Preference authorization processor (#8915)

* Add processor for preference authorization * Require authorization for `json` and `yml` prefs
internetarchive · Apr 4, 2024 · e52cda7 · e52cda7
1 parent e8be8d9
commit e52cda7
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/openlibrary/plugins/openlibrary/code.py b/openlibrary/plugins/openlibrary/code.py
@@ -46,6 +46,7 @@
 delegate.app.add_processor(processors.ReadableUrlProcessor())
 delegate.app.add_processor(processors.ProfileProcessor())
 delegate.app.add_processor(processors.CORSProcessor(cors_prefixes={'/api/'}))
+delegate.app.add_processor(processors.PreferenceProcessor())
 
 try:
     from infogami.plugins.api import code as api

diff --git a/openlibrary/plugins/openlibrary/processors.py b/openlibrary/plugins/openlibrary/processors.py
@@ -1,8 +1,10 @@
 """web.py application processors for Open Library.
 """
 
+import re
 import web
 
+from openlibrary.accounts import get_current_user
 from openlibrary.core.processors import ReadableUrlProcessor
 
 from openlibrary.core import helpers as h
@@ -86,6 +88,27 @@ def add_cors_headers(self):
         web.header("Access-Control-Max-Age", 3600 * 24)  # one day
 
 
+class PreferenceProcessor:
+    """Processor to handle unauthorized patron preferece reads"""
+
+    def __init__(self):
+        self.pref_pattern = re.compile(r'^\/people\/([^/]+)\/preferences(.json|.yml)?$')
+
+    def __call__(self, handler):
+        if self.pref_pattern.match(web.ctx.path):
+            user = get_current_user()
+            if not user:
+                # Must be logged in to see preferences
+                raise web.Unauthorized()
+
+            username = web.ctx.path.split('/')[2]
+            if username != user.get_username() and not user.is_admin():
+                # Can only view preferences if page owner or admin
+                raise web.Forbidden()
+
+        return handler()
+
+
 if __name__ == "__main__":
     import doctest