Add blueprint level auth guards to graphs, users and remote filesystems endpoints (#1219)

ml-evs · web-flow · commit 57652b86cafd · 2025-05-24T19:59:03.000+01:00
diff --git a/pydatalab/src/pydatalab/routes/v0_1/graphs.py b/pydatalab/src/pydatalab/routes/v0_1/graphs.py
@@ -1,11 +1,16 @@
 from flask import Blueprint, jsonify, request
 
 from pydatalab.mongo import flask_mongo
-from pydatalab.permissions import get_default_permissions
+from pydatalab.permissions import active_users_or_get_only, get_default_permissions
 
 GRAPHS = Blueprint("graphs", __name__)
 
 
+@GRAPHS.before_request
+@active_users_or_get_only
+def _(): ...
+
+
 @GRAPHS.route("/item-graph", methods=["GET"])
 @GRAPHS.route("/item-graph/<item_id>", methods=["GET"])
 def get_graph_cy_format(
diff --git a/pydatalab/src/pydatalab/routes/v0_1/remotes.py b/pydatalab/src/pydatalab/routes/v0_1/remotes.py
@@ -5,6 +5,7 @@
 from flask_login import current_user
 
 from pydatalab.config import CONFIG
+from pydatalab.permissions import active_users_or_get_only
 from pydatalab.remote_filesystems import (
     get_directory_structure,
     get_directory_structures,
@@ -25,6 +26,11 @@ def _check_invalidate_cache(args: dict[str, str]) -> bool | None:
 REMOTES = Blueprint("remotes", __name__)
 
 
+@REMOTES.before_request
+@active_users_or_get_only
+def _(): ...
+
+
 @REMOTES.route("/list-remote-directories", methods=["GET"])
 @REMOTES.route("/remotes", methods=["GET"])
 def list_remote_directories():
@@ -34,7 +40,10 @@ def list_remote_directories():
     then it will be reconstructed.
 
     """
-    if not current_user.is_authenticated and not CONFIG.TESTING:
+    if (
+        not (current_user.is_authenticated and current_user.account_status == "active")
+        and not CONFIG.TESTING
+    ):
         return (
             jsonify(
                 {
diff --git a/pydatalab/src/pydatalab/routes/v0_1/users.py b/pydatalab/src/pydatalab/routes/v0_1/users.py
@@ -5,10 +5,16 @@
 from pydatalab.config import CONFIG
 from pydatalab.models.people import DisplayName, EmailStr
 from pydatalab.mongo import flask_mongo
+from pydatalab.permissions import active_users_or_get_only
 
 USERS = Blueprint("users", __name__)
 
 
+@USERS.before_request
+@active_users_or_get_only
+def _(): ...
+
+
 @USERS.route("/users/<user_id>", methods=["PATCH"])
 def save_user(user_id):
     request_json = request.get_json()
diff --git a/pydatalab/tests/server/test_remotes.py b/pydatalab/tests/server/test_remotes.py
@@ -2,19 +2,33 @@
 
 
 @pytest.mark.dependency()
-def test_directories_list(client):
+def test_directories_list(client, unauthenticated_client, unverified_client, deactivated_client):
     response = client.get("/list-remote-directories")
     assert response.json
     toplevel = response.json["data"][0]
     assert toplevel["type"] == "toplevel"
     assert toplevel["status"] == "updated"
 
+    response = unauthenticated_client.get("/list-remote-directories")
+    assert response.status_code == 401
+    response = unverified_client.get("/list-remote-directories")
+    assert response.status_code == 401
+    response = deactivated_client.get("/list-remote-directories")
+    assert response.status_code == 401
+
     response = client.get("/remotes")
     assert response.json
     toplevel = response.json["data"][0]
     assert toplevel["type"] == "toplevel"
     assert toplevel["status"] == "cached"
 
+    response = unauthenticated_client.get("/remotes")
+    assert response.status_code == 401
+    response = unverified_client.get("/remotes")
+    assert response.status_code == 401
+    response = deactivated_client.get("/remotes")
+    assert response.status_code == 401
+
 
 @pytest.mark.dependency(depends=["test_directories_list"])
 def test_single_directory(client):
