[ENG-10256] 2.1.9 BE: Fix permission issue where users without permission to an object can access the metadata (#11588)

* Fix permission issue where users without permission to an object can access the metadata (add decorator is_contributor_or_public_resource)

* refactor code

* resolve CR | refactor code

* resolve CR | add unittests

* add  *args, **kwargs for decorated view

Author: mkovalua

framework/auth/decorators.py

@@ -76,6 +76,29 @@ def wrapped(*args, **kwargs):
 
     return wrapped
 
+
+def is_contributor_or_public_resource(resource_kw='resource'):
+    """
+    Require that user be contributor or resource be public.
+    """
+    def decorator(func):
+        @wraps(func)
+        def wrapped(*args, **kwargs):
+            from osf.models import BaseFileNode, Guid
+            referent = kwargs.get(resource_kw)
+            if isinstance(referent, Guid):
+                referent = referent.referent
+            target_resource = referent.target if isinstance(referent, BaseFileNode) else referent
+            if target_resource.is_public:
+                return func(*args, **kwargs)
+            auth = Auth.from_kwargs(request.args.to_dict(), {})
+            if auth.logged_in and target_resource.is_contributor(auth.user):
+                return func(*args, **kwargs)
+            raise HTTPError(http_status.HTTP_403_FORBIDDEN)
+        return wrapped
+    return decorator
+
+
 # TODO Can remove after Waterbutler is sending requests to V2 endpoints.
 # This decorator has been adapted for use in an APIv2 parser - HMACSignedParser
 def must_be_signed(func):

tests/test_auth.py

@@ -722,6 +722,59 @@ def test_must_have_permission_not_logged_in(self, mock_from_kwargs, mock_to_node
             thriller(node=project)
         assert ctx.value.code == http_status.HTTP_401_UNAUTHORIZED
 
+    def decorated_view(self, *args, **kwargs):
+        return 'Success'
+
+    ## 1. Public Access
+    @mock.patch('framework.auth.decorators.Auth.from_kwargs')
+    def test_private_resource_not_allow_anonymous(self, mock_auth):
+        from framework.auth.decorators import is_contributor_or_public_resource
+        decorator = is_contributor_or_public_resource('resource')
+        project = ProjectFactory(is_public=False)
+        mock_auth.return_value = Auth(user=None)
+        decorated_func = decorator(self.decorated_view)
+        with decoratorapp.test_request_context():
+            with pytest.raises(HTTPError) as excinfo:
+                decorated_func(resource=project)
+            assert excinfo.value.code == http_status.HTTP_403_FORBIDDEN
+
+    @mock.patch('framework.auth.decorators.Auth.from_kwargs')
+    def test_public_resource_allow_anonymous(self, mock_auth):
+        from framework.auth.decorators import is_contributor_or_public_resource
+        decorator = is_contributor_or_public_resource('resource')
+        project = ProjectFactory(is_public=True)
+        mock_auth.return_value = Auth(user=None)
+        decorated_func = decorator(self.decorated_view)
+        with decoratorapp.test_request_context():
+            result = decorated_func(resource=project)
+            assert result == 'Success'
+
+    @mock.patch('framework.auth.decorators.Auth.from_kwargs')
+    def test_private_resource_allows_contributor(self, mock_auth):
+        from framework.auth.decorators import is_contributor_or_public_resource
+        user = UserFactory()
+        project = ProjectFactory(is_public=False)
+        project.add_contributor(user, save=True)
+        mock_auth.return_value = Auth(user=user)
+        decorator = is_contributor_or_public_resource('resource')
+        decorated_func = decorator(self.decorated_view)
+        with decoratorapp.test_request_context():
+            result = decorated_func(resource=project)
+            assert result == 'Success'
+
+    @mock.patch('framework.auth.decorators.Auth.from_kwargs')
+    def test_private_resource_not_allow_non_contributor_auth_user(self, mock_auth):
+        from framework.auth.decorators import is_contributor_or_public_resource
+        user = UserFactory()
+        project = ProjectFactory(is_public=False)
+        mock_auth.return_value = Auth(user=user)
+        decorator = is_contributor_or_public_resource('resource')
+        decorated_func = decorator(self.decorated_view)
+        with decoratorapp.test_request_context():
+            with pytest.raises(HTTPError) as excinfo:
+                decorated_func(resource=project)
+            assert excinfo.value.code == http_status.HTTP_403_FORBIDDEN
+
 
 def needs_addon_view(**kwargs):
     return 'openaddon'

website/views.py

@@ -11,7 +11,7 @@
 from flask import request, send_from_directory, Response, stream_with_context
 
 from framework.auth import Auth
-from framework.auth.decorators import must_be_logged_in
+from framework.auth.decorators import must_be_logged_in, is_contributor_or_public_resource
 from framework.auth.forms import SignInForm, ForgotPasswordForm
 from framework.exceptions import HTTPError
 from framework.flask import redirect  # VOL-aware redirect
@@ -297,7 +297,7 @@ def resolve_guid(guid, suffix=None):
     if clean_suffix == 'metadata':
         format_arg = request.args.get('format')
         if format_arg:
-            return guid_metadata_download(guid, resource, format_arg)
+            return guid_metadata_download(guid, resource=resource, metadata_format=format_arg)
         else:
             return use_ember_app()
 
@@ -401,6 +401,7 @@ def get_storage_region_list(user, node=False):
     return available_regions
 
 
+@is_contributor_or_public_resource('resource')
 def guid_metadata_download(guid, resource, metadata_format):
     try:
         result = pls_gather_metadata_file(resource, metadata_format)
@@ -422,4 +423,4 @@ def guid_metadata_download(guid, resource, metadata_format):
 def metadata_download(guid):
     format_arg = request.args.get('format', 'datacite-json')
     resource = Guid.load(guid)
-    return guid_metadata_download(guid, resource, format_arg)
+    return guid_metadata_download(guid, resource=resource, metadata_format=format_arg)