feat: Attempt to add a /reset endpoint (and fix job_access)

xchem · Jan 22, 2025 · 669ac5d · 669ac5d
1 parent 7a61fb6
commit 669ac5d
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 7 deletions.
diff --git a/api/urls.py b/api/urls.py
@@ -1,3 +1,4 @@
+from django.conf import settings
 from django.conf.urls import include
 from django.urls import path
 from rest_framework.authtoken import views as drf_views
@@ -130,9 +131,6 @@
     basename='computedset_download',
 )
 
-# The 'dangerous' Database 'reset' endpoint
-router.register("reset", viewer_views.ResetView, basename='reset')
-
 # Squonk Jobs
 router.register(
     "job_file_transfer", viewer_views.JobFileTransferView, basename='job_file_transfer'
@@ -162,3 +160,8 @@ def schema_view(request):
     path("swagger/", schema_view),
     path('token/', viewer_views.TokenView.as_view(), name="token_view"),
 ]
+
+# The _dangerous_ database and media 'reset' endpoint.
+# Available only when the deployment is NOT 'PRODUCTION'
+if settings.DEPLOYMENT_MODE != "PRODUCTION":
+    urlpatterns += [path("reset/", viewer_views.ResetView.as_view(), name='reset')]
diff --git a/viewer/views.py b/viewer/views.py
@@ -1904,7 +1904,7 @@ def get_serializer_class(self):
     def create(self, request):
         """Method to handle POST request"""
         logger.info('+ JobFileTransferView.post')
-        # Only authenticated users can transfer files to sqonk
+        # Only authenticated users can transfer files to squonk
         user = self.request.user
         if not user.is_authenticated:
             content: Dict[str, Any] = {
@@ -2541,7 +2541,7 @@ class JobAccessView(viewsets.ReadOnlyModelViewSet):
     the Job 'owner', who always has access.
     """
 
-    def list(self, request):
+    def retrieve(self, request):
         """Method to handle GET request"""
         query_params = request.query_params
         logger.info('+ JobAccessView/GET %s', json.dumps(query_params))
@@ -2649,14 +2649,23 @@ def list(self, request):
 
 
 class ResetView(viewsets.ModelViewSet):
-    """Resets the database. Available only on developer stacks."""
+    """Resets the database. Typically only available as a URL when the
+    stack deployment mode is _NOT_ 'PRODUCTION'. Additionally, it is only
+    available to the Django superuser, or anyone with"""
 
     def create(self, request):
         """Method to handle POST request (reset)"""
         del request
         logger.info('+ ResetView.post')
 
-        return Response("", status=status.HTTP_204_NO_CONTENT)
+        user = self.request.user
+        if not user.is_authenticated or not user.is_staff:
+            content: Dict[str, Any] = {
+                'error': 'Only STAFF (Admin) users can use this endpoint'
+            }
+            return Response(content, status=status.HTTP_403_FORBIDDEN)
+
+        return Response(status=status.HTTP_205_RESET_CONTENT)
 
 
 class ServiceStateView(View):