From d3fd64fb5237febb9628c4ccbd259969327ab2ec Mon Sep 17 00:00:00 2001 From: Frederick Muriuki Muriithi Date: Mon, 29 Jul 2024 14:38:32 -0500 Subject: Put endpoints behind an authorisation check Put all endpoints that cause data changes behind authorisation. --- uploader/dbinsert.py | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'uploader/dbinsert.py') diff --git a/uploader/dbinsert.py b/uploader/dbinsert.py index 88d16ef..66b0c41 100644 --- a/uploader/dbinsert.py +++ b/uploader/dbinsert.py @@ -11,6 +11,7 @@ from flask import ( flash, request, url_for, Blueprint, redirect, render_template, current_app as app) +from uploader.authorisation import require_login from uploader.db_utils import with_db_connection, database_connection from uploader.db import species, species_by_id, populations_by_species @@ -90,6 +91,7 @@ def tissues() -> tuple: return tuple() @dbinsertbp.route("/platform", methods=["POST"]) +@require_login def select_platform(): "Select the platform (GeneChipId) used for the data." job_id = request.form["job_id"] @@ -113,6 +115,7 @@ def select_platform(): return render_error("Unknown error") @dbinsertbp.route("/study", methods=["POST"]) +@require_login def select_study(): "View to select/create the study (ProbeFreeze) associated with the data." form = request.form @@ -142,6 +145,7 @@ def select_study(): return render_error(f"Missing data: {aserr.args[0]}") @dbinsertbp.route("/create-study", methods=["POST"]) +@require_login def create_study(): "Create a new study (ProbeFreeze)." form = request.form @@ -218,6 +222,7 @@ def dataset_datascales() -> tuple: return tuple() @dbinsertbp.route("/dataset", methods=["POST"]) +@require_login def select_dataset(): "Select the dataset to add the file contents against" form = request.form 
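Review bot: Judging by its name, `require_login` only establishes that the session is authenticated, so in `select_platform` the value read by `job_id = request.form["job_id"]` is still accepted from any logged-in user. Nothing visible in this hunk ties the job to the caller, and the decorator itself is defined in `uploader/authorisation`, which is not shown here. If jobs are meant to be per-user, add an ownership check next to the lookup and record the gap meanwhile with a comment such as `# NOTE: require_login authenticates only; confirm job_id belongs to the current user before acting on it`. The same applies to the other views decorated in this commit (`select_study`, `create_study`, `select_dataset`, `create_dataset`, `final_confirmation`), and most of all to `insert_data`, which triggers the database write. The bodies of all these functions continue outside their hunks, so an existing check there cannot be ruled out.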
@@ -238,6 +243,7 @@ def select_dataset(): return render_error(f"Missing data: {aserr.args[0]}") @dbinsertbp.route("/create-dataset", methods=["POST"]) +@require_login def create_dataset(): "Select the dataset to add the file contents against" form = request.form @@ -317,6 +323,7 @@ def selected_keys(original: dict, keys: tuple) -> dict: return {key: value for key,value in original.items() if key in keys} @dbinsertbp.route("/final-confirmation", methods=["POST"]) +@require_login def final_confirmation(): "Preview the data before triggering entry into the database" form = request.form @@ -352,6 +359,7 @@ def final_confirmation(): return render_error(f"Missing data: {aserr.args[0]}") @dbinsertbp.route("/insert-data", methods=["POST"]) +@require_login def insert_data(): "Trigger data insertion" form = request.form -- cgit v1.2.3
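Review bot: The docstring on `create_dataset` is a copy of the one on `select_dataset` (`"Select the dataset to add the file contents against"`) and misdescribes the view routed at `/create-dataset`. Since this commit makes it a login-gated write path, the docstring should say what the view changes and that it requires an authenticated session, for example `"Create a new dataset to add the file contents against. Requires login."`. The function body continues outside the hunk, so the exact wording should be checked against what it actually writes.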