_shared_users_of_object(id)
teams = self._get_shared_teams_of_object(id)
except Exception as e:
@@ -237,6 +242,9 @@ class AbstractModelShareAPIView(AbstractAPIView):
"""
try:
external_identifier = ExternalIdentifier.resolve_external_identifier(id)
if external_identifier:
id = external_identifier.internal_id
success = self._process_put_body(request.body, id)
except Exception as e:
return self._return_error_response(e)
@@ -309,22 +317,36 @@ class AbstractModelShareAPIView(AbstractAPIView):
raise ValueError("Shared user list must not be empty!")
new_teams = content.get("teams", [])
self.__process_user_sharing(new_users, obj)
self.__process_team_sharing(new_teams, obj)
return True
def __process_user_sharing(self, user_list: list, obj):
""" Processes API sharing for user payload
Args:
user_list (list): A list of users to share the obj with
obj (BaseObject): The shareable object
Returns:
"""
# Eliminate duplicates
new_users = list(dict.fromkeys(new_users))
new_teams = list(dict.fromkeys(new_teams))
new_users = list(dict.fromkeys(user_list))
# Make sure each of these names exist as a user
new_users_objs = []
for user in new_users:
new_users_objs.append(User.objects.get(username=user))
# Make sure each of these names exist as a user
new_teams_objs = []
for team_name in new_teams:
new_teams_objs.append(Team.objects.get(name=team_name))
try:
user_obj = User.objects.get(username=user)
except User.DoesNotExist:
raise AssertionError(f"User with username {user} does not exist")
new_users_objs.append(user_obj)
if self.user.is_default_group_only():
# Default only users are not allowed to remove other users from having access. They can only add new ones!
# So we need to keep the ones that already have access from being removed!
new_users_to_be_added = User.objects.filter(
username__in=new_users
).exclude(
@@ -332,17 +354,44 @@ class AbstractModelShareAPIView(AbstractAPIView):
)
new_users_objs = obj.shared_users.union(new_users_to_be_added)
new_teams_to_be_added = Team.objects.filter(
name__in=new_teams
).exclude(
id__in=obj.shared_teams
)
new_teams_objs = obj.shared_teams.union(new_teams_to_be_added)
obj.share_with_user_list(new_users_objs)
obj.share_with_team_list(new_teams_objs)
return True
def __process_team_sharing(self, team_list: list, obj):
""" Processes API sharing for team payload
Args:
team_list (list): A list of teams to share the obj with
obj (BaseObject): The shareable object
Returns:
"""
# Eliminate duplicates
new_teams = list(dict.fromkeys(team_list))
# Resolve team names or ids into objects
new_team_ids = []
for team in new_teams:
try:
uuid.UUID(team)
try:
new_team_ids.append(Team.objects.get(id=team).id)
except Team.DoesNotExist:
raise AssertionError(f"Team with id {team} does not exist!")
except ValueError:
# entry is a name and not a uuid -> try to resolve as name!
try:
new_team_ids.append(Team.objects.get(name=team).id)
except Team.DoesNotExist:
raise AssertionError(f"Team with name {team} does not exist!")
new_team_objs = Team.objects.filter(id__in=new_team_ids)
if self.user.is_default_group_only():
# Default only users are not allowed to remove other users from having access. They can only add new ones!
# So we need to keep the ones that already have access from being removed!
new_team_objs = obj.shared_teams.union(new_team_objs)
obj.share_with_team_list(new_team_objs)
class InterventionAPIShareView(AbstractModelShareAPIView):
model = Intervention
+9
View File
@@ -36,6 +36,7 @@ class InterventionViewTestCase(BaseViewTestCase):
self.run_check_url = reverse("intervention:check", args=(self.intervention.id,))
self.record_url = reverse("intervention:record", args=(self.intervention.id,))
self.report_url = reverse("intervention:report", args=(self.intervention.id,))
self.compensation_remove_url = reverse("intervention:remove-compensation", args=(self.compensation.intervention.id, self.compensation.id))
self.deduction.intervention = self.intervention
self.deduction.save()
@@ -83,6 +84,7 @@ class InterventionViewTestCase(BaseViewTestCase):
self.revocation_new_url: f"{login_redirect_base}{self.revocation_new_url}",
self.revocation_edit_url: f"{login_redirect_base}{self.revocation_edit_url}",
self.revocation_remove_url: f"{login_redirect_base}{self.revocation_remove_url}",
self.compensation_remove_url: f"{login_redirect_base}{self.compensation_remove_url}",
}
self.assert_url_success(client, success_urls)
@@ -124,6 +126,7 @@ class InterventionViewTestCase(BaseViewTestCase):
self.deduction_new_url,
self.deduction_edit_url,
self.deduction_remove_url,
self.compensation_remove_url,
]
self.assert_url_success(client, success_urls)
@@ -162,6 +165,7 @@ class InterventionViewTestCase(BaseViewTestCase):
self.deduction_new_url,
self.deduction_edit_url,
self.deduction_remove_url,
self.compensation_remove_url,
]
fail_urls = [
self.run_check_url,
@@ -212,6 +216,7 @@ class InterventionViewTestCase(BaseViewTestCase):
self.deduction_new_url,
self.deduction_edit_url,
self.deduction_remove_url,
self.compensation_remove_url,
]
success_urls_redirect = {
self.share_url: self.detail_url
@@ -258,6 +263,7 @@ class InterventionViewTestCase(BaseViewTestCase):
self.deduction_new_url,
self.deduction_edit_url,
self.deduction_remove_url,
self.compensation_remove_url,
]
success_urls_redirect = {
self.share_url: self.detail_url
@@ -304,6 +310,7 @@ class InterventionViewTestCase(BaseViewTestCase):
self.deduction_new_url,
self.deduction_edit_url,
self.deduction_remove_url,
self.compensation_remove_url,
]
success_urls_redirect = {
self.share_url: self.detail_url
@@ -350,6 +357,7 @@ class InterventionViewTestCase(BaseViewTestCase):
self.deduction_new_url,
self.deduction_edit_url,
self.deduction_remove_url,
self.compensation_remove_url,
]
success_urls_redirect = {
self.share_url: self.detail_url
@@ -396,6 +404,7 @@ class InterventionViewTestCase(BaseViewTestCase):
self.deduction_new_url,
self.deduction_edit_url,
self.deduction_remove_url,
self.compensation_remove_url,
]
# Define urls where a redirect to a specific location is the proper response
success_urls_redirect = {
+3 -1
View File
@@ -14,7 +14,7 @@ from django.utils.decorators import method_decorator
from django.views import View
from intervention.models import Intervention
from konova.decorators import shared_access_required
from konova.decorators import shared_access_required, default_group_required
from konova.forms.modals import RemoveModalForm
from konova.utils.message_templates import COMPENSATION_REMOVED_TEMPLATE
@@ -45,10 +45,12 @@ class RemoveCompensationFromInterventionView(LoginRequiredMixin, View):
redirect_url=reverse("intervention:detail", args=(id,)) + "#related_data",
)
@method_decorator(default_group_required)
@method_decorator(shared_access_required(Intervention, "id"))
def get(self, request, id: str, comp_id: str, *args, **kwargs) -> HttpResponse:
return self.__process_request(request, id, comp_id, *args, **kwargs)
@method_decorator(default_group_required)
@method_decorator(shared_access_required(Intervention, "id"))
def post(self, request, id: str, comp_id: str, *args, **kwargs) -> HttpResponse:
return self.__process_request(request, id, comp_id, *args, **kwargs)
+34 -4
View File
@@ -125,7 +125,7 @@ class Geometry(BaseResource):
deleted=None
)
if limit_to_attrs:
objs += set_objs.values_list(*limit_to_attrs, flat=True)
objs += set_objs.values(*limit_to_attrs)
else:
objs += set_objs
@@ -135,16 +135,16 @@ class Geometry(BaseResource):
Q(deleted=None) & Q(intervention__deleted=None)
)
if limit_to_attrs:
objs += comp_objs.values_list(*limit_to_attrs, flat=True)
objs += comp_objs.values(*limit_to_attrs)
else:
objs += comp_objs
return objs
def get_data_object(self):
def get_data_object(self, limit_to_attrs: list = None):
"""
Getter for the specific data object which is related to this geometry
"""
objs = self.get_data_objects()
objs = self.get_data_objects(limit_to_attrs)
assert (len(objs) <= 1)
result = objs.pop()
return result
@@ -436,6 +436,16 @@ class Geometry(BaseResource):
output_geom.transform(DEFAULT_SRID_RLP)
return output_geom
def get_conflict_geometries(self):
""" Getter for geometry ids which conflict with this geometry or are conflicted by this one
Returns:
geom_ids (list): List of geometry ids
"""
conflict_geoms_id = GeometryConflict.get_conflict_geometries(self)
conflict_geoms = Geometry.objects.filter(id__in=conflict_geoms_id)
return conflict_geoms
class GeometryConflict(UuidModel):
"""
@@ -459,3 +469,23 @@ class GeometryConflict(UuidModel):
def __str__(self):
return f"{self.conflicting_geometry.id} conflicts with {self.affected_geometry.id}"
@staticmethod
def get_conflict_geometries(geometry: Geometry):
""" Getter for geometries which conflict in one or another way with the given one
Args:
geometry (Geometry): The geometry which shall be checked
Returns:
conflict_geometries (QuerySet): QuerySet of geometries which have conflicts with the given geometry
"""
conflict_geometries = GeometryConflict.objects.filter(
affected_geometry=geometry.id,
).values_list("conflicting_geometry__id", flat=True)
conflict_geometries = conflict_geometries.union(
GeometryConflict.objects.filter(
conflicting_geometry=geometry.id,
).values_list("affected_geometry__id", flat=True)
)
return conflict_geometries
+7 -16
View File
@@ -676,24 +676,15 @@ class GeoReferencedMixin(models.Model):
if self.geometry is None:
return request
instance_objs = []
needed_data_object_attrs = [
"identifier"
]
conflicts = self.geometry.conflicts_geometries.iterator()
conflicting_geometries = self.geometry.get_conflict_geometries()
data_object_identifiers = []
for conflicting_geom in conflicting_geometries:
data_object_identifiers.append(conflicting_geom.get_data_object(["identifier"]))
for conflict in conflicts:
# Only check the affected geometry of this conflict, since we know the conflicting geometry is self.geometry
instance_objs += conflict.affected_geometry.get_data_objects(needed_data_object_attrs)
conflicts = self.geometry.conflicted_by_geometries.iterator()
for conflict in conflicts:
# Only check the conflicting geometry of this conflict, since we know the affected geometry is self.geometry
instance_objs += conflict.conflicting_geometry.get_data_objects(needed_data_object_attrs)
add_message = len(instance_objs) > 0
add_message = len(data_object_identifiers) > 0
if add_message:
instance_identifiers = ", ".join(instance_objs)
data_object_identifiers = [x["identifier"] for x in data_object_identifiers]
instance_identifiers = ", ".join(data_object_identifiers)
message_str = GEOMETRY_CONFLICT_WITH_TEMPLATE.format(instance_identifiers)
messages.info(request, message_str)
return request
+4 -8
View File
@@ -5,22 +5,18 @@ Contact: michel.peltriaux@sgdnord.rlp.de
Created on: 09.11.20
"""
import random
import secrets
import string
import qrcode
import qrcode.image.svg
from io import BytesIO
def generate_token() -> str:
def generate_token(length: int = 64) -> str:
""" Shortcut for default generating of e.g. API token
Returns:
token (str)
"""
return generate_random_string(
length=64,
length=length,
use_numbers=True,
use_letters_lc=True
)
@@ -39,7 +35,7 @@ def generate_random_string(length: int, use_numbers: bool = False, use_letters_l
elements.append(string.ascii_uppercase)
elements = "".join(elements)
ret_val = "".join(random.choice(elements) for i in range(length))
ret_val = "".join(secrets.choice(elements) for i in range(length))
return ret_val
class IdentifierGenerator:
Executable → Regular
View File
+59 -15
View File
@@ -7,9 +7,10 @@ Created on: 10.05.24
"""
import base64
import hashlib
import http
import json
from cryptography.fernet import Fernet
from cryptography.fernet import Fernet, InvalidToken
from django.core.exceptions import ObjectDoesNotExist
from django.http import HttpRequest, JsonResponse
from django.utils.decorators import method_decorator
@@ -27,34 +28,77 @@ class PropagateUserView(View):
proper rights management)
"""
class PropagateStatus:
UNPROCESSED = "unprocessed"
UPDATED = "updated"
CREATED = "created"
@method_decorator(csrf_exempt)
def dispatch(self, request, *args, **kwargs):
return super().dispatch(request, *args, **kwargs)
def post(self, request: HttpRequest, *args, **kwargs):
response_data = {
"success": None,
"status": None
}
# Decrypt
encrypted_body = request.body
_hash = hashlib.md5()
_hash.update(PROPAGATION_SECRET.encode("utf-8"))
key = base64.urlsafe_b64encode(_hash.hexdigest().encode("utf-8"))
fernet = Fernet(key)
body = fernet.decrypt(encrypted_body).decode("utf-8")
body = json.loads(body)
try:
status = "updated"
user = User.resolve_user_using_propagation_data(body)
user = user.update_user_using_propagation_data(body)
except ObjectDoesNotExist:
user = User(**body)
status = "created"
body = fernet.decrypt(encrypted_body).decode("utf-8")
body = json.loads(body)
except InvalidToken:
response_data["error"] = "Invalid Token"
response_data["success"] = False
response_data["status"] = self.PropagateStatus.UNPROCESSED
return JsonResponse(
status=http.HTTPStatus.UNPROCESSABLE_CONTENT,
data=response_data
)
except (json.JSONDecodeError) as e:
response_data["error"] = str(e)
response_data["success"] = False
response_data["status"] = self.PropagateStatus.UNPROCESSED
return JsonResponse(
status=http.HTTPStatus.UNPROCESSABLE_CONTENT,
data=response_data
)
# Process decrypted user data
processing_ret_vals = self.__process_user_data(body)
response_data["success"] = processing_ret_vals[0]
response_data["status"] = processing_ret_vals[1]
user = processing_ret_vals[2]
user.set_unusable_password()
user.save()
data = {
"success": True,
"status": status
}
return JsonResponse(
status=http.HTTPStatus.OK,
data=response_data
)
return JsonResponse(data)
def __process_user_data(self, body: dict) -> (bool, str, User):
""" Process decrypted user data
Args:
body:
Returns:
success (bool): Whether the processing was successful
status (str): In which way the data was used ('created' | 'updated')
user (User): Processed user object
"""
try:
user = User.resolve_user_using_propagation_data(body)
user = user.update_user_using_propagation_data(body)
status = self.PropagateStatus.UPDATED
except ObjectDoesNotExist:
user = User(**body)
status = self.PropagateStatus.CREATED
return True, status, user