Observer role

hepdata/config.py

@@ -188,6 +188,7 @@ def _(x):
 CLIENT_TIMEOUT = 298  # Client-side timeout in s (should be slightly smaller than server timeout)
 SIZE_LOAD_CHECK_THRESHOLD = 1 * (1024 * 1024) # Size (bytes) threshold for immediate loading of a table on the records page.
 ADDITIONAL_SIZE_LOAD_CHECK_THRESHOLD = 1 * (1024 * 1024) # Size (bytes) threshold  for disallowing render of additional res files
+OBSERVER_KEY_LENGTH = 8 # The length that the UUID4 observer key is trimmed down to.
 
 CFG_PUB_TYPE = 'publication'
 CFG_DATA_TYPE = 'datatable'

hepdata/modules/converter/views.py

@@ -31,7 +31,7 @@
 from hepdata.config import CFG_CONVERTER_URL, CFG_SUPPORTED_FORMATS, CFG_CONVERTER_TIMEOUT
 
 from hepdata_converter_ws_client import convert, Error
-from hepdata.modules.permissions.api import user_allowed_to_perform_action
+from hepdata.modules.permissions.api import user_allowed_to_perform_action, verify_observer_key
 from hepdata.modules.converter import convert_zip_archive
 from hepdata.modules.submission.api import get_latest_hepsubmission
 from hepdata.modules.submission.models import HEPSubmission, DataResource, DataSubmission
@@ -133,6 +133,8 @@ def download_submission_with_recid(*args, **kwargs):
     :return: download_submission
     """
     recid = kwargs.pop('recid')
+    observer_key = request.args.get('observer_key')
+    key_verified = verify_observer_key(recid, observer_key)
 
     version_count, version_count_all = get_version_count(recid)
     if 'version' in kwargs:
@@ -142,7 +144,7 @@ def download_submission_with_recid(*args, **kwargs):
         version = version_count if version_count else 1
 
     # Check for a user trying to access a version of a publication record where they don't have permissions.
-    if version_count < version_count_all and version == version_count_all:
+    if version_count < version_count_all and version == version_count_all and not key_verified:
         abort(403)
 
     submission = HEPSubmission.query.filter_by(publication_recid=recid, version=version).first()
@@ -352,6 +354,8 @@ def download_data_table_by_recid(*args, **kwargs):
     recid = kwargs.pop('recid')
     table_name = kwargs.pop('table_name')
     rivet = kwargs.pop('rivet', '')
+    observer_key = request.args.get('observer_key')
+    key_verified = verify_observer_key(recid, observer_key)
 
     version_count, version_count_all = get_version_count(recid)
     if 'version' in kwargs:
@@ -361,9 +365,12 @@ def download_data_table_by_recid(*args, **kwargs):
         version = version_count if version_count else 1
 
     # Check for a user trying to access a version of a publication record where they don't have permissions.
-    if version_count < version_count_all and version == version_count_all:
+    if version_count < version_count_all and version == version_count_all and not key_verified:
         abort(403)
 
+    if not key_verified:
+        observer_key = None
+
     datasubmission = None
     original_table_name = table_name
     try:
@@ -389,7 +396,7 @@ def download_data_table_by_recid(*args, **kwargs):
 
     return download_datatable(datasubmission, kwargs.pop('file_format'),
                               submission_id='{0}'.format(recid), table_name=datasubmission.name,
-                              rivet_analysis_name=rivet,
+                              rivet_analysis_name=rivet, observer_key=observer_key,
                               yoda_keep_qualifiers=bool(request.args.get('qualifiers', False)))
 
 
@@ -419,8 +426,13 @@ def download_datatable(datasubmission, file_format, *args, **kwargs):
     """
 
     if file_format == 'json':
-        return redirect('/record/data/{0}/{1}/{2}'.format(datasubmission.publication_recid,
-                                                   datasubmission.id, datasubmission.version))
+        redirect_url = '/record/data/{0}/{1}/{2}'.format(datasubmission.publication_recid,
+                                                   datasubmission.id, datasubmission.version)
+        observer_key = kwargs.get("observer_key")
+        if observer_key:
+            redirect_url += f"?observer_key={observer_key}"
+        return redirect(redirect_url)
+
     elif file_format not in CFG_SUPPORTED_FORMATS:
         return display_error(
             title="The " + file_format + " output format is not supported",

hepdata/modules/dashboard/assets/js/hepdata_dashboard_manage_scripts.js

@@ -185,10 +185,31 @@ $(document).ready(function() {
       });
   }
 
+  function set_observer_key(recid) {
+    /**
+    * Sets the observer key value on the manage submission dashboard widget.
+    *
+    * @param {number} recid - The recid to get observer_key for.
+    */
+
+    // Call for observer key, with the flag to retrieve
+    let observer_promise = HEPDATA.get_observer_key_data(recid, 1);
+
+    observer_promise.then(function(observer_key) {
+      if(observer_key) {
+        // Unhide container, set value and text on the input
+        $('#data_link_container').removeAttr('hidden');
+        $('#direct_data_link').val(observer_key);
+      }
+    });
+    HEPDATA.setup_clipboard("#dashboard_button");
+  }
+
   $(document).on('click', '.manage-submission-trigger', function (event) {
       window.recid = $(this).attr('data-recid');
       HEPDATA.load_all_review_messages("#conversation", $(this).attr('data-recid'));
       process_reviews($(this).attr('data-recid'));
+      set_observer_key($(this).attr('data-recid'));
   });
 
   $(document).on('click', '.conversation-trigger', function (event) {

hepdata/modules/dashboard/templates/hepdata_dashboard/dashboard.html

@@ -7,6 +7,7 @@
 
 {%- block additional_assets %}
   {{ webpack['hepdata-info.css'] }}
+  {{ webpack['toastr.css'] }}
 {%- endblock additional_assets %}
 
 

hepdata/modules/dashboard/templates/hepdata_dashboard/manager-widget.html

@@ -29,10 +29,19 @@ <h4 class="modal-title" id="codeDialogLabel">Manage Submission</h4>
 
             </div>
             <div class="clearfix"></div>
-            <div class="modal-footer">
-                <button type="button" class="btn btn-default pull-right" data-dismiss="modal" aria-label="Close">Close
+            <div id="manager-footer" class="modal-footer">
+                <div id="data_link_message">
+                  You can use this URL to allow any user observer access without special permissions:
+                </div>
+                <div id="data_link_container" hidden>
+                  <input id="direct_data_link" class="data_link" value="" readonly>
+                  <button id="dashboard_button" class="btn btn-small copy-btn-style" data-clipboard-target="#direct_data_link">
+                    <i class="fa fa-copy" alt="Copy to clipboard"></i>
+                  </button>
+                </div>
+                <button id="manager-close" type="button" class="btn btn-default pull-right" data-dismiss="modal" aria-label="Close">
+                  Close
                 </button>
-
             </div>
         </div>
     </div>

hepdata/modules/email/api.py

@@ -34,7 +34,8 @@
 
 from hepdata.modules.permissions.models import CoordinatorRequest
 from hepdata.modules.submission.api import get_latest_hepsubmission, \
-    get_primary_submission_participants_for_record, get_submission_participants_for_record
+    get_primary_submission_participants_for_record, get_submission_participants_for_record, \
+    get_or_create_submission_observer
 from hepdata.modules.submission.models import HEPSubmission, DataSubmission, DataReview
 from hepdata.utils.users import get_user_from_id
 from invenio_accounts.models import User
@@ -460,6 +461,12 @@ def notify_submission_created(record, coordinator_id, uploader, reviewer):
 
     collaboration = _get_collaboration(coordinator_id)
 
+    # Get any SubmissionObserver object entry for this ID
+    submission_observer = get_or_create_submission_observer(record['recid'])
+
+    # Generate the observer access URL with key in
+    observer_url = f"{site_url}/record/{record['recid']}?observer_key={submission_observer.observer_key}"
+
     message_body = render_template('hepdata_theme/email/created.html',
                                    name=name,
                                    actor=coordinator.email,
@@ -469,7 +476,8 @@ def notify_submission_created(record, coordinator_id, uploader, reviewer):
                                    article=record['recid'],
                                    title=record['title'],
                                    site_url=site_url,
-                                   link=site_url + "/record/{0}".format(record['recid']))
+                                   link=site_url + "/record/{0}".format(record['recid']),
+                                   observer_url=observer_url)
 
     create_send_email_task(coordinator.email,
                            '[HEPData] Submission {0} has been created'.format(record['recid']),

hepdata/modules/permissions/api.py

@@ -19,19 +19,23 @@
 # In applying this license, CERN does not
 # waive the privileges and immunities granted to it by virtue of its status
 # as an Intergovernmental Organization or submit itself to any jurisdiction.
-
+import logging
 
 from functools import partial
 from operator import is_not
 
 from flask_login import current_user
 from sqlalchemy import or_
 
+from hepdata.config import OBSERVER_KEY_LENGTH
 from hepdata.modules.permissions.models import SubmissionParticipant, CoordinatorRequest
 from hepdata.modules.records.utils.common import get_record_contents
-from hepdata.modules.submission.models import HEPSubmission
+from hepdata.modules.submission.models import HEPSubmission, SubmissionObserver
 from hepdata.utils.users import get_user_from_id, user_is_admin
 
+logging.basicConfig()
+log = logging.getLogger(__name__)
+
 
 def get_records_participated_in_by_user(user):
     _current_user_id = user.id
@@ -194,3 +198,40 @@ def write_submissions_to_files():
 
     csvfile.close()
     csvfile1.close()
+
+
+def verify_observer_key(submission_id, observer_key):
+    """
+    Verifies the access key used to access a submission without
+    login requirement.
+    :param int submission_id:  The requested HEPSubmission for access
+    :param str observer_key: The access key used to access the submission
+    :returns: Bool representing match status against database
+    """
+
+    # Validate inputs
+    if submission_id is None or observer_key is None:
+        return False
+
+    try:
+        submission_id = int(submission_id)
+    except (ValueError, TypeError):
+        log.warning(f"Invalid submission_id format: {submission_id}")
+        return False
+
+    if len(observer_key) != OBSERVER_KEY_LENGTH:
+        log.warning(f"Invalid observer_key length for submission {submission_id}")
+        return False
+    try:
+        submission_observer = SubmissionObserver.query.filter_by(
+            publication_recid=submission_id,
+            observer_key=observer_key
+        ).first()
+
+        result = submission_observer is not None
+
+        return result
+
+    except Exception as e:
+        log.error(f"Database error in verify_observer_key: {e}")
+        return False

hepdata/modules/records/api.py

@@ -41,7 +41,7 @@
 from hepdata.modules.converter import convert_oldhepdata_to_yaml
 from hepdata.modules.email.api import send_cookie_email
 from hepdata.modules.email.utils import create_send_email_task
-from hepdata.modules.permissions.api import user_allowed_to_perform_action
+from hepdata.modules.permissions.api import user_allowed_to_perform_action, verify_observer_key
 from hepdata.modules.permissions.models import SubmissionParticipant
 from hepdata.modules.records.subscribers.api import is_current_user_subscribed_to_record
 from hepdata.modules.records.utils.common import decode_string, find_file_in_directory, allowed_file, \
@@ -51,7 +51,8 @@
 from hepdata.modules.records.utils.json_ld import get_json_ld
 from hepdata.modules.records.utils.submission import process_submission_directory, \
     create_data_review, cleanup_submission, clean_error_message_for_display
-from hepdata.modules.submission.api import get_latest_hepsubmission, get_submission_participants_for_record
+from hepdata.modules.submission.api import get_latest_hepsubmission, get_submission_participants_for_record, \
+    get_or_create_submission_observer
 from hepdata.modules.records.utils.users import get_coordinators_in_system, has_role
 from hepdata.modules.records.utils.workflow import update_action_for_submission_participant
 from hepdata.modules.records.utils.yaml_utils import split_files
@@ -62,7 +63,8 @@
     HEPSubmission,
     RecordVersionCommitMessage,
     RelatedRecid,
-    RelatedTable
+    RelatedTable,
+    SubmissionObserver
 )
 from hepdata.utils.file_extractor import extract
 from hepdata.utils.miscellaneous import sanitize_html, get_resource_data
@@ -370,7 +372,7 @@ def extract_journal_info(record):
             record['journal_info'] = "Conference Paper"
 
 
-def render_record(recid, record, version, output_format, light_mode=False):
+def render_record(recid, record, version, output_format, light_mode=False, observer_key=None):
 
     # Count number of all versions and number of finished versions of a publication record.
     version_count_all = HEPSubmission.query.filter(HEPSubmission.publication_recid == recid,
@@ -385,20 +387,24 @@ def render_record(recid, record, version, output_format, light_mode=False):
     if version == -1:
         version = version_count if version_count else 1
 
-    # Check for a user trying to access a version of a publication record where they don't have permissions.
-    if version_count < version_count_all and version == version_count_all:
-        # Prompt the user to login if they are not authenticated then redirect, otherwise return a 403 error.
-        if not current_user.is_authenticated:
-            redirect_url_after_login = '%2Frecord%2F{0}%3Fversion%3D{1}%26format%3D{2}'.format(recid, version, output_format)
-            if 'table' in request.args:
-                redirect_url_after_login += '%26table%3D{0}'.format(request.args['table'])
-            if output_format.startswith('yoda') and 'rivet' in request.args:
-                redirect_url_after_login += '%26rivet%3D{0}'.format(request.args['rivet'])
-            if output_format.startswith('yoda') and 'qualifiers' in request.args:
-                redirect_url_after_login += '%26qualifiers%3D{0}'.format(request.args['qualifiers'])
-            return redirect('/login/?next={0}'.format(redirect_url_after_login))
-        else:
-            abort(403)
+    key_verified = verify_observer_key(recid, observer_key)
+
+    # We skip the version check if the access key matches
+    if not key_verified:
+        # Check for a user trying to access a version of a publication record where they don't have permissions.
+        if version_count < version_count_all and version == version_count_all:
+            # Prompt the user to login if they are not authenticated then redirect, otherwise return a 403 error.
+            if not current_user.is_authenticated:
+                redirect_url_after_login = '%2Frecord%2F{0}%3Fversion%3D{1}%26format%3D{2}'.format(recid, version, output_format)
+                if 'table' in request.args:
+                    redirect_url_after_login += '%26table%3D{0}'.format(request.args['table'])
+                if output_format.startswith('yoda') and 'rivet' in request.args:
+                    redirect_url_after_login += '%26rivet%3D{0}'.format(request.args['rivet'])
+                if output_format.startswith('yoda') and 'qualifiers' in request.args:
+                    redirect_url_after_login += '%26qualifiers%3D{0}'.format(request.args['qualifiers'])
+                return redirect('/login/?next={0}'.format(redirect_url_after_login))
+            else:
+                abort(403)
 
     hepdata_submission = get_latest_hepsubmission(publication_recid=recid, version=version)
 
@@ -413,6 +419,16 @@ def render_record(recid, record, version, output_format, light_mode=False):
             ctx['record_type'] = 'publication'
             ctx['related_recids'] = get_record_data_list(hepdata_submission, "related")
             ctx['related_to_this_recids'] = get_record_data_list(hepdata_submission, "related_to_this")
+            ctx['overall_status'] = hepdata_submission.overall_status
+
+
+            if key_verified and observer_key:
+                ctx['observer_key'] = observer_key
+            elif hepdata_submission.overall_status == 'todo':
+                observer = get_or_create_submission_observer(hepdata_submission.publication_recid)
+
+                if observer and has_coordinator_permissions(recid, current_user):
+                    ctx['observer_key'] = observer.observer_key
 
             increment(recid)
 
@@ -541,7 +557,12 @@ def create_new_version(recid, user, notify_uploader=True, uploader_message=None)
                                            inspire_id=hepsubmission.inspire_id,
                                            coordinator=hepsubmission.coordinator,
                                            version=hepsubmission.version + 1)
+
+        # Gets a generated or new SubmissionObserver object
+        observer_key = get_or_create_submission_observer(_rev_hepsubmission.publication_recid, regenerate=True)
+
         db.session.add(_rev_hepsubmission)
+        db.session.add(observer_key)
         db.session.commit()
 
         if notify_uploader: