Add force permission to bypass server policy

pietroborrello · pietroborrello · commit dfacaf8f1ad0 · 2022-01-10T17:49:45.000+01:00
diff --git a/README.md b/README.md
@@ -30,7 +30,8 @@ Authentication is handled via tokens defined in `tokens.json`. The file has the
         "search": true,
         "read": true,
         "write": true,
-        "delete": true
+        "delete": true,
+        "force":true
     },
     "token2": {
         "search": true,
@@ -47,6 +48,7 @@ The permissions are:
 * `read`: Get a bibliography entry based on an identifier
 * `write`: Add or modify bibliography entries
 * `delete`: Delete bibliography entries
+* `force`: Allow bibliography entries writes to bypass server policy
 
 ## Server
 The server runs inside a Docker container and works on a Git-versioned bibliography file outside the container. 
diff --git a/client.py b/client.py
@@ -145,6 +145,19 @@ def resolve_duplicate():
             return "i"
     return None
 
+def resolve_policy_reject():
+    print("Your options are")
+    print("  force entry write to the server (F)")
+    print("  ignore, do not apply any changes (I)")
+    print("  abort without changes (A)")
+    while True:
+        action = input("Your choice [f/I/a]: ").lower()
+        if action == "f" or action == "i" or action == "a":
+            return action
+        if not action or action == "":
+            return "i"
+    return None
+
 
 def update_local_bib(key, new_entry):
     for (idx, entry) in enumerate(bib_database.entries):
@@ -158,8 +171,12 @@ def update_remote_bib(key, new_entry):
     if "success" in response.json() and not response.json()["success"]:
         show_error(response.json())
 
-def add_remote_bib(key, entry):
-    response = requests.post(server + "entry/%s" % key, json = {"entry": entry, "token": token})
+def add_remote_bib(key, entry, force=False):
+    if force:
+        # do not rely on boolean encoding of `force`
+        response = requests.post(server + "entry/%s" % key, json = {"entry": entry, "token": token, "force": "true"})
+    else:
+        response = requests.post(server + "entry/%s" % key, json = {"entry": entry, "token": token})
     if "success" in response.json() and not response.json()["success"]:
         show_error(response.json())
 
@@ -270,7 +287,18 @@ def show_error(obj):
         response = requests.post(server + "update", json = {"entries": bib_database.entries, "token": token})
         result = response.json()
         if not result["success"]:
-            if result["reason"] == "duplicate":
+            if result["reason"] == "policy":
+                #print(result["entries"])
+                for entry in result["entries"]:
+                    print("\n[!] Server policy rejected entry %s. Reason: %s" % (entry["ID"], entry["reason"]))
+                    action = resolve_policy_reject()
+                    if action == "i":
+                        pass
+                    elif action == "a":
+                        sys.exit(1)
+                    elif action == "f":
+                        add_remote_bib(entry["ID"], entry_by_key(entry["ID"]), force=True)
+            elif result["reason"] == "duplicate":
                 #print(result["entries"])
                 for dup in result["entries"]:
                     print("\n[!] There is already a similar entry for %s on the server (%s) [Levenshtein %d]" % (dup[1], dup[2]["ID"], dup[0]))
diff --git a/server.py b/server.py
@@ -216,6 +216,11 @@ def add_entry(key):
     ok, reason = check_token(request.json["token"], "write")
     if not ok:
         return jsonify(reason)
+    # check if the client is forcing the server policy
+    if "force" in request.json:
+        ok, reason = check_token(request.json["token"], "force")
+        if not ok:
+            return jsonify(reason)
 
     if "ID" not in request.json["entry"]:
         request.json["entry"]["ID"] = key
@@ -224,7 +229,7 @@ def add_entry(key):
     if existing:
         return jsonify({"success": False, "reason": "exists", "entry": existing})
 
-    if policy:
+    if policy and "force" not in request.json:
         accept, reason = policy.check(request.json["entry"], bib_database.entries)
         if not accept:
             entry = request.json["entry"]
@@ -276,6 +281,11 @@ def add_entries():
     ok, reason = check_token(request.json["token"], "write")
     if not ok:
         return jsonify(reason)
+    # check if the client is forcing the server policy
+    if "force" in request.json:
+        ok, reason = check_token(request.json["token"], "force")
+        if not ok:
+            return jsonify(reason)
 
     dups = []
     changes = False
@@ -290,7 +300,7 @@ def add_entries():
         if len(dup) == 0:
             # new entry, add
             if not entry_by_key(entry["ID"]):
-                if policy:
+                if policy and "force" not in request.json:
                     accept, reason = policy.check(entry, bib_database.entries)
                     if not accept:
                         entry["reason"] = reason
