Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MVJ-112: area search attachments: hide user and attachment path from API response in public #819

Merged
merged 4 commits into from
Feb 7, 2025
Merged

MVJ-112: area search attachments: hide user and attachment path from API response in public #819

merged 4 commits into from
Feb 7, 2025
+378 −22

Conversation

NC-jsAhonen
Copy link
Contributor

@NC-jsAhonen NC-jsAhonen commented Jan 24, 2025
edited
Loading

With these changes, the API response to the POST requests will hide sensitive information about the attachments.

henrinie-nc
henrinie-nc requested changes Jan 24, 2025
View reviewed changes
Copy link
Contributor

@henrinie-nc henrinie-nc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about forms attachment?

@NC-jsAhonen NC-jsAhonen force-pushed the MVJ-112-api-does-not-give-file-url-in-response branch 2 times, most recently from 7cde77f to 9863eb9 Compare January 27, 2025 09:26
@NC-jsAhonen
Copy link
Contributor Author

How about forms attachment?

Now added.

@henrinie-nc
Copy link
Contributor

henrinie-nc commented Jan 27, 2025
edited
Loading

Looks good! It could be useful to add a comment, or add the list of fields in a named variable to indicate what is being done and why

henrinie-nc
henrinie-nc requested changes Jan 27, 2025
View reviewed changes
Copy link
Contributor

@henrinie-nc henrinie-nc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed the approve to request changes, realized that this should also include tests.

@NC-jsAhonen
Copy link
Contributor Author

Created variables for the excluded fields and commented. They turned out to be useful in the unit tests as well.

henrinie-nc
henrinie-nc reviewed Jan 29, 2025
View reviewed changes
forms/tests/test_api.py Outdated


@pytest.mark.django_db
def test_area_search_attachment_post_public(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this test exist in the areasearch app?

henrinie-nc
henrinie-nc reviewed Jan 29, 2025
View reviewed changes
forms/tests/test_api.py
@@ -430,6 +432,97 @@ def test_attachment_delete(
assert os.path.isfile(file_path) is False


@pytest.mark.django_db
def test_attachment_post_public(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test name could clarify what is it testing for, and enhanced with comments. It is not very clear what is being tested, the name indicates it is just to test that the endpoint works

henrinie-nc
henrinie-nc reviewed Jan 29, 2025
View reviewed changes
forms/tests/test_api.py
)
== 0
)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about testing the areasearch endpoint, that it doesnt return the undesired fields?

henrinie-nc
henrinie-nc reviewed Feb 3, 2025
View reviewed changes
forms/tests/test_api.py Outdated Show resolved Hide resolved
henrinie-nc
henrinie-nc reviewed Feb 3, 2025
View reviewed changes
forms/tests/test_api.py Outdated
response = admin_client.post(url, data=payload, content_type="application/json")

# When an answer is created, the HTTP response should not contain attachments
assert response.json().get("attachments") is None
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It could also be checked that the key does not exist, this makes it seem a little bit that test expects the key to be there and value to be None

henrinie-nc
henrinie-nc reviewed Feb 3, 2025
View reviewed changes
forms/tests/test_api.py Outdated Show resolved Hide resolved
henrinie-nc
henrinie-nc reviewed Feb 3, 2025
View reviewed changes
utils/viewsets/mixins.py Outdated
@@ -165,3 +165,9 @@ def update(self, request, *args, **kwargs):
@action(methods=["get"], detail=True)
def download(self, request, pk=None, file_field: str | None = None):
return FileDownloadMixin.download(self, request, pk, file_field=file_field)


class DisablePublicDownloadMixin:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like a good addition! What do you think about the following approach: Implement two versions of the FileMixin, one that allows only upload, and one that allows upload and download? There is potential that having this disable makes it a bit messy regarding the mixins. If there were two options to choose from, it might be easier to realize that there is this difference

@henrinie-nc
Copy link
Contributor

Would it make sense to also test the serializers? Hopefully that would be rather simple, but would confirm they work as intended down the line.

henrinie-nc
henrinie-nc reviewed Feb 5, 2025
View reviewed changes
plotsearch/tests/api/test_plot_search.py
assert os.path.isfile(file_path) is True
response = admin_client.delete(url)

assert response.status_code == 405
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The 405 could come from from rest_framework import status, status.HTTP_405_METHOD_NOT_ALLOWED

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@henrinie-nc That is a good and refined approach because it makes sure that the status code is exactly the same what Django Rest Framework uses, but I'm not sure if it's an improvement here over a plain understandable status code number.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed it doesnt add anything to the comparison, but I think it helps humans reading it to realize what is expected

juho-kettunen-nc
juho-kettunen-nc requested changes Feb 5, 2025
View reviewed changes
Copy link
Contributor

@juho-kettunen-nc juho-kettunen-nc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My change requests are about test understandability. I didn't find holes in the implementation when I tested it locally. Good work! Some of Henri's comments should be addressed or replied to.

plotsearch/tests/api/test_plot_search.py Show resolved Hide resolved
plotsearch/tests/api/test_plot_search.py Outdated Show resolved Hide resolved
plotsearch/tests/api/test_plot_search.py Show resolved Hide resolved
plotsearch/tests/api/test_plot_search.py Show resolved Hide resolved
plotsearch/tests/api/test_plot_search.py Outdated Show resolved Hide resolved
plotsearch/tests/api/test_plot_search.py
assert os.path.isfile(file_path) is True
response = admin_client.delete(url)

assert response.status_code == 405
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@henrinie-nc That is a good and refined approach because it makes sure that the status code is exactly the same what Django Rest Framework uses, but I'm not sure if it's an improvement here over a plain understandable status code number.

plotsearch/tests/serializers/test_plot_search_serializers.py Outdated Show resolved Hide resolved
plotsearch/tests/serializers/test_plot_search_serializers.py Outdated Show resolved Hide resolved
@NC-jsAhonen NC-jsAhonen force-pushed the MVJ-112-api-does-not-give-file-url-in-response branch from 4552312 to a2643e3 Compare February 6, 2025 11:41
juho-kettunen-nc
juho-kettunen-nc approved these changes Feb 7, 2025
View reviewed changes
Copy link
Contributor

@juho-kettunen-nc juho-kettunen-nc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My grievances have been addressed. We will fix merge conflicts later today, because my yesterday's merge touched the same files.

@NC-jsAhonen
remove unnecessary and sensitive data from attachment public endpoint…
d22333d 
… responses
@NC-jsAhonen
disable downloading in public attachment viewsets
7c1e9a3 
test_attachment_upload: remove docstring

test forms attachment upload and download: rename functions and improve comments

excluded attachment fields: improve commenting

use pytest raises

improve assert

test serializers
@NC-jsAhonen
AttachmentPublicViewset: add method not allowed to DELETE
98432fd
@NC-jsAhonen NC-jsAhonen force-pushed the MVJ-112-api-does-not-give-file-url-in-response branch 3 times, most recently from 1d75dba to 6004e28 Compare February 7, 2025 13:51
@NC-jsAhonen NC-jsAhonen force-pushed the MVJ-112-api-does-not-give-file-url-in-response branch from 6004e28 to 4b646a7 Compare February 7, 2025 14:23
@NC-jsAhonen NC-jsAhonen merged commit 2783b9e into develop Feb 7, 2025
2 checks passed
@NC-jsAhonen NC-jsAhonen deleted the MVJ-112-api-does-not-give-file-url-in-response branch February 7, 2025 14:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@henrinie-nc henrinie-nc henrinie-nc requested changes

@juho-kettunen-nc juho-kettunen-nc juho-kettunen-nc approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@NC-jsAhonen @henrinie-nc @juho-kettunen-nc