From 32680e3a0ef00d26241f106686c74c75058b3c4e Mon Sep 17 00:00:00 2001
From: mauzey1
Date: Tue, 17 Nov 2020 11:49:10 -0800
Subject: [PATCH] Use the allowed list of projects if none are passed to the API, and only allow projects with the exact case as those in the allowed list.
---
 esgf_wget/views.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/esgf_wget/views.py b/esgf_wget/views.py
index a1d3bcf..38b399b 100644
--- a/esgf_wget/views.py
+++ b/esgf_wget/views.py
@@ -209,13 +209,13 @@ def generate_wget_script(request):
 '{project}, is not allowed to be accessed by this site. ' \
 'Please redo your query with unrestricted data only, ' \
 'and request {project} data from another site.'
- projects_lower = [x.lower() for x in allowed_projects]
 # Check project parameter
 if param in [FIELD_PROJECT]:
 for v in split_value_list:
- if v.lower() not in projects_lower:
+ if v not in allowed_projects:
 return HttpResponseBadRequest(msg.format(project=v))
 # Check ID parameters
+ projects_lower = [x.lower() for x in allowed_projects]
 if param in ID_FIELDS:
 for v in split_value_list:
 p = v.split('.')[0]
@@ -228,6 +228,15 @@ def generate_wget_script(request):
 fq = '{}:({})'.format(param, ' || '.join(split_value_list))
 file_query.append(fq)
+ # If the projects were not passed and the allowed projects list exists,
+ # then use the allowed projects as the project query
+ if not url_params.get(FIELD_PROJECT) and allowed_projects:
+ if len(allowed_projects) == 1:
+ fq = '{}:{}'.format(FIELD_PROJECT, allowed_projects[0])
+ else:
+ fq = '{}:({})'.format(FIELD_PROJECT, ' || '.join(allowed_projects))
+ file_query.append(fq)
+
 # Get facets for the file name, URL, checksum
 file_attribute_set = set(['title', 'url', 'checksum_type', 'checksum'])
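Review bot: The project facet is now matched exact-case against `allowed_projects`, but the ID check directly below keeps a lowercased list (`projects_lower`), so the two paths enforce the allow-list under different rules and nothing in the code says why. If the difference is deliberate, record it above the moved line, e.g. `# ID prefixes are compared case-insensitively; the project facet above is exact-case`; if it is not, compare `p` against `allowed_projects` as well. `projects_lower` is also rebuilt for every parameter, so it would sit better inside `if param in ID_FIELDS:`. The comparison in the ID check lies outside the hunk, so how `projects_lower` is used there is inferred from where the line was moved.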
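Review bot: The allow-list filter in the second hunk is appended only when the request carries no `project` value, so for every other request the restriction rests entirely on the per-parameter validation earlier in `generate_wget_script`. Assuming the entries in `file_query` are intersected as filter queries, dropping the first condition (`if allowed_projects:`) would apply the allow-list to every query, and a request that names an allowed project would return the same results. The configured names are also formatted into the clause unquoted, so a name containing whitespace or query-syntax characters would change how the clause parses; quoting each entry avoids that. The function starts and ends outside this hunk, so how `url_params` is built and how `file_query` is consumed cannot be confirmed from here.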