Merge pull request #6375 from OCHA-DAP/feature/HDX-9927-add-csrf-tokens
PR: HDX-9927 add CSRF tokens
danmihaila authored Jul 1, 2024
2 parents 27d73c2 + c97c5f1 commit d0aac9b
Showing 53 changed files with 341 additions and 177 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -138,7 +138,6 @@ def test_members(self, render, app):
context = {'model': model, 'session': model.Session, 'user': orgadmin}
orgadmin_token = factories.APIToken(user='orgadmin', expires_in=2, unit=60 * 60)['token']
auth = {'Authorization': orgadmin_token}
# test_client = self.get_backwards_compatible_test_client()

member_with_name_list = _get_action('member_list')(context, {
'id': 'hdx-test-org',
Expand Down Expand Up @@ -236,16 +235,17 @@ def _populate_member_names(self, members, member_with_name_list):
ret = [next(u[4] for u in member_with_name_list if u[0] == member[0]) for member in members]
return ret

@pytest.mark.usefixtures('with_request_context')
@mock.patch('ckanext.hdx_users.helpers.mailer._mail_recipient_html')
def test_request_membership(self, _mail_recipient_html):
def test_request_membership(self, _mail_recipient_html, app):
test_sysadmin = 'testsysadmin'
test_username = 'johndoe1'
test_client = self.get_backwards_compatible_test_client()
test_username_token = factories.APIToken(user=test_username, expires_in=2, unit=60 * 60)['token']
context = {'model': model, 'session': model.Session, 'user': test_sysadmin}

# removing one member from organization
url = h.url_for('hdx_members.member_delete', id='hdx-test-org')
test_client.post(url, params={'user': 'johndoe1'}, extra_environ={"REMOTE_USER": test_sysadmin})
app.post(url, params={'user': 'johndoe1'}, extra_environ={"REMOTE_USER": test_sysadmin})

member_list = self._get_action('member_list')(context, {
'id': 'hdx-test-org',
Expand All @@ -262,9 +262,9 @@ def test_request_membership(self, _mail_recipient_html):

# send a membership request
url = h.url_for('ytp_request.new')
ret_page = test_client.post(url, params={'organization': 'hdx-test-org', 'role': 'member', 'save': 'save',
'message': 'add me to your organization'},
extra_environ={"REMOTE_USER": test_username})
ret_page = app.post(url, params={'organization': 'hdx-test-org', 'role': 'member', 'save': 'save',
'message': 'add me to your organization'},
headers={'Authorization': test_username_token})
member_requests = self._get_action('member_request_list')(context, {'group': 'hdx-test-org'})
assert len(member_requests) == 1, 'Exactly one member request should exist for this org'
assert member_requests[0].get('user_name') == test_username
Expand All @@ -280,16 +280,17 @@ def _populate_member_names(self, members, member_with_name_list):
ret = [next(u[4] for u in member_with_name_list if u[0] == member[0]) for member in members]
return ret

@pytest.mark.usefixtures('with_request_context')
@mock.patch('ckanext.hdx_users.helpers.mailer._mail_recipient_html')
def test_request_membership(self, _mail_recipient_html):
def test_request_membership(self, _mail_recipient_html, app):
test_sysadmin = 'testsysadmin'
test_username = 'johndoe1'
test_client = self.get_backwards_compatible_test_client()
test_username_token = factories.APIToken(user=test_username, expires_in=2, unit=60 * 60)['token']
context = {'model': model, 'session': model.Session, 'user': test_sysadmin}

# removing one member from organization
url = h.url_for('hdx_members.member_delete', id='hdx-test-org')
test_client.post(url, params={'user': 'johndoe1'}, extra_environ={"REMOTE_USER": test_sysadmin})
app.post(url, params={'user': 'johndoe1'}, extra_environ={"REMOTE_USER": test_sysadmin})

member_list = self._get_action('member_list')(context, {
'id': 'hdx-test-org',
Expand All @@ -306,9 +307,9 @@ def test_request_membership(self, _mail_recipient_html):

# send a membership request
url = h.url_for('ytp_request.new')
ret_page = test_client.post(url, params={'organization': 'hdx-test-org', 'role': 'editor', 'save': 'save',
'message': 'add me to your organization'},
extra_environ={"REMOTE_USER": test_username})
ret_page = app.post(url, params={'organization': 'hdx-test-org', 'role': 'editor', 'save': 'save',
'message': 'add me to your organization'},
headers={'Authorization': test_username_token})
member_requests = self._get_action('member_request_list')(context, {'group': 'hdx-test-org'})
assert len(member_requests) == 1, 'Exactly one member request should exist for this org'
assert member_requests[0].get('user_name') == test_username
Expand Down
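Review bot: The two POSTs in test_request_membership now authenticate differently: the member_delete request `app.post(url, params={'user': 'johndoe1'}, extra_environ={"REMOTE_USER": test_sysadmin})` still relies on REMOTE_USER, while the membership request a few lines below switches to `headers={'Authorization': test_username_token}`. If CSRF enforcement applies to session/REMOTE_USER-authenticated form posts, the first request presumably only passes because the test app does not enforce it, so it would be worth either minting a sysadmin token the same way and using `headers={'Authorization': ...}` there too, or adding a comment on that line saying why REMOTE_USER remains acceptable for it. The same mixed pattern appears in the second copy of test_request_membership in the -280 hunk. If the line `test_client = self.get_backwards_compatible_test_client()` survives the change, it appears to no longer be used in the function and can be dropped. The function body continues outside the hunks.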
Original file line number Diff line number Diff line change
Expand Up @@ -244,7 +244,7 @@ def test_page_delete(self, app):
eldeleted_page = _get_action('page_show')(context_sysadmin, {'id': page_eldeleted.get('name')})
try:
url = h.url_for(u'hdx_custom_page.delete_page', id=eldeleted_page.get('id'))
page_delete = app.post(url, extra_environ={"REMOTE_USER": USER})
page_delete = app.post(url, headers={'Authorization': self._get_token_for_user(USER)})
assert 'Page not found' in page_delete.body, 'page doesn\'t exist'
assert '404 Not Found'.lower() in page_delete.status.lower()
except logic.NotAuthorized:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@
options.emulateJSON = true; // Important because your sending formdata
options.processData = false;
options.contentType = false;
options.headers = hdxUtil.net.getCsrfTokenAsObject();

return Backbone.Model.prototype.sync.call(this, method, model, options);
// return Backbone.sync.apply(this, arguments);
Expand Down
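Review bot: `options.headers = hdxUtil.net.getCsrfTokenAsObject();` replaces whatever headers a caller already passed in `options` instead of adding to them, so a caller-supplied header such as `Authorization` or `Accept` is silently dropped before `Backbone.Model.prototype.sync` runs. Merging keeps both: `options.headers = Object.assign({}, options.headers, hdxUtil.net.getCsrfTokenAsObject());`. The same overwrite is in the three following sync overrides (the hunks at -51, -50 and -101). Whether `hdxUtil` is guaranteed to be loaded before these modules cannot be seen here and is worth confirming. The enclosing sync function starts and ends outside the hunk.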
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@
options.emulateJSON = true; // Important because your sending formdata
options.processData = false;
options.contentType = false;
options.headers = hdxUtil.net.getCsrfTokenAsObject();

return Backbone.Model.prototype.sync.call(this, method, model, options);
// return Backbone.sync.apply(this, arguments);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@
options.emulateJSON = true; // Important because your sending formdata
options.processData = false;
options.contentType = false;
options.headers = hdxUtil.net.getCsrfTokenAsObject();

return Backbone.Model.prototype.sync.call(this, method, model, options);
// return Backbone.sync.apply(this, arguments);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,7 @@
options.data = formData;
options.processData = false;
options.contentType = false;
options.headers = hdxUtil.net.getCsrfTokenAsObject();

// Handle "progress" events
if (!options.xhr) {
Expand Down Expand Up @@ -173,4 +174,4 @@
// Export out to override Backbone Model
Backbone.Model = BackboneModelFileUpload;

}));
}));
Original file line number Diff line number Diff line change
Expand Up @@ -63,29 +63,33 @@

formDataArray.push({'name': 'id', 'value': datasetId});

$.post(validateUrl, formDataArray,
function (data, status, xhr) {
data.error_summary = data.error_summary ? data.error_summary : {};

// Resources are not required for metadata-only datasets
if (!data.data.is_requestdata_type && (!resourceDataArray || resourceDataArray.length === 0)) {
data.error_summary['resource-list'] = 'Please add at least 1 resource to the dataset';

}

// Tags are required for metadata-only datasets
if (data.data.is_requestdata_type && data.data.tag_string.length === 0) {
data.errors.tag_string = ['Missing value'];
}

contributeGlobal.updateValidationUi(data, status, xhr);
// contributeGlobal._managePrivateField();
deferred.resolve(contributeGlobal.validateSucceeded(data, status));
moduleLog('Validation finished');
$.ajax({
url: validateUrl,
type: 'POST',
data: formDataArray,
headers: hdxUtil.net.getCsrfTokenAsObject(),
success: function (data, status, xhr) {
data.error_summary = data.error_summary ? data.error_summary : {};

// Resources are not required for metadata-only datasets
if (!data.data.is_requestdata_type && (!resourceDataArray || resourceDataArray.length === 0)) {
data.error_summary['resource-list'] = 'Please add at least 1 resource to the dataset';
}

// Tags are required for metadata-only datasets
if (data.data.is_requestdata_type && data.data.tag_string.length === 0) {
data.errors.tag_string = ['Missing value'];
}
).fail(contributeGlobal.recoverFromServerError);

contributeGlobal.updateValidationUi(data, status, xhr);
// contributeGlobal._managePrivateField();
deferred.resolve(contributeGlobal.validateSucceeded(data, status));
moduleLog('Validation finished');
},
error: function (xhr, status, error) {
contributeGlobal.recoverFromServerError();
}
});
}.bind(this)
);

Expand Down Expand Up @@ -156,12 +160,19 @@
contributeGlobal.controlUserWaitingWidget(true, 'Saving dataset form...');

$.when(analyticsPromise).done(function () {
$.post(requestUrl, formDataArray,
function (data, status, xhr) {
contributeGlobal.updateInnerState(data, status);
deferred.resolve(data, status, xhr);
}
).fail(contributeGlobal.recoverFromServerError);
$.ajax({
url: requestUrl,
type: 'POST',
data: formDataArray,
headers: hdxUtil.net.getCsrfTokenAsObject(),
success: function (data, status, xhr) {
contributeGlobal.updateInnerState(data, status);
deferred.resolve(data, status, xhr);
},
error: function (xhr, status, error) {
contributeGlobal.recoverFromServerError();
}
});
});
}
}
Expand Down
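Review bot: The new `error: function (xhr, status, error) { contributeGlobal.recoverFromServerError(); }` callback drops the arguments that the replaced `.fail(contributeGlobal.recoverFromServerError)` used to forward, so if recoverFromServerError inspects the jqXHR (for example to tell a CSRF-related 403 from a server error) it no longer can. Passing the handler through directly preserves the previous contract: `error: contributeGlobal.recoverFromServerError,`. The same pattern is in the second hunk of this file (-156). Neither error path settles `deferred`, which the old `.fail` code did not do either, but now that the path is being rewritten a `deferred.reject(xhr, status, error);` would stop callers waiting on the promise from hanging, provided those callers handle rejection. Both enclosing functions begin outside the hunks.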
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,7 @@ function autoGraph() {
type: 'POST',
dataType: 'json',
url: '/api/3/action/datastore_search_sql',
headers: hdxUtil.net.getCsrfTokenAsObject(),
data: urldata,
index: sIdx,
success: function (data) {
Expand Down Expand Up @@ -436,6 +437,7 @@ function loadMapData(map, confJson, layers){
type: 'POST',
dataType: 'json',
url: '/api/3/action/datastore_search_sql',
headers: hdxUtil.net.getCsrfTokenAsObject(),
data: urldata,
success: function(result){
values = processMapValues(result.result.records, confJson, pcodeColumnName, valueColumnName, descriptionColumnName);
Expand Down
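Review bot: The CSRF header is added to two `/api/3/action/datastore_search_sql` POSTs that only read data, and nothing in the hunk says why a read-only query needs it; a one-line comment next to `headers: hdxUtil.net.getCsrfTokenAsObject(),` such as `// presumably POSTs from a logged-in browser session are CSRF-checked server-side even for read-only actions` would keep the next reader from removing it. The same applies to the datastore_search_sql call in the next file (the -11 hunk). Whether getCsrfTokenAsObject returns an empty object when no token is present on the page, so anonymous visitors are unaffected, cannot be seen here and is worth confirming. Both enclosing functions, autoGraph and loadMapData, continue outside the hunks.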
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ $.ajax({
type: 'POST',
dataType: 'json',
url: '/api/3/action/datastore_search_sql',
headers: hdxUtil.net.getCsrfTokenAsObject(),
data: data,
success: function(data) {
var processedData = processData(data.result.records);
Expand Down Expand Up @@ -55,7 +56,7 @@ function processData(dataIn){
data[data.length-1]['cases'][e['Country']]=e['value'];
} else {
data[data.length-1]['cases']['other']+=e['value'];
}
}
}
});
return data;
Expand All @@ -65,9 +66,9 @@ function generateLineChart(id,data){
data.forEach(function(e){
e.date = new Date(e.date);
});

var varNames = d3.keys(data[0].deaths).filter(function (key) { return key !== 'total';});;

var seriesDeathArr = [], series = {};
varNames.forEach(function (name) {
series[name] = {name: name, values:[]};
Expand All @@ -78,7 +79,7 @@ function generateLineChart(id,data){
series[name].values.push({label: d.date, value: +d.deaths[name]});
});
});

var seriesDeathArr = [], series = {};
varNames.forEach(function (name) {
series[name] = {name: name, values:[]};
Expand All @@ -88,12 +89,12 @@ function generateLineChart(id,data){
varNames.map(function (name) {
series[name].values.push({label: d.date, value: +d.deaths[name]});
});
});
});

var deathColor = d3.scale.ordinal()
//.range(["#B71C1C","#E53935","#EF9A9A","#FFEBEE"]);
.range(["#f2645a","#F58A83","#F8B1AC","#FBD8D5"]);

var seriesCaseArr = [], series = {};
varNames.forEach(function (name) {
series[name] = {name: name, values:[]};
Expand All @@ -103,7 +104,7 @@ function generateLineChart(id,data){
varNames.map(function (name) {
series[name].values.push({label: d.date, value: +d.cases[name]});
});
});
});

var caseColor = d3.scale.ordinal()
//.range(["#1A237E","#3949AB","#7986CB","#E8EAF6"])
Expand All @@ -118,10 +119,10 @@ function generateLineChart(id,data){

var y = d3.scale.linear()
.range([height, 0]);
x.domain(d3.extent(data, function(d) {

x.domain(d3.extent(data, function(d) {
return d.date; }));
y.domain([0,d3.max(data, function(d) { return d.cases.total; })]);
y.domain([0,d3.max(data, function(d) { return d.cases.total; })]);

var xAxis = d3.svg.axis()
.scale(x)
Expand Down Expand Up @@ -169,7 +170,7 @@ function generateLineChart(id,data){
.x(function (d) { return x(d.label); })
.y0(function (d) { return y(d.y0); })
.y1(function (d) { return y(d.y0 + d.y); });

stack(seriesDeathArr);
stack(seriesCaseArr);
var svg = d3.select(id).append("svg")
Expand Down Expand Up @@ -360,7 +361,7 @@ function generateLineChart(id,data){
d3.selectAll(".deathPath").transition().duration(500).attr("opacity",0);
d3.selectAll(".linelabels").transition().duration(500).attr("opacity",1);
d3.selectAll(".areadeathlabels").transition().duration(500).attr("opacity",0);
});
});

svg.append("path")
.datum(data)
Expand All @@ -379,4 +380,4 @@ function generateLineChart(id,data){
d3.selectAll(".areacaselabels").transition().duration(500).attr("opacity",0);
d3.selectAll(".deathline").transition().duration(500).attr("opacity",1);
});
}
}