Merge pull request #477 from xchem/m2ms-1153-upload-auth

fix: LHS upload requires authentication (issue 1153)
xchem · Dec 19, 2023 · 0b2ddb6 · 0b2ddb6
2 parents a8d359f + f1be930
commit 0b2ddb6
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/viewer/views.py b/viewer/views.py
@@ -1527,7 +1527,7 @@ def create(self, request):
             return Response(content, status=status.HTTP_208_ALREADY_REPORTED)
 
 
-class UploadTargetExperiments(viewsets.ModelViewSet):
+class UploadTargetExperiments(ISpyBSafeQuerySet):
     serializer_class = serializers.TargetExperimentWriteSerializer
     permission_class = [permissions.IsAuthenticated]
     http_method_names = ('post',)
@@ -1549,8 +1549,20 @@ def create(self, request, *args, **kwargs):
         contact_email = serializer.validated_data['contact_email']
         filename = serializer.validated_data['file']
 
-        # I'm not creating ExperimentUpload object here, so I
-        # suppose there's no point in keeping this as ModelViewSet
+        if settings.AUTHENTICATE_UPLOAD:
+            user = self.request.user
+            if not user.is_authenticated:
+                return redirect(settings.LOGIN_URL)
+            else:
+                if target_access_string not in self.get_proposals_for_user(user):
+                    return Response(
+                        {
+                            "target_access_string": [
+                                f"User {user} is not authorized to upload data to {target_access_string}"
+                            ]
+                        },
+                        status=status.HTTP_400_BAD_REQUEST,
+                    )
 
         # memo to self: cannot use TemporaryDirectory here because task
         temp_path = Path(settings.MEDIA_ROOT).joinpath('tmp')