Merge pull request #64 from goat-community/feature/expressions

fix: add auth_lite to unique-value & enable auth_z for project publis…

Author: majkshkurti

src/endpoints/v2/layer.py

@@ -14,13 +14,15 @@
     HTTPException,
     Path,
     Query,
+    Request,
     UploadFile,
     status,
 )
 from fastapi.responses import FileResponse, JSONResponse
 from fastapi_pagination import Page
 from fastapi_pagination import Params as PaginationParams
 from pydantic import UUID4
+from sqlmodel import select
 
 from src.core.config import settings
 
@@ -32,15 +34,17 @@
 from src.crud.crud_layer import CRUDLayerDatasetUpdate, CRUDLayerExport, CRUDLayerImport
 from src.crud.crud_layer import layer as crud_layer
 from src.crud.crud_layer_project import layer_project as crud_layer_project
+from src.db.models._link_model import LayerProjectLink
 from src.db.models.layer import (
     FeatureUploadType,
     FileUploadType,
     Layer,
     LayerType,
     TableUploadType,
 )
+from src.db.models.project import ProjectPublic
 from src.db.session import AsyncSession
-from src.deps.auth import auth_z
+from src.deps.auth import auth_z, auth_z_lite
 from src.endpoints.deps import get_db, get_user_id
 from src.schemas.common import OrderEnum
 from src.schemas.error import HTTPErrorHandler
@@ -684,9 +688,10 @@ async def get_area_statistics(
     summary="Get unique values of a column",
     response_model=Page[IUniqueValue],
     status_code=200,
-    dependencies=[Depends(auth_z)],
+    # dependencies=[Depends(auth_z)],
 )
 async def get_unique_values(
+    request: Request,
     async_session: AsyncSession = Depends(get_db),
     page_params: PaginationParams = Depends(),
     layer_id: UUID4 = Path(
@@ -712,6 +717,30 @@ async def get_unique_values(
 ):
     """Get unique values of a column. Based on the passed CQL-filter and order."""
 
+    # Check authorization status
+    try:
+        await auth_z_lite(request, async_session)
+    except HTTPException:
+
+        public_layer = (
+            select(LayerProjectLink)
+            .join(
+                ProjectPublic,
+                LayerProjectLink.project_id == ProjectPublic.project_id,
+            )
+            .where(
+                LayerProjectLink.layer_id == layer_id,
+            )
+            .limit(1)
+        )
+        result = await async_session.execute(public_layer)
+        public_layer = result.scalars().first()
+        # Check if layer is public
+        if not public_layer:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized"
+            )
+
     with HTTPErrorHandler():
         values = await crud_layer.get_unique_values(
             async_session=async_session,

src/endpoints/v2/project.py

@@ -1,7 +1,16 @@
-from typing import List, Annotated
+from typing import List
 from uuid import UUID
 
-from fastapi import APIRouter, Body, Depends, HTTPException, Path, Query, status, Request
+from fastapi import (
+    APIRouter,
+    Body,
+    Depends,
+    HTTPException,
+    Path,
+    Query,
+    Request,
+    status,
+)
 from fastapi.responses import JSONResponse
 from fastapi_pagination import Page
 from fastapi_pagination import Params as PaginationParams
@@ -31,6 +40,7 @@
     IProjectRead,
     IRasterProjectRead,
     ITableProjectRead,
+    ProjectPublicRead,
 )
 from src.schemas.project import (
     request_examples as project_request_examples,
@@ -549,7 +559,7 @@ async def get_statistic_aggregation(
     expression: str | None = Query(
         None,
         description="The QGIS expression to use for the statistic operation",
-        example="sum(\"population\")",
+        example='sum("population")',
     ),
     size: int = Query(
         100, description="The number of grouped values to return", example=5
@@ -570,14 +580,16 @@ async def get_statistic_aggregation(
     # Check authorization status
     try:
         await auth_z_lite(request, async_session)
-    except HTTPException as e:
+    except HTTPException:
         # Check publication status if unauthorized
         public_project = await crud_project.get_public_project(
             async_session=async_session,
             project_id=str(project_id),
         )
         if not public_project:
-            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized")
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized"
+            )
 
     # Ensure an operation or expression is specified
     if operation is None and expression is None:
@@ -587,12 +599,16 @@ async def get_statistic_aggregation(
         )
 
     # Ensure a column name is specified for all operations except count
-    if operation and operation != ColumnStatisticsOperation.count and column_name is None:
+    if (
+        operation
+        and operation != ColumnStatisticsOperation.count
+        and column_name is None
+    ):
         raise HTTPException(
             status_code=status.HTTP_400_BAD_REQUEST,
             detail="A column name must be specified for all operations except count.",
         )
-    
+
     # If an operation is specified, a group-by column name must also be specified
     if operation and group_by_column_name is None:
         raise HTTPException(
@@ -670,14 +686,16 @@ async def get_statistic_histogram(
     # Check authorization status
     try:
         await auth_z_lite(request, async_session)
-    except HTTPException as e:
+    except HTTPException:
         # Check publication status if unauthorized
         public_project = await crud_project.get_public_project(
             async_session=async_session,
             project_id=str(project_id),
         )
         if not public_project:
-            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized")
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized"
+            )
 
     # Ensure the number of bins is not excessively large
     if num_bins > 100:
@@ -979,6 +997,8 @@ async def delete_scenario_features(
 @router.get(
     "/{project_id}/public",
     summary="Get public project",
+    response_model=ProjectPublicRead | None,
+    response_model_exclude_none=True,
 )
 async def get_public_project(
     project_id: str,
@@ -997,7 +1017,7 @@ async def get_public_project(
 @router.post(
     "/{project_id}/publish",
     summary="Publish a project",
-    # dependencies=[Depends(auth_z)],
+    dependencies=[Depends(auth_z)],
 )
 async def publish_project(
     project_id: str,
@@ -1016,7 +1036,7 @@ async def publish_project(
 @router.delete(
     "/{project_id}/unpublish",
     summary="Unpublish a project",
-    # dependencies=[Depends(auth_z)],
+    dependencies=[Depends(auth_z)],
 )
 async def unpublish_project(
     project_id: str,

src/schemas/project.py

@@ -247,7 +247,7 @@ class ProjectPublicProjectConfig(BaseModel):
     id: UUID = Field(..., description="Project ID")
     name: str = Field(..., description="Project name")
     description: str | None = Field(..., description="Project description")
-    tags: List[str] | None = Field(..., description="Project tags")
+    tags: List[str] | None = Field(None, description="Project tags")
     thumbnail_url: HttpUrl | None = Field(None, description="Project thumbnail URL")
     initial_view_state: InitialViewState = Field(
         ..., description="Initial view state of the project"