Implement disable/enable tree (#382)

* Implement disable/enable tree

* Update apispec

Author: DavidMStraub

alembic_users/versions/22c8d1fba959_add_trees_enabled.py

@@ -0,0 +1,28 @@
+"""Add trees.enabled
+
+Revision ID: 22c8d1fba959
+Revises: 66e56620891a
+Create Date: 2023-06-19 15:31:06.235185
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '22c8d1fba959'
+down_revision = '66e56620891a'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('trees', sa.Column('enabled', sa.Integer(), server_default='1', nullable=True))
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column('trees', 'enabled')
+    # ### end Alembic commands ###

gramps_webapi/api/__init__.py

@@ -85,7 +85,12 @@
 )
 from .resources.transactions import TransactionsResource
 from .resources.translations import TranslationResource, TranslationsResource
-from .resources.trees import TreeResource, TreesResource
+from .resources.trees import (
+    DisableTreeResource,
+    EnableTreeResource,
+    TreeResource,
+    TreesResource,
+)
 from .resources.types import (
     CustomTypeResource,
     CustomTypesResource,
@@ -167,6 +172,8 @@ def register_endpt(resource: Type[Resource], url: str, name: str):
 # Trees
 register_endpt(TreeResource, "/trees/<string:tree_id>", "tree")
 register_endpt(TreesResource, "/trees/", "trees")
+register_endpt(DisableTreeResource, "/trees/<string:tree_id>/disable", "disable_tree")
+register_endpt(EnableTreeResource, "/trees/<string:tree_id>/enable", "enable_tree")
 # Types
 register_endpt(CustomTypeResource, "/types/custom/<string:datatype>", "custom-type")
 register_endpt(CustomTypesResource, "/types/custom/", "custom-types")

gramps_webapi/api/resources/token.py

@@ -35,6 +35,7 @@
     get_guid,
     get_name,
     get_permissions,
+    is_tree_disabled,
 )
 from ...auth.const import CLAIM_LIMITED_SCOPE, SCOPE_CREATE_ADMIN, SCOPE_CREATE_OWNER
 from ...const import TREE_MULTI
@@ -80,9 +81,11 @@ def post(self, args):
             abort(401)
         if not authorized(args.get("username"), args.get("password")):
             abort(403)
-        permissions = get_permissions(args["username"])
         user_id = get_guid(args["username"])
         tree_id = get_tree_id(user_id)
+        if is_tree_disabled(tree=tree_id):
+            abort(503)
+        permissions = get_permissions(args["username"])
         return get_tokens(
             user_id=user_id,
             permissions=permissions,
@@ -102,8 +105,10 @@ def post(self):
             username = get_name(user_id)
         except ValueError:
             abort(401)
-        permissions = get_permissions(username)
         tree_id = get_tree_id(user_id)
+        if is_tree_disabled(tree=tree_id):
+            abort(503)
+        permissions = get_permissions(username)
         return get_tokens(
             user_id=user_id,
             permissions=permissions,

gramps_webapi/api/resources/trees.py

@@ -29,9 +29,10 @@
 from webargs import fields
 from werkzeug.security import safe_join
 
-from ...auth import get_tree_usage, set_tree_quota
+from ...auth import disable_enable_tree, get_tree_usage, set_tree_quota
 from ...auth.const import (
     PERM_ADD_TREE,
+    PERM_DISABLE_TREE,
     PERM_EDIT_OTHER_TREE,
     PERM_EDIT_TREE,
     PERM_EDIT_TREE_QUOTA,
@@ -170,3 +171,36 @@ def put(self, args, tree_id: str):
                 if args.get(quota) is not None:
                     rv.update({quota: args[quota]})
         return rv
+
+
+class DisableEnableTreeResource(ProtectedResource):
+    """Base class for disabling or enabling a tree."""
+
+    def _post_disable_enable_tree(self, tree_id: str, disabled: bool):
+        """Disable or enable a tree."""
+        if current_app.config["TREE"] != TREE_MULTI:
+            abort(405)
+        if tree_id == "-":
+            # own tree
+            tree_id = get_tree_from_jwt()
+        if not tree_exists(tree_id):
+            abort(404)
+        require_permissions([PERM_DISABLE_TREE])
+        disable_enable_tree(tree=tree_id, disabled=disabled)
+        return "", 201
+
+
+class DisableTreeResource(DisableEnableTreeResource):
+    """Resource for disabling a tree."""
+
+    def post(self, tree_id: str):
+        """Disable a tree."""
+        return self._post_disable_enable_tree(tree_id=tree_id, disabled=True)
+
+
+class EnableTreeResource(DisableEnableTreeResource):
+    """Resource for enabling a tree."""
+
+    def post(self, tree_id: str):
+        """Disable a tree."""
+        return self._post_disable_enable_tree(tree_id=tree_id, disabled=False)

gramps_webapi/api/tasks.py

@@ -37,7 +37,6 @@
 from .util import (
     check_quota_people,
     get_config,
-    get_db_manager,
     get_db_outside_request,
     get_search_indexer,
     send_email,
@@ -93,8 +92,7 @@ def send_email_new_user(username: str, fullname: str, email: str, tree: str):
 def _search_reindex_full(tree) -> None:
     """Rebuild the search index."""
     indexer = get_search_indexer(tree)
-    db_manager = get_db_manager(tree)
-    db = db_manager.get_db().db
+    db = get_db_outside_request(tree=tree, view_private=True, readonly=True)
     try:
         indexer.reindex_full(db)
     finally:
@@ -110,8 +108,7 @@ def search_reindex_full(tree) -> None:
 def _search_reindex_incremental(tree) -> None:
     """Run an incremental reindex of the search index."""
     indexer = get_search_indexer(tree)
-    db_manager = get_db_manager(tree)
-    db = db_manager.get_db().db
+    db = get_db_outside_request(tree=tree, view_private=True, readonly=True)
     try:
         indexer.reindex_incremental(db)
     finally:
@@ -131,8 +128,7 @@ def import_file(tree: str, file_name: str, extension: str, delete: bool = True):
     if object_counts is None:
         raise ValueError(f"Failed importing {file_name}")
     check_quota_people(to_add=object_counts["people"], tree=tree)
-    db_manager = get_db_manager(tree)
-    db_handle = db_manager.get_db().db
+    db_handle = get_db_outside_request(tree=tree, view_private=True, readonly=True)
     run_import(
         db_handle=db_handle,
         file_name=file_name,

gramps_webapi/auth/__init__.py

@@ -351,6 +351,26 @@ def set_tree_quota(
     user_db.session.commit()  # pylint: disable=no-member
 
 
+def disable_enable_tree(tree: str, disabled: bool) -> None:
+    """Disable or enable a tree."""
+    query = user_db.session.query(Tree)  # pylint: disable=no-member
+    tree_obj = query.filter_by(id=tree).scalar()
+    if not tree_obj:
+        tree_obj = Tree(id=tree)
+    tree_obj.enabled = 0 if disabled else 1
+    user_db.session.add(tree_obj)  # pylint: disable=no-member
+    user_db.session.commit()  # pylint: disable=no-member
+
+
+def is_tree_disabled(tree: str) -> bool:
+    """Check if tree is disabled."""
+    query = user_db.session.query(Tree)  # pylint: disable=no-member
+    tree_obj = query.filter_by(id=tree).scalar()
+    if not tree_obj:
+        return False
+    return tree_obj.enabled == 0
+
+
 class User(user_db.Model):
     """User table class for sqlalchemy."""
 
@@ -393,6 +413,7 @@ class Tree(user_db.Model):
     quota_people = sa.Column(sa.Integer)
     usage_media = sa.Column(sa.Integer)
     usage_people = sa.Column(sa.Integer)
+    enabled = sa.Column(sa.Integer, default=1, server_default="1")
 
     def __repr__(self):
         """Return string representation of instance."""

gramps_webapi/auth/const.py

@@ -41,6 +41,7 @@
 PERM_EDIT_OTHER_TREE = "EditOtherTree"
 PERM_ADD_TREE = "AddTree"
 PERM_EDIT_TREE_QUOTA = "EditTreeQuota"
+PERM_DISABLE_TREE = "DisableTree"
 
 # User permissions
 PERM_ADD_USER = "AddUser"
@@ -110,6 +111,7 @@
     PERM_EDIT_OTHER_TREE,
     PERM_EDIT_TREE_QUOTA,
     PERM_ADD_TREE,
+    PERM_DISABLE_TREE,
 }
 
 # keys/values for user claims

gramps_webapi/data/apispec.yaml

@@ -6809,6 +6809,59 @@ paths:
         422:
           description: "Unprocessable Entity: Invalid token."
 
+  /trees/{tree_id}/disable:
+    parameters:
+      - name: tree_id
+        in: path
+        required: true
+        type: string
+        description: "The tree ID."
+    post:
+      tags:
+      - trees
+      summary: "Disable a tree."
+      operationId: disableTree
+      security:
+        - Bearer: []
+      responses:
+        201:
+          description: "OK: Successful operation."
+        401:
+          description: "Unauthorized: Missing authorization header."
+        403:
+          description: "Unauthorized: insufficient permissions."
+        404:
+          description: "Not found: tree does not exist."
+        405:
+          description: "Method Not Allowed in single-tree setup."
+
+
+  /trees/{tree_id}/enable:
+    parameters:
+      - name: tree_id
+        in: path
+        required: true
+        type: string
+        description: "The tree ID."
+    post:
+      tags:
+      - trees
+      summary: "Enable a tree."
+      operationId: enableTree
+      security:
+        - Bearer: []
+      responses:
+        201:
+          description: "OK: Successful operation."
+        401:
+          description: "Unauthorized: Missing authorization header."
+        403:
+          description: "Unauthorized: insufficient permissions."
+        404:
+          description: "Not found: tree does not exist."
+        405:
+          description: "Method Not Allowed in single-tree setup."
+
 
 ##############################################################################
 # Model definitions

tests/test_endpoints/test_trees.py

@@ -166,3 +166,97 @@ def test_rename_tree(self):
         )
         assert rv.status_code == 200
         assert rv.json == {"old_name": "my old name", "new_name": "my new name"}
+
+    def test_disable_tree(self):
+        # fetch tokens
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "owner", "password": "123"}
+        )
+        assert rv.status_code == 200
+        token_owner = rv.json["access_token"]
+        token_owner_refresh = rv.json["refresh_token"]
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "admin", "password": "123"}
+        )
+        assert rv.status_code == 200
+        token_admin = rv.json["access_token"]
+        # owner can't disable
+        rv = self.client.post(
+            BASE_URL + f"/trees/{self.tree}/disable",
+            headers={"Authorization": f"Bearer {token_owner}"},
+        )
+        assert rv.status_code == 403
+        # admin can disable
+        rv = self.client.post(
+            BASE_URL + f"/trees/{self.tree}/disable",
+            headers={"Authorization": f"Bearer {token_admin}"},
+        )
+        assert rv.status_code == 201
+        # token does not work
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "owner", "password": "123"}
+        )
+        assert rv.status_code == 503
+        rv = self.client.post(
+            BASE_URL + "/token/refresh/",
+            headers={"Authorization": f"Bearer {token_owner_refresh}"},
+        )
+        assert rv.status_code == 503
+        rv = self.client.post(
+            BASE_URL + f"/trees/{self.tree}/enable",
+            headers={"Authorization": f"Bearer {token_admin}"},
+        )
+        assert rv.status_code == 201
+        # works again
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "owner", "password": "123"}
+        )
+        assert rv.status_code == 200
+        rv = self.client.post(
+            BASE_URL + "/token/refresh/",
+            headers={"Authorization": f"Bearer {token_owner_refresh}"},
+        )
+        assert rv.status_code == 200
+        # and disable again
+        rv = self.client.post(
+            BASE_URL + f"/trees/{self.tree}/disable",
+            headers={"Authorization": f"Bearer {token_admin}"},
+        )
+        assert rv.status_code == 201
+        # token does not work
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "owner", "password": "123"}
+        )
+        assert rv.status_code == 503
+        rv = self.client.post(
+            BASE_URL + "/token/refresh/",
+            headers={"Authorization": f"Bearer {token_owner_refresh}"},
+        )
+        assert rv.status_code == 503
+        rv = self.client.post(
+            BASE_URL + f"/trees/{self.tree}/enable",
+            headers={"Authorization": f"Bearer {token_admin}"},
+        )
+        assert rv.status_code == 201
+        # works again
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "owner", "password": "123"}
+        )
+        assert rv.status_code == 200
+        rv = self.client.post(
+            BASE_URL + "/token/refresh/",
+            headers={"Authorization": f"Bearer {token_owner_refresh}"},
+        )
+        assert rv.status_code == 200
+
+    def test_disable_nonexistant_tree(self):
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "admin", "password": "123"}
+        )
+        assert rv.status_code == 200
+        token_admin = rv.json["access_token"]
+        rv = self.client.post(
+            BASE_URL + "/trees/idontexist/disable",
+            headers={"Authorization": f"Bearer {token_admin}"},
+        )
+        assert rv.status_code == 404