use middleware

Amsterdam · Feb 11, 2025 · a712390 · a712390
1 parent e4ee5aa
commit a712390
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 22 deletions.
diff --git a/app/apps/cases/middleware.py b/app/apps/cases/middleware.py
@@ -0,0 +1,30 @@
+import re
+
+from django.http import JsonResponse
+from django.shortcuts import get_object_or_404
+from rest_framework import status
+
+from .models import Case
+
+
+class SensitiveCaseMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        response = self.get_response(request)
+        if request.path.startswith("/api/v1/cases/"):
+            match = re.match(r"^/api/v1/cases/(\d+)/", request.path)
+            if match:
+                case_id = match.group(1)
+                case = get_object_or_404(Case, pk=case_id)
+                if (
+                    case.sensitive
+                    and request.user.is_authenticated
+                    and not request.user.has_perm("users.access_sensitive_dossiers")
+                ):
+                    return JsonResponse(
+                        {"detail": "Forbidden"}, status=status.HTTP_403_FORBIDDEN
+                    )
+
+        return response
diff --git a/app/apps/events/mixins.py b/app/apps/events/mixins.py
@@ -14,10 +14,10 @@ class CaseEventsMixin:
     def events(self, request, pk):
         try:
             case = Case.objects.get(pk=pk)
-            if case.sensitive and not request.user.has_perm(
-                "users.access_sensitive_dossiers"
-            ):
-                return Response(status=status.HTTP_403_FORBIDDEN)
+            # if case.sensitive and not request.user.has_perm(
+            #     "users.access_sensitive_dossiers"
+            # ):
+            #     return Response(status=status.HTTP_403_FORBIDDEN)
         except Case.DoesNotExist:
             return Response(status=status.HTTP_404_NOT_FOUND)
 

diff --git a/app/apps/workflow/views.py b/app/apps/workflow/views.py
@@ -494,6 +494,12 @@ def complete_task(self, request):
             task = CaseUserTask.objects.get(
                 id=data["case_user_task_id"], completed=False
             )
+
+            if task.case.sensitive and not request.user.has_perm(
+                "users.access_sensitive_dossiers"
+            ):
+                return Response(status=status.HTTP_403_FORBIDDEN)
+
             from .user_tasks import get_task_by_name
 
             user_task_type = get_task_by_name(task.task_name)

diff --git a/app/config/settings.py b/app/config/settings.py
@@ -104,7 +104,22 @@
         "OPTIONS": {"sslmode": "allow", "connect_timeout": 5},
     },
 }
-
+REST_FRAMEWORK = {
+    "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.LimitOffsetPagination",
+    "DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",
+    "PAGE_SIZE": 500,
+    "DATETIME_FORMAT": "%Y-%m-%dT%H:%M:%S%z",
+    "DEFAULT_RENDERER_CLASSES": (
+        "rest_framework.renderers.JSONRenderer",
+        "rest_framework.renderers.BrowsableAPIRenderer",
+    ),
+    "DEFAULT_PERMISSION_CLASSES": ("apps.users.permissions.IsInAuthorizedRealm",),
+    "DEFAULT_AUTHENTICATION_CLASSES": (
+        "apps.users.auth.AuthenticationClass",
+        "rest_framework.authentication.TokenAuthentication",
+    ),
+    "EXCEPTION_HANDLER": "utils.exceptions.custom_exception_handler",
+}
 MIDDLEWARE = (
     "opencensus.ext.django.middleware.OpencensusMiddleware",
     "corsheaders.middleware.CorsMiddleware",
@@ -119,6 +134,7 @@
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     "axes.middleware.AxesMiddleware",
+    "apps.cases.middleware.SensitiveCaseMiddleware",
 )
 
 STATIC_URL = "/static/"
@@ -150,22 +166,6 @@
     },
 ]
 
-REST_FRAMEWORK = {
-    "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.LimitOffsetPagination",
-    "DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",
-    "PAGE_SIZE": 500,
-    "DATETIME_FORMAT": "%Y-%m-%dT%H:%M:%S%z",
-    "DEFAULT_RENDERER_CLASSES": (
-        "rest_framework.renderers.JSONRenderer",
-        "rest_framework.renderers.BrowsableAPIRenderer",
-    ),
-    "DEFAULT_PERMISSION_CLASSES": ("apps.users.permissions.IsInAuthorizedRealm",),
-    "DEFAULT_AUTHENTICATION_CLASSES": (
-        "apps.users.auth.AuthenticationClass",
-        "rest_framework.authentication.TokenAuthentication",
-    ),
-    "EXCEPTION_HANDLER": "utils.exceptions.custom_exception_handler",
-}
 
 SPECTACULAR_SETTINGS = {
     "SCHEMA_PATH_PREFIX": "/api/v[0-9]/",
@@ -301,7 +301,7 @@ def filter_traces(envelope):
 LOCAL_DEVELOPMENT_AUTHENTICATION = (
     os.getenv("LOCAL_DEVELOPMENT_AUTHENTICATION", False) == "True"
 )
-
+LOCAL_DEVELOPMENT_AUTHENTICATION = False
 DATA_UPLOAD_MAX_MEMORY_SIZE = 5242880
 DATA_UPLOAD_MAX_NUMBER_FIELDS = 6000