author | Frederick Muriuki Muriithi | 2023-07-24 11:08:07 +0300 |
---|---|---|
committer | Frederick Muriuki Muriithi | 2023-07-24 11:08:07 +0300 |
commit | 5930087ff8ed1dc857d145e155d327528866a11e (patch) | |
tree | a6e8a47676d75c2cba5a28a14ccd2a51b0fd3463 | |
parent | 8f9a857a911209f882dec4b50b8ee148a6267f64 (diff) | |
download | genenetwork2-5930087ff8ed1dc857d145e155d327528866a11e.tar.gz |
Protect the "approve" and "reject" endpoints
Protect the actual "approve" or "reject" steps, rather than just the
UI elements.
-rw-r--r-- | wqflask/wqflask/metadata_edits.py | 6 | ||||
-rw-r--r-- | wqflask/wqflask/templates/display_files.html | 4 |
2 files changed, 8 insertions, 2 deletions
diff --git a/wqflask/wqflask/metadata_edits.py b/wqflask/wqflask/metadata_edits.py
index c8d104ea..e3e8cf15 100644
--- a/wqflask/wqflask/metadata_edits.py
+++ b/wqflask/wqflask/metadata_edits.py
@@ -655,6 +655,9 @@ def __authorised_p__(dataset_name, trait_name):
 ).either(__error__, __success__)
 
 @metadata_edit.route("<resource_id>/diffs/<file_name>/reject")
+@required_access(
+("group:resource:view-resource", "group:resource:edit-resource"),
+trait_key="trait_name")
 @login_required(pagename="sample data rejection")
 def reject_data(resource_id: str, file_name: str):
 diffs_page = redirect(url_for("metadata_edit.list_diffs"))
@@ -679,6 +682,9 @@ def reject_data(resource_id: str, file_name: str):
 return diffs_page
 
 @metadata_edit.route("<resource_id>/diffs/<file_name>/approve")
+@required_access(
+("group:resource:view-resource", "group:resource:edit-resource"),
+trait_key="trait_name")
 @login_required(pagename="Sample Data Approval")
 def approve_data(resource_id: str, file_name: str):
 from utility.tools import get_setting
diff --git a/wqflask/wqflask/templates/display_files.html b/wqflask/wqflask/templates/display_files.html
index 80464bb1..d0e8cc33 100644
--- a/wqflask/wqflask/templates/display_files.html
+++ b/wqflask/wqflask/templates/display_files.html
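Review bot: The new `required_access` guards on both `reject_data` and `approve_data` are keyed on `trait_key="trait_name"`, yet neither route declares a `trait_name` variable (the paths are `<resource_id>/diffs/<file_name>/reject` and `/approve`), so the decorator presumably reads it from the query string — which is exactly what the display_files.html hunk provides by appending `dataset_name` and `trait_name` to both `url_for` calls. That binds the authorization decision to identifiers the caller supplies rather than to the diff file actually being approved or rejected, so unless the decorator cross-checks the file itself, a request naming a trait the user may edit while pointing `file_name` at a diff for a different trait would pass the check. The handler should take the dataset and trait from the diff file's own metadata (the template reads them from `data.diff.dataset_name` and `data.diff.trait_name`) and refuse the request when they differ from the supplied query values before applying or discarding anything. Two smaller points: `required_access` sits outside `@login_required` and therefore runs before the login check, so confirm it behaves sensibly for an unauthenticated session, and the diffstat for metadata_edits.py is exactly the six added decorator lines, so `required_access` must already be imported elsewhere in the file. Both function bodies continue outside the hunks.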
@@ -43,8 +43,8 @@ <td><a href="{{ file_url }}" target="_blank">{{ data.meta.get("resource_id") }}</a></td> <td>{{ data.meta.get("author")}}</td> <td>{{ data.meta.get("time_stamp")}}</td> - {% set reject_url = url_for('metadata_edit.reject_data', resource_id=data.meta.get('resource_id'), file_name=data.filepath.name) %} - {% set approve_url = url_for('metadata_edit.approve_data', resource_id=data.meta.get('resource_id'), file_name=data.filepath.name) %} + {% set reject_url = url_for('metadata_edit.reject_data', resource_id=data.meta.get('resource_id'), file_name=data.filepath.name, dataset_name=data.diff.dataset_name, trait_name=data.diff.trait_name) %} + {% set approve_url = url_for('metadata_edit.approve_data', resource_id=data.meta.get('resource_id'), file_name=data.filepath.name, dataset_name=data.diff.dataset_name, trait_name=data.diff.trait_name) %} <td> <button type="button" class="btn btn-secondary btn-sm"> |