Merge pull request #1790 from dandi/1788-embargoed-dandiset-list

Return 401 on unauthenticated embargo dandiset list
dandi · Jan 3, 2024 · 73d1139 · 73d1139
2 parents 65eca4a + bc5ae46
commit 73d1139
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 3 deletions.
diff --git a/dandiapi/api/services/dandiset/exceptions.py b/dandiapi/api/services/dandiset/exceptions.py
@@ -5,3 +5,10 @@
 
 class DandisetAlreadyExistsError(DandiError):
     http_status_code = status.HTTP_400_BAD_REQUEST
+
+
+class UnauthorizedEmbargoAccess(DandiError):
+    http_status_code = status.HTTP_401_UNAUTHORIZED
+    message = (
+        'Authentication credentials must be provided when attempting to access embargoed dandisets'
+    )
diff --git a/dandiapi/api/tests/test_dandiset.py b/dandiapi/api/tests/test_dandiset.py
@@ -63,7 +63,8 @@ def test_dandiset_manager_visible_to(
 
 
 @pytest.mark.django_db()
-def test_dandiset_rest_list(api_client, dandiset):
+def test_dandiset_rest_list(api_client, user, dandiset):
+    # Test un-authenticated request
     assert api_client.get('/api/dandisets/', {'draft': 'true', 'empty': 'true'}).json() == {
         'count': 1,
         'next': None,
@@ -81,6 +82,15 @@ def test_dandiset_rest_list(api_client, dandiset):
         ],
     }
 
+    # Test request for embargoed dandisets while still un-authenticated
+    r = api_client.get('/api/dandisets/', {'draft': 'true', 'empty': 'true', 'embargoed': 'true'})
+    assert r.status_code == 401
+
+    # Test request for embargoed dandisets after authenticated
+    api_client.force_authenticate(user=user)
+    r = api_client.get('/api/dandisets/', {'draft': 'true', 'empty': 'true', 'embargoed': 'true'})
+    assert r.status_code == 200
+
 
 @pytest.mark.parametrize(
     ('params', 'results'),
@@ -303,7 +313,10 @@ def test_dandiset_rest_embargo_access(
         api_client.get(f'/api/dandisets/{dandiset.identifier}/').json()
         == expected_dandiset_serialization
     )
-    assert api_client.get('/api/dandisets/').json() == expected_visible_pagination
+    assert (
+        api_client.get('/api/dandisets/', {'embargoed': 'true'}).json()
+        == expected_visible_pagination
+    )
 
 
 @pytest.mark.django_db()

diff --git a/dandiapi/api/views/dandiset.py b/dandiapi/api/views/dandiset.py
@@ -22,6 +22,7 @@
 from dandiapi.api.mail import send_ownership_change_emails
 from dandiapi.api.models import Dandiset, Version
 from dandiapi.api.services.dandiset import create_dandiset, delete_dandiset
+from dandiapi.api.services.dandiset.exceptions import UnauthorizedEmbargoAccess
 from dandiapi.api.services.embargo import unembargo_dandiset
 from dandiapi.api.views.common import DANDISET_PK_PARAM, DandiPagination
 from dandiapi.api.views.serializers import (
@@ -119,6 +120,10 @@ def get_queryset(self):
             show_empty: bool = query_serializer.validated_data['empty']
             show_embargoed: bool = query_serializer.validated_data['embargoed']
 
+            # Return early if attempting to access embargoed data without authentication
+            if show_embargoed and not self.request.user.is_authenticated:
+                raise UnauthorizedEmbargoAccess()
+
             if not show_draft:
                 # Only include dandisets that have more than one version, i.e. published dandisets.
                 queryset = queryset.annotate(version_count=Count('versions')).filter(

diff --git a/dandiapi/api/views/serializers.py b/dandiapi/api/views/serializers.py
@@ -173,7 +173,7 @@ class Meta(DandisetSerializer.Meta):
 class DandisetQueryParameterSerializer(serializers.Serializer):
     draft = serializers.BooleanField(default=True)
     empty = serializers.BooleanField(default=True)
-    embargoed = serializers.BooleanField(default=True)
+    embargoed = serializers.BooleanField(default=False)
     user = serializers.CharField(required=False)