
URL Menu configuration

Dave Lawrence edited this page Oct 12, 2020 · 1 revision

Background

It is useful to be able to disable or hide certain URLs for different deployments. For instance, Shariant is about sharing and classifying variants, so we wish to disable unneeded URLs such as those for upload or analysis.

It is not enough just to hide the links to a URL; it is better to disable access to it completely. This produces a smaller area to test, and a smaller target for attackers.

Settings

VariantGrid uses settings to disable URLs at the app level or at the URL name level.

By default, all apps and URLs are visible.

To use these, create a settings file for your deployment, then update them, e.g.:

# Completely hide all URLs from these apps
URLS_APP_REGISTER.update({"analysis": False,
                          "pathtests": False,
                          "pedigree": False,
                          "seqauto": False,
                          "upload": False})

# Disable selected URLs
URLS_NAME_REGISTER.update({"data": False,
                           "upload": False})

Whitelists and blacklists

When configuring these settings, you may want to make a whitelist (everything disabled by default, URLs have to be explicitly allowed through) or a blacklist (everything enabled by default, only the listed URLs are blocked).

Each app/URL is looked up as a key in the settings dictionary, so you can make it either a whitelist or a blacklist by using a defaultdict whose default is False (whitelist) or True (blacklist).

URLs

Instead of path and re_path, use perm_path and re_perm_path:

    perm_path('classifications', views.classifications, name='classifications'),
    re_perm_path(r'api/classifications/dbsnp/(?P<dbsnp_string>rs[a-zA-Z0-9\-]+)', views_rest.VariantClassificationForDbSNPView.as_view()),

These look in the settings, and if the URL is not enabled (URLS_NAME_REGISTER[name] == False), they set the view for that URL route to defaults.permission_denied (urls.urlpatterns raises an error on None).
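The whitelist/blacklist registers and the view swap described above, as an added example that is not VariantGrid's own code. It runs without Django: `permission_denied` here is a stand-in that returns a status code, and `make_register`, `gated_view`, `build_routes` and the sample views are hypothetical names.

```python
from collections import defaultdict

def permission_denied(request):
    """Stand-in for Django's defaults.permission_denied (assumption: 403)."""
    return 403

def classifications(request):
    """Constructed sample view."""
    return 200

def upload(request):
    """Constructed sample view."""
    return 200

def make_register(default_visible, overrides):
    """default_visible=False gives a whitelist, True gives a blacklist."""
    register = defaultdict(lambda: default_visible)
    register.update(overrides)  # update() keeps the default factory
    return register

def gated_view(register, name, view):
    """Hypothetical helper: keep the view if the name is enabled, else deny.

    Index with [] so the defaultdict default applies. register.get(name, True)
    skips the default factory and would treat unlisted names as enabled.
    """
    return view if register[name] else permission_denied

def build_routes(register, routes):
    """Map each URL name to the view that would actually be served."""
    return {name: gated_view(register, name, view) for _route, view, name in routes}

# Constructed sample routes, using URL names that appear on this page.
ROUTES = [("classifications", classifications, "classifications"),
          ("upload", upload, "upload")]

WHITELIST = make_register(False, {"classifications": True})
BLACKLIST = make_register(True, {"upload": False})

if __name__ == "__main__":
    for label, register in (("whitelist", WHITELIST), ("blacklist", BLACKLIST)):
        for name, view in build_routes(register, ROUTES).items():
            print(label, name, view(None))
```

With a whitelist register, any lookup written with `.get(name, True)` fails open for names nobody listed, so check how the register is read before relying on a defaultdict default.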

Templates

The setting is automatically added to the context of all pages, so you can wrap tests around {% url %} tags in templates:

{% if url_name_visible.gene_lists %}
    <li id='gene-menu-link'><a href="{% url 'gene_lists' %}">Gene Lists</a></li>
{% endif %}

Note: URLs from apps that are disabled via URLS_APP_REGISTER will not be registered at all, so if you don't wrap the {% url %} tag in the above if test, you'll get a NoReverseMatch exception.
