PR: HDX-9927 add CSRF tokens #6375

Merged
merged 2 commits into from
Jul 1, 2024
Merged
Expand Up @@ -138,7 +138,6 @@ def test_members(self, render, app):
context = {'model': model, 'session': model.Session, 'user': orgadmin}
orgadmin_token = factories.APIToken(user='orgadmin', expires_in=2, unit=60 * 60)['token']
auth = {'Authorization': orgadmin_token}
# test_client = self.get_backwards_compatible_test_client()

member_with_name_list = _get_action('member_list')(context, {
'id': 'hdx-test-org',
Expand Down Expand Up @@ -236,16 +235,17 @@ def _populate_member_names(self, members, member_with_name_list):
ret = [next(u[4] for u in member_with_name_list if u[0] == member[0]) for member in members]
return ret

@pytest.mark.usefixtures('with_request_context')
@mock.patch('ckanext.hdx_users.helpers.mailer._mail_recipient_html')
def test_request_membership(self, _mail_recipient_html):
def test_request_membership(self, _mail_recipient_html, app):
test_sysadmin = 'testsysadmin'
test_username = 'johndoe1'
test_client = self.get_backwards_compatible_test_client()
test_username_token = factories.APIToken(user=test_username, expires_in=2, unit=60 * 60)['token']
context = {'model': model, 'session': model.Session, 'user': test_sysadmin}

# removing one member from organization
url = h.url_for('hdx_members.member_delete', id='hdx-test-org')
test_client.post(url, params={'user': 'johndoe1'}, extra_environ={"REMOTE_USER": test_sysadmin})
app.post(url, params={'user': 'johndoe1'}, extra_environ={"REMOTE_USER": test_sysadmin})

member_list = self._get_action('member_list')(context, {
'id': 'hdx-test-org',
Expand All @@ -262,9 +262,9 @@ def test_request_membership(self, _mail_recipient_html):

# send a membership request
url = h.url_for('ytp_request.new')
ret_page = test_client.post(url, params={'organization': 'hdx-test-org', 'role': 'member', 'save': 'save',
'message': 'add me to your organization'},
extra_environ={"REMOTE_USER": test_username})
ret_page = app.post(url, params={'organization': 'hdx-test-org', 'role': 'member', 'save': 'save',
'message': 'add me to your organization'},
headers={'Authorization': test_username_token})
member_requests = self._get_action('member_request_list')(context, {'group': 'hdx-test-org'})
assert len(member_requests) == 1, 'Exactly one member request should exist for this org'
assert member_requests[0].get('user_name') == test_username
Expand All @@ -280,16 +280,17 @@ def _populate_member_names(self, members, member_with_name_list):
ret = [next(u[4] for u in member_with_name_list if u[0] == member[0]) for member in members]
return ret

@pytest.mark.usefixtures('with_request_context')
@mock.patch('ckanext.hdx_users.helpers.mailer._mail_recipient_html')
def test_request_membership(self, _mail_recipient_html):
def test_request_membership(self, _mail_recipient_html, app):
test_sysadmin = 'testsysadmin'
test_username = 'johndoe1'
test_client = self.get_backwards_compatible_test_client()
test_username_token = factories.APIToken(user=test_username, expires_in=2, unit=60 * 60)['token']
context = {'model': model, 'session': model.Session, 'user': test_sysadmin}

# removing one member from organization
url = h.url_for('hdx_members.member_delete', id='hdx-test-org')
test_client.post(url, params={'user': 'johndoe1'}, extra_environ={"REMOTE_USER": test_sysadmin})
app.post(url, params={'user': 'johndoe1'}, extra_environ={"REMOTE_USER": test_sysadmin})

member_list = self._get_action('member_list')(context, {
'id': 'hdx-test-org',
Expand All @@ -306,9 +307,9 @@ def test_request_membership(self, _mail_recipient_html):

# send a membership request
url = h.url_for('ytp_request.new')
ret_page = test_client.post(url, params={'organization': 'hdx-test-org', 'role': 'editor', 'save': 'save',
'message': 'add me to your organization'},
extra_environ={"REMOTE_USER": test_username})
ret_page = app.post(url, params={'organization': 'hdx-test-org', 'role': 'editor', 'save': 'save',
'message': 'add me to your organization'},
headers={'Authorization': test_username_token})
member_requests = self._get_action('member_request_list')(context, {'group': 'hdx-test-org'})
assert len(member_requests) == 1, 'Exactly one member request should exist for this org'
assert member_requests[0].get('user_name') == test_username
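Review bot: The member_delete POST in the hunk at @@ -236 (and again in the repeated test body at @@ -280) still authenticates with `extra_environ={"REMOTE_USER": test_sysadmin}` while the membership-request POST a few lines later was moved to `headers={'Authorization': test_username_token}`, so the test now mixes a session-style request and a token request without saying why. For a PR that adds CSRF tokens, a form POST carrying neither a token nor a CSRF field is precisely the request the new protection should refuse; that it still succeeds here suggests either enforcement is off in the test configuration or this view is exempt, and neither is checked. I'd mint a token for the sysadmin as well, `sysadmin_token = factories.APIToken(user=test_sysadmin, expires_in=2, unit=60 * 60)['token']` and `app.post(url, params={'user': 'johndoe1'}, headers={'Authorization': sysadmin_token})`, and add one negative test asserting that the same POST without any credential or CSRF field is rejected. test_request_membership continues past the end of both hunks.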
Expand Up @@ -244,7 +244,7 @@ def test_page_delete(self, app):
eldeleted_page = _get_action('page_show')(context_sysadmin, {'id': page_eldeleted.get('name')})
try:
url = h.url_for(u'hdx_custom_page.delete_page', id=eldeleted_page.get('id'))
page_delete = app.post(url, extra_environ={"REMOTE_USER": USER})
page_delete = app.post(url, headers={'Authorization': self._get_token_for_user(USER)})
assert 'Page not found' in page_delete.body, 'page doesn\'t exist'
assert '404 Not Found'.lower() in page_delete.status.lower()
except logic.NotAuthorized:
Expand Up @@ -49,6 +49,7 @@
options.emulateJSON = true; // Important because your sending formdata
options.processData = false;
options.contentType = false;
options.headers = hdxUtil.net.getCsrfTokenAsObject();

return Backbone.Model.prototype.sync.call(this, method, model, options);
// return Backbone.sync.apply(this, arguments);
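Review bot: `options.headers = hdxUtil.net.getCsrfTokenAsObject();` overwrites whatever `headers` the caller already placed on `options`, so any per-call header is silently dropped the moment the model syncs; the same assignment is repeated in the two following Backbone sync overrides and in the file-upload sync further down this PR. Merging instead of assigning keeps both sets: `options.headers = Object.assign({}, options.headers, hdxUtil.net.getCsrfTokenAsObject());`. Since this runs inside the sync override for every method, the token is also attached to read requests; that is harmless if the helper returns only the CSRF header, but a one-line comment such as `// CSRF header is added for every sync; safe for GET, required for writes` would record the intent. The enclosing sync function starts and ends outside the hunk.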
Expand Up @@ -51,6 +51,7 @@
options.emulateJSON = true; // Important because your sending formdata
options.processData = false;
options.contentType = false;
options.headers = hdxUtil.net.getCsrfTokenAsObject();

return Backbone.Model.prototype.sync.call(this, method, model, options);
// return Backbone.sync.apply(this, arguments);
Expand Up @@ -50,6 +50,7 @@
options.emulateJSON = true; // Important because your sending formdata
options.processData = false;
options.contentType = false;
options.headers = hdxUtil.net.getCsrfTokenAsObject();

return Backbone.Model.prototype.sync.call(this, method, model, options);
// return Backbone.sync.apply(this, arguments);
Expand Up @@ -101,6 +101,7 @@
options.data = formData;
options.processData = false;
options.contentType = false;
options.headers = hdxUtil.net.getCsrfTokenAsObject();

// Handle "progress" events
if (!options.xhr) {
Expand Down Expand Up @@ -173,4 +174,4 @@
// Export out to override Backbone Model
Backbone.Model = BackboneModelFileUpload;

}));
}));
Expand Up @@ -63,29 +63,33 @@

formDataArray.push({'name': 'id', 'value': datasetId});

$.post(validateUrl, formDataArray,
function (data, status, xhr) {
data.error_summary = data.error_summary ? data.error_summary : {};

// Resources are not required for metadata-only datasets
if (!data.data.is_requestdata_type && (!resourceDataArray || resourceDataArray.length === 0)) {
data.error_summary['resource-list'] = 'Please add at least 1 resource to the dataset';

}

// Tags are required for metadata-only datasets
if (data.data.is_requestdata_type && data.data.tag_string.length === 0) {
data.errors.tag_string = ['Missing value'];
}

contributeGlobal.updateValidationUi(data, status, xhr);
// contributeGlobal._managePrivateField();
deferred.resolve(contributeGlobal.validateSucceeded(data, status));
moduleLog('Validation finished');
$.ajax({
url: validateUrl,
type: 'POST',
data: formDataArray,
headers: hdxUtil.net.getCsrfTokenAsObject(),
success: function (data, status, xhr) {
data.error_summary = data.error_summary ? data.error_summary : {};

// Resources are not required for metadata-only datasets
if (!data.data.is_requestdata_type && (!resourceDataArray || resourceDataArray.length === 0)) {
data.error_summary['resource-list'] = 'Please add at least 1 resource to the dataset';
}

// Tags are required for metadata-only datasets
if (data.data.is_requestdata_type && data.data.tag_string.length === 0) {
data.errors.tag_string = ['Missing value'];
}
).fail(contributeGlobal.recoverFromServerError);

contributeGlobal.updateValidationUi(data, status, xhr);
// contributeGlobal._managePrivateField();
deferred.resolve(contributeGlobal.validateSucceeded(data, status));
moduleLog('Validation finished');
},
error: function (xhr, status, error) {
contributeGlobal.recoverFromServerError();
}
});
}.bind(this)
);

Expand Down Expand Up @@ -156,12 +160,19 @@
contributeGlobal.controlUserWaitingWidget(true, 'Saving dataset form...');

$.when(analyticsPromise).done(function () {
$.post(requestUrl, formDataArray,
function (data, status, xhr) {
contributeGlobal.updateInnerState(data, status);
deferred.resolve(data, status, xhr);
}
).fail(contributeGlobal.recoverFromServerError);
$.ajax({
url: requestUrl,
type: 'POST',
data: formDataArray,
headers: hdxUtil.net.getCsrfTokenAsObject(),
success: function (data, status, xhr) {
contributeGlobal.updateInnerState(data, status);
deferred.resolve(data, status, xhr);
},
error: function (xhr, status, error) {
contributeGlobal.recoverFromServerError();
}
});
});
}
}
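Review bot: The new `error: function (xhr, status, error) { contributeGlobal.recoverFromServerError(); }` wrapper discards the three arguments that the replaced `.fail(contributeGlobal.recoverFromServerError)` used to forward, so if recoverFromServerError inspects the jqXHR or the status text (its body is not visible here) it now receives `undefined`; the same wrapper is repeated in the second hunk of this file. Passing the function directly, `error: contributeGlobal.recoverFromServerError,`, preserves the previous call contract and is shorter. Separately, neither hunk rejects `deferred` on the error path; that was already true of the `.fail` version, but now that the request is spelled out it is the natural place for `deferred.reject(xhr, status, error);` after the recovery call, so callers waiting on the promise are not left pending. Both enclosing functions start and end outside their hunks.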
Expand Up @@ -141,6 +141,7 @@ function autoGraph() {
type: 'POST',
dataType: 'json',
url: '/api/3/action/datastore_search_sql',
headers: hdxUtil.net.getCsrfTokenAsObject(),
data: urldata,
index: sIdx,
success: function (data) {
Expand Down Expand Up @@ -436,6 +437,7 @@ function loadMapData(map, confJson, layers){
type: 'POST',
dataType: 'json',
url: '/api/3/action/datastore_search_sql',
headers: hdxUtil.net.getCsrfTokenAsObject(),
data: urldata,
success: function(result){
values = processMapValues(result.result.records, confJson, pcodeColumnName, valueColumnName, descriptionColumnName);
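Review bot: Both `$.ajax` calls in this file now evaluate the global `hdxUtil.net.getCsrfTokenAsObject()` while the request options object is being built, so on any page where `hdxUtil` is not defined before this script runs, the ReferenceError fires before the request is issued and autoGraph / loadMapData abort without reaching their own handlers; the datastore_search_sql call at the top of the next file has the same dependency. I cannot see the templates, so script order may already guarantee this, but a short comment on the first use, `// requires the global hdxUtil to be loaded first (CSRF header)`, would make the load-order requirement explicit for whoever next moves these scripts. The request bodies (`urldata`) are assembled outside both hunks.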
Expand Up @@ -11,6 +11,7 @@ $.ajax({
type: 'POST',
dataType: 'json',
url: '/api/3/action/datastore_search_sql',
headers: hdxUtil.net.getCsrfTokenAsObject(),
data: data,
success: function(data) {
var processedData = processData(data.result.records);
Expand Down Expand Up @@ -55,7 +56,7 @@ function processData(dataIn){
data[data.length-1]['cases'][e['Country']]=e['value'];
} else {
data[data.length-1]['cases']['other']+=e['value'];
}
}
}
});
return data;
Expand All @@ -65,9 +66,9 @@ function generateLineChart(id,data){
data.forEach(function(e){
e.date = new Date(e.date);
});

var varNames = d3.keys(data[0].deaths).filter(function (key) { return key !== 'total';});;

var seriesDeathArr = [], series = {};
varNames.forEach(function (name) {
series[name] = {name: name, values:[]};
Expand All @@ -78,7 +79,7 @@ function generateLineChart(id,data){
series[name].values.push({label: d.date, value: +d.deaths[name]});
});
});

var seriesDeathArr = [], series = {};
varNames.forEach(function (name) {
series[name] = {name: name, values:[]};
Expand All @@ -88,12 +89,12 @@ function generateLineChart(id,data){
varNames.map(function (name) {
series[name].values.push({label: d.date, value: +d.deaths[name]});
});
});
});

var deathColor = d3.scale.ordinal()
//.range(["#B71C1C","#E53935","#EF9A9A","#FFEBEE"]);
.range(["#f2645a","#F58A83","#F8B1AC","#FBD8D5"]);

var seriesCaseArr = [], series = {};
varNames.forEach(function (name) {
series[name] = {name: name, values:[]};
Expand All @@ -103,7 +104,7 @@ function generateLineChart(id,data){
varNames.map(function (name) {
series[name].values.push({label: d.date, value: +d.cases[name]});
});
});
});

var caseColor = d3.scale.ordinal()
//.range(["#1A237E","#3949AB","#7986CB","#E8EAF6"])
Expand All @@ -118,10 +119,10 @@ function generateLineChart(id,data){

var y = d3.scale.linear()
.range([height, 0]);
x.domain(d3.extent(data, function(d) {

x.domain(d3.extent(data, function(d) {
return d.date; }));
y.domain([0,d3.max(data, function(d) { return d.cases.total; })]);
y.domain([0,d3.max(data, function(d) { return d.cases.total; })]);

var xAxis = d3.svg.axis()
.scale(x)
Expand Down Expand Up @@ -169,7 +170,7 @@ function generateLineChart(id,data){
.x(function (d) { return x(d.label); })
.y0(function (d) { return y(d.y0); })
.y1(function (d) { return y(d.y0 + d.y); });

stack(seriesDeathArr);
stack(seriesCaseArr);
var svg = d3.select(id).append("svg")
Expand Down Expand Up @@ -360,7 +361,7 @@ function generateLineChart(id,data){
d3.selectAll(".deathPath").transition().duration(500).attr("opacity",0);
d3.selectAll(".linelabels").transition().duration(500).attr("opacity",1);
d3.selectAll(".areadeathlabels").transition().duration(500).attr("opacity",0);
});
});

svg.append("path")
.datum(data)
Expand All @@ -379,4 +380,4 @@ function generateLineChart(id,data){
d3.selectAll(".areacaselabels").transition().duration(500).attr("opacity",0);
d3.selectAll(".deathline").transition().duration(500).attr("opacity",1);
});
}
}