Merge pull request #1359 from EsupPortail/dev_v4

[RELEASE] 4.0.2

Author: Badatos

.github/pull_request_template.md

@@ -2,4 +2,4 @@
 
 * [ ] You have read our [contribution guidelines](https://github.com/EsupPortail/Esup-Pod/blob/master/CONTRIBUTING.md).
 * [ ] Your PR targets the `dev_v4` branch.
-* [ ] Your PR status is in `draft` if it's still a work in progress.
+* [ ] Your PR status is in `draft` if it’s still a work in progress.

.github/workflows/code_formatting.yml

@@ -3,7 +3,7 @@ name: Code Formatting
 
 on:
   push:
-    branches: [master, develop, main, pod_V4]
+    branches: [master, develop, main, dev_v4]
   workflow_dispatch:
 
 jobs:

.gitignore

@@ -90,3 +90,6 @@ v8-compile-cache-0
 pod/db_migrations
 tmp/
 pod/.yarn
+
+# Ignore vscode AI rules
+.github/instructions/codacy.instructions.md

CONFIGURATION_FR.md

@@ -801,6 +801,11 @@ Mettre `USE_AI_ENHANCEMENT` à True pour activer cette application.<br>
   >> Les personnes ayant pour affiliation les valeurs<br>
   >> renseignées dans cette variable ont automatiquement<br>
   >> la valeur staff de leur compte à True.<br>
+* `ALLOWED_SUPERUSER_IPS`
+  > valeur par défaut : `[]`
+  >> Liste d’IP et/ou de plages depuis lesquelles le statut 'superuser'<br>
+  >> est autorisé.<br>
+  >> Laissez vide pour autoriser toutes les sources.<br>
 * `AUTH_CAS_USER_SEARCH`
   > valeur par défaut : `user`
   >> Variable utilisée pour trouver les informations de l’individu<br>
@@ -1245,7 +1250,7 @@ Mettre `USE_IMPORT_VIDEO` à True pour activer cette application.<br>
   > valeur par défaut : `False`
   >> Mode webtv permet de basculer POD en une application webtv ensupprimant les boutons de connexions par exemple<br>
 * `SOCIAL_SHARE`
-  > valeur par défaut : `['X', 'FACEBOOK', 'LINKEDIN', 'BLUESKY']`
+  > valeur par défaut : `['X', 'FACEBOOK', 'LINKEDIN', 'BLUESKY', 'MASTODON']`
   >> Choix d'affichage des liens de partage des réseaux sociaux<br>
 
 ### Configuration de l’application meeting

Makefile

@@ -79,6 +79,7 @@ tests:
 
 # Ensure coherence of all code style
 pystyle:
+	black . -l 90
 	flake8
 
 # Collects all static files inside all apps and put a copy inside the static directory declared in settings.py
@@ -92,6 +93,10 @@ createconfigs:
 	python3 -Wd manage.py createconfiguration fr
 	python3 -Wd manage.py createconfiguration en
 
+# Create a superuser
+createsuperuser:
+	python3 manage.py createsuperuser
+
 # -- Docker
 # Use for docker run and docker exec commands
 -include .env.dev

pod/authentication/IPRestrictionMiddleware.py

@@ -0,0 +1,62 @@
+"""
+Esup-Pod IP Restriction middleware.
+
+Ensure that only allowed IPs can access superuser privileges.
+"""
+
+import ipaddress
+from django.utils.translation import gettext_lazy as _
+
+
+def ip_in_allowed_range(ip) -> bool:
+    """Make sure the IP is one of the authorized ones."""
+    from django.conf import settings
+
+    ALLOWED_SUPERUSER_IPS = getattr(settings, "ALLOWED_SUPERUSER_IPS", [])
+
+    try:
+        ip_obj = ipaddress.ip_address(ip)
+    except ValueError:
+        return False
+
+    if not ALLOWED_SUPERUSER_IPS:
+        # Allow every clients
+        return True
+
+    for allowed in ALLOWED_SUPERUSER_IPS:
+        try:
+            if is_allowed(ip_obj, allowed):
+                return True
+        except ValueError:
+            continue
+    return False
+
+
+def is_allowed(ip_obj, allowed):
+    """Check if ip object is included in allowed list."""
+    if "/" in allowed:
+        net = ipaddress.ip_network(allowed, strict=False)
+        if ip_obj in net:
+            return True
+    else:
+        if ip_obj == ipaddress.ip_address(allowed):
+            return True
+    return False
+
+
+class IPRestrictionMiddleware:
+    def __init__(self, get_response) -> None:
+        self.get_response = get_response
+
+    def __call__(self, request):
+        ip = request.META.get("REMOTE_ADDR")
+        user = request.user
+
+        if user.is_authenticated and user.is_superuser:
+            if not ip_in_allowed_range(ip):
+                user.is_superuser = False
+                user.last_name = _(
+                    "%(last_name)s (Restricted - IP %(ip)s not allowed)"
+                ) % {"last_name": user.last_name, "ip": ip}
+
+        return self.get_response(request)

pod/authentication/tests/test_IPRestrictionMiddleware.py

@@ -0,0 +1,108 @@
+"""
+Esup-Pod IP Restriction Middleware test cases.
+
+Run tests with:
+    python manage.py test pod.authentication.tests.test_IPRestrictionMiddleware
+"""
+
+from django.contrib.auth.models import User
+from django.test import TestCase, override_settings
+from django.test.client import RequestFactory
+from unittest import mock
+
+
+def check_ip_in_allowed_range(ip, allowed, expected) -> None:
+    """Helper function to test if a given IP is within allowed ranges."""
+    with mock.patch("django.conf.settings") as settings:
+        from pod.authentication.IPRestrictionMiddleware import ip_in_allowed_range
+
+        settings.ALLOWED_SUPERUSER_IPS = allowed
+        assert ip_in_allowed_range(ip) is expected
+
+
+class IPRestrictionMiddlewareTestCase(TestCase):
+    """IP Restriction Middleware Test Case."""
+
+    def setUp(self) -> None:
+        """Tnitializes test users and request factory.."""
+
+        self.admin = User.objects.create(
+            first_name="pod",
+            last_name="Admin",
+            username="admin",
+            is_superuser=True,
+        )
+
+        self.simple_user = User.objects.create(
+            first_name="Pod",
+            last_name="User",
+            username="pod",
+        )
+
+        self.factory = RequestFactory()
+
+    def test_ip_in_allowed_ranges(self) -> None:
+        """Tests IP range matching logic."""
+        for params in [
+            ("192.168.1.10", ["192.168.1.0/24"], True),
+            ("192.168.1.10", ["10.0.0.0/8"], False),
+            ("10.0.0.1", ["10.0.0.1"], True),
+            ("invalid_ip", ["192.168.1.0/24"], False),
+            ("10.11.12.13", [], True),
+            ("10.11.12.13", [""], False),
+        ]:
+            check_ip_in_allowed_range(*params)
+
+    def test_simpleuser(self) -> None:
+        """Ensures regular users are not affected by IP restrictions."""
+        from pod.authentication.IPRestrictionMiddleware import IPRestrictionMiddleware
+
+        get_response = mock.MagicMock()
+        middleware = IPRestrictionMiddleware(get_response)
+
+        request = self.factory.get("/")
+        request.user = self.simple_user
+        response = middleware(request)
+
+        # ensure get_response has been returned
+        self.assertEqual(get_response.return_value, response)
+        self.assertFalse(request.user.is_superuser)
+        self.assertEqual(request.user.last_name, self.simple_user.last_name)
+
+    @override_settings(
+        ALLOWED_SUPERUSER_IPS=["127.0.0.1/24"],
+    )
+    def test_superuser_ip_allowed(self) -> None:
+        """Verifies superuser access when IP is allowed."""
+        from pod.authentication.IPRestrictionMiddleware import IPRestrictionMiddleware
+
+        get_response = mock.MagicMock()
+        middleware = IPRestrictionMiddleware(get_response)
+
+        request = self.factory.get("/")
+        request.user = self.admin
+        self.assertTrue(request.user.is_superuser)
+        response = middleware(request)
+
+        # ensure get_response has been returned
+        self.assertEqual(get_response.return_value, response)
+        self.assertTrue(request.user.is_superuser)
+        self.assertEqual(request.user.last_name, self.admin.last_name)
+
+    @override_settings(
+        ALLOWED_SUPERUSER_IPS=["10.0.0.0/8"],
+    )
+    def test_superuser_ip_not_allowed(self) -> None:
+        """Verifies superuser access is revoked when IP is not allowed."""
+        from pod.authentication.IPRestrictionMiddleware import IPRestrictionMiddleware
+
+        get_response = mock.MagicMock()
+        middleware = IPRestrictionMiddleware(get_response)
+
+        request = self.factory.get("/")
+        request.user = self.admin
+        self.assertTrue(request.user.is_superuser)
+
+        middleware(request)
+        self.assertFalse(request.user.is_superuser)
+        self.assertTrue("127.0.0.1" in request.user.last_name)

pod/authentication/tests/test_models.py

@@ -1,4 +1,8 @@
-"""Esup-Pod authentication models test cases."""
+"""
+Esup-Pod authentication models test cases.
+
+Test with `python manage.py test pod.authentication.tests.test_models`
+"""
 
 from django.test import TestCase
 from pod.authentication.models import Owner, AccessGroup

pod/chapter/views.py

@@ -18,8 +18,6 @@
 from pod.main.utils import is_ajax
 import json
 
-__AVAILABLE_ACTIONS__ = ["new", "save", "modify", "delete", "cancel", "import", "export"]
-
 
 @csrf_protect
 @login_required(redirect_field_name="referrer")
@@ -39,20 +37,25 @@ def video_chapter(request, slug):
 
     list_chapter = video.chapter_set.all()
 
-    if request.method == "POST":
-        if (
-            request.POST.get("action")
-            and request.POST.get("action") in __AVAILABLE_ACTIONS__
-        ):
-            return eval(
-                "video_chapter_{0}(request, video)".format(request.POST.get("action"))
-            )
-    else:
-        return render(
-            request,
-            "video_chapter.html",
-            {"video": video, "list_chapter": list_chapter},
-        )
+    if request.method == "POST" and request.POST.get("action"):
+        action = request.POST["action"]
+        ACTION_HANDLERS = {
+            "new": video_chapter_new,
+            "save": video_chapter_save,
+            "modify": video_chapter_modify,
+            "delete": video_chapter_delete,
+            "cancel": video_chapter_cancel,
+            "import": video_chapter_import,
+        }
+        if action in ACTION_HANDLERS:
+            handler = ACTION_HANDLERS.get(action)
+            if handler:
+                return handler(request, video)
+    return render(
+        request,
+        "video_chapter.html",
+        {"video": video, "list_chapter": list_chapter},
+    )
 
 
 def video_chapter_new(request, video):

pod/completion/static/css/completion.css

@@ -54,7 +54,6 @@ table#list-contributor thead th.contributor-name {
 .grid-list-track .thead-title {
   margin: 0;
   padding-right: 20px;
-  color: var(--pod-primary);
   word-wrap: break-word;
   font-weight: 600;
 }