bento-platform · v-rocheleau · Apr 1, 2025 · Apr 1, 2025 · Apr 3, 2025 · Apr 4, 2025
diff --git a/chord_metadata_service/chord/api_views.py b/chord_metadata_service/chord/api_views.py
@@ -9,6 +9,8 @@
     P_CREATE_DATASET,
     P_EDIT_DATASET,
     P_DELETE_DATASET,
+    P_VIEW_PROJECTS,
+    P_VIEW_DATASETS,
 )
 from bento_lib.auth.resources import RESOURCE_EVERYTHING, build_resource
 from bento_lib.responses import errors
@@ -25,6 +27,7 @@
 from chord_metadata_service.authz.middleware import authz_middleware as authz
 from chord_metadata_service.authz.permissions import BentoAllowAnyReadOnly, BentoDeferToHandler
 from chord_metadata_service.cleanup.run_all import run_all_cleanup
+from chord_metadata_service.metadata.settings import KATSU_DATASETS_LIST_AUTHZ, KATSU_PROJECTS_LIST_AUTHZ
 from chord_metadata_service.resources.serializers import ResourceSerializer
 from chord_metadata_service.restapi.api_renderers import PhenopacketsRenderer, JSONLDDatasetRenderer, RDFDatasetRenderer
 from chord_metadata_service.restapi.pagination import LargeResultsSetPagination
@@ -76,7 +79,7 @@ class ProjectViewSet(CHORDPublicModelViewSet):
     Create a new project
     """
 
-    queryset = Project.objects.all().order_by("identifier")
+    queryset = Project.objects.all().order_by("title")
     serializer_class = ProjectSerializer
 
     @async_to_sync
@@ -117,6 +120,15 @@ async def destroy(self, request, *args, **kwargs):
         authz.mark_authz_done(request)
         return await sync_to_async(super().destroy)(request, *args, **kwargs)
 
+    @async_to_sync
+    async def list(self, request, *args, **kwargs):
+        if KATSU_PROJECTS_LIST_AUTHZ and not (
+            await authz.async_evaluate_one(request, RESOURCE_EVERYTHING, P_VIEW_PROJECTS)
+        ):
+            return forbidden(request)
+        authz.mark_authz_done(request)
+        return await sync_to_async(super().list)(request, *args, **kwargs)
+
 
 class DatasetViewSet(CHORDPublicModelViewSet):
     """
@@ -164,10 +176,15 @@ def resources(self, request, *_args, **_kwargs):
         authz.mark_authz_done(request)
         return Response(ResourceSerializer(dataset.resources.all(), many=True).data)
 
-    def list(self, request, *args, **kwargs):
-        # For now, we don't have a view:dataset type permission - we can always view
+    @async_to_sync
+    async def list(self, request, *args, **kwargs):
+
+        if KATSU_DATASETS_LIST_AUTHZ and not (
+            await authz.async_evaluate_one(request, RESOURCE_EVERYTHING, P_VIEW_DATASETS, require_token=True)
+        ):
+            return forbidden(request)
         authz.mark_authz_done(request)
-        return super().list(request, *args, **kwargs)
+        return await sync_to_async(super().list)(request, *args, **kwargs)
 
     @async_to_sync
     async def destroy(self, request, *args, **kwargs):

diff --git a/chord_metadata_service/discovery/api_views.py b/chord_metadata_service/discovery/api_views.py
@@ -2,6 +2,8 @@
 
 from adrf.decorators import api_view
 from bento_lib.responses import errors
+from bento_lib.auth.permissions import P_VIEW_PROJECTS
+from django.conf import settings
 from drf_spectacular.utils import extend_schema, inline_serializer
 from functools import partial
 from operator import is_not
@@ -11,8 +13,10 @@
 from rest_framework.response import Response
 from typing import Type
 
-from chord_metadata_service.authz.permissions import BentoAllowAny
+from chord_metadata_service.authz.middleware import authz_middleware as authz
+from chord_metadata_service.authz.permissions import BentoAllowAny, BentoDeferToHandler
 from chord_metadata_service.chord import data_types as dts
+from chord_metadata_service.chord.api_views import forbidden
 from chord_metadata_service.logger import logger
 
 from . import responses as dres
@@ -112,7 +116,7 @@ async def _get_section_response(section) -> dict | None:
     }
 )
 @api_view(["GET"])
-@permission_classes([BentoAllowAny])
+@permission_classes([BentoDeferToHandler])
 async def public_overview(request: DrfRequest):
     """
     get:
@@ -126,6 +130,12 @@ async def public_overview(request: DrfRequest):
 
     discovery = discovery_scope.discovery
 
+    if settings.KATSU_PROJECTS_LIST_AUTHZ and not (
+        await authz.async_evaluate_one(request, discovery_scope.as_authz_resource(), P_VIEW_PROJECTS)
+    ):
+        return forbidden(request)
+    authz.mark_authz_done(request)
+
     if not discovery:
         return Response(dres.NO_PUBLIC_DATA_AVAILABLE, status=status.HTTP_404_NOT_FOUND)
 

diff --git a/chord_metadata_service/discovery/schemas.py b/chord_metadata_service/discovery/schemas.py
@@ -56,7 +56,7 @@
     "type": "object",
     "properties": {
         "field": base_type(SchemaTypes.STRING),
-        "chart_type": enum_of(["bar", "pie"])
+        "chart_type": enum_of(["bar", "pie", "histogram"])
     },
     "additionalProperties": False
 }

diff --git a/chord_metadata_service/metadata/settings.py b/chord_metadata_service/metadata/settings.py
@@ -59,6 +59,12 @@
 BENTO_AUTHZ_SERVICE_URL: str = (
     os.environ.get("BENTO_AUTHZ_SERVICE_URL", "http://authz.local").strip().rstrip("/") if BENTO_AUTHZ_ENABLED else ""
 )
+
+# Users querying /projects must have P_VIEW_PROJECTS at the node level
+KATSU_PROJECTS_LIST_AUTHZ: bool = os.environ.get("KATSU_PROJECTS_LIST_AUTHZ", "false").strip().lower() == "true"
+# Users querying /datasets must have P_VIEW_DATASETS at the node level
+KATSU_DATASETS_LIST_AUTHZ: bool = os.environ.get("KATSU_DATASETS_LIST_AUTHZ", "false").strip().lower() == "true"
+
 if len(sys.argv) > 1 and sys.argv[1] == "test":
     # Override BENTO_AUTHZ_SERVICE_URL for testing purposes inside container - this is a bit hacky
     BENTO_AUTHZ_SERVICE_URL = "http://authz.local"