Agh gsr booking (#365)

* Implement AGH GSR booking (still need accurate gsr_data and database migration)

* feat: update gsr_data with AGH gid, lid, rename LibCal credentials to GENERAL_LIBCAL_* for clarity

* fix(gsr): fix AGH booking security vulnerabilities and improve reliability

- Fix critical room authorization bypass in PennGroupsBookingWrapper
- Replace insecure substring matching with precise room number extraction
- Add HTTP status validation and consistent error messaging
- Extract helper methods to eliminate code duplication
- Map LibCal room names to PennGroups extensions correctly

* Fix flake8 linting errors in gsr_booking

Fixes whitespace, import ordering, line lengths, and other
style issues to ensure code passes pre-commit hooks.

* Fix remaining linting issues in gsr_booking

- Add missing newline, fix import ordering, clean whitespace

* Format gsr_booking with black and ruff

- Split long lines and apply consistent formatting

* feat: add SEAS booking support for Amy Gutmann Hall

Add migration 0013 to support SEAS user bookings:
- Add GroupMembership.is_seas field for SEAS affiliation tracking
- Add PENNGRP to GSR.kind choices for SEAS locations
- Update test expectations for AGH at position 2 in GSR data

* Fix PennGroups API error handling in get_authorized_rooms

    Raise APIError on connection/API failures instead of returning None.
    Only return {} for SUBJECT_NOT_FOUND (not SEAS). Distinguishes API
    errors from user eligibility.

* feat: adding gsr booking api credentials to base.py, modify add_pennlabs_users to include seas in zip

* feat: Add SEAS status checking and improve API error handling

- Integrate PennGroups API for SEAS membership verification
- Add is_seas field and AGH room authorization checks
- Standardize error handling: both is_wharton() and is_seas() now raise APIError
- Add graceful fallbacks in model layer (check_wharton/check_seas)
- Update tests with proper mocking for all API calls

* feat: Implement GSR filtering by membership and fix test mocking

- Add dynamic GSR filtering in Locations view based on Wharton/SEAS status
- Penn Labs members see all GSRs (administrative override)
- Fix test mock decorator conflicts by moving to method-level
- Add comprehensive test coverage for location filtering (7 new tests)
- Add mock JSON files for PennGroups API responses
- Add graceful error handling for API failures

All 67 GSR booking tests pass. Backward compatible.

* fix: Use response data directly in location filtering tests

Fix CI test failures by reading  field from response data
instead of looking up GSRs by ID. This makes tests more robust
and environment-independent.

All tests now use  directly from the response
instead of , avoiding DoesNotExist
errors when GSR IDs differ between local and CI environments.

* fix test_get_location_penn_labs_member and test github actions gsr loading

* include gsr count in assert message to debug gsr counts in github actions

* feat(gsr): improve PennGroups/AGH GSR booking tests

- Fix deprecated assertEquals -> assertEqual
- Add 7 new comprehensive tests for PennGroups/AGH functionality
- Fix test_unauthorized_room_booking_fails mock
- Add missing ConnectTimeout import

* add clear cache to locations tests to hopefully fix ci/cd testing?

* fix(gsr): implement per-permission-level caching for locations endpoint

* fix: add back accidentally deleted task, slightly improve test documentation

* Fix PennGroups API to use pennid and add local dev support

- Update get_authorized_rooms to use pennid instead of username for PennGroups API calls
- Add get_user_pennid helper to extract pennid from Platform API
- Add bearer token fallback in get_user_info for local development when IPC fails
- Update tests to mock get_user_pennid method
- Add .env file with local development credentials

* fix(gsr): handle LibCal space/item API returning list

* fix: resolve merge conflicts with main in gsr_booking.

* fix(gsr): correctly match both numeric and alphanumeric room identifiers.

* refactor(gsr): simplify permission check error handling and add logging

  - Add logging to is_wharton() and is_seas() to track API failures
  - Return False instead of raising errors for failed permission checks
  - Remove need for try/except boilerplate from views, models, and commands

Author: darrentweng

backend/gsr_booking/api_wrapper.py

@@ -1,5 +1,6 @@
 LID,GID,NAME,SERVICE
 JMHH,1,Huntsman,wharton
+20157,42437,Amy Gutmann Hall,penngroups
 ARB,6,Academic Research,wharton
 3620,6102,Albrecht Music Library,libcal
 2634,1914,Penn Museum Library,libcal

backend/gsr_booking/data/gsr_data.csv

@@ -1,7 +1,7 @@
 from django.contrib.auth import get_user_model
 from django.core.management.base import BaseCommand, CommandError
 
-from gsr_booking.api_wrapper import WhartonGSRBooker
+from gsr_booking.api_wrapper import PennGroupsGSRBooker, WhartonGSRBooker
 from gsr_booking.models import Group, GroupMembership
 
 
@@ -21,6 +21,7 @@ def handle(self, *args, **options):
 
         users = []
         wharton_statuses = []
+        seas_statuses = []
 
         input_count = int(input("How many users would you like to add? "))
         if input_count <= 0:
@@ -34,20 +35,30 @@ def handle(self, *args, **options):
             except User.DoesNotExist:
                 self.stdout.write(f"User with PennKey {pennkey} does not exist. Skipping.")
                 continue
+
             users.append(user)
             is_wharton = WhartonGSRBooker.is_wharton(user)
             wharton_statuses.append(is_wharton)
+            is_seas = PennGroupsGSRBooker.is_seas(user)
+            seas_statuses.append(is_seas)
 
         # confirm with the admin before proceeding
         self.stdout.write("The following users will be added to the Penn Labs group:")
-        for user, is_wharton in zip(users, wharton_statuses):
-            status = "Wharton" if is_wharton else "Regular"
+        for user, is_wharton, is_seas in zip(users, wharton_statuses, seas_statuses):
+            status_parts = []
+            if is_wharton:
+                status_parts.append("Wharton")
+            if is_seas:
+                status_parts.append("SEAS")
+            if not status_parts:
+                status_parts.append("Regular")
+            status = " + ".join(status_parts)
             self.stdout.write(f"- {user.username} ({status})")
         confirm = input("Type 'yes' to confirm and proceed: ").strip().lower()
         if confirm != "yes":
             self.stdout.write("Aborted.")
             return
-        for user, is_wharton in zip(users, wharton_statuses):
+        for user, is_wharton, is_seas in zip(users, wharton_statuses, seas_statuses):
             membership, created = GroupMembership.objects.get_or_create(
                 user=user,
                 group=group,
@@ -56,6 +67,7 @@ def handle(self, *args, **options):
                     "accepted": True,
                     "pennkey_allow": True,
                     "is_wharton": is_wharton,
+                    "is_seas": is_seas,
                 },
             )
             if not created:
@@ -64,6 +76,7 @@ def handle(self, *args, **options):
                 membership.accepted = True
                 membership.pennkey_allow = True
                 membership.is_wharton = is_wharton
+                membership.is_seas = is_seas
                 membership.save()
                 self.stdout.write(f"Updated existing membership for {user.username}")
             else:

backend/gsr_booking/management/commands/add_pennlabs_users.py

@@ -2,7 +2,7 @@
 
 from django.core.management.base import BaseCommand
 
-from gsr_booking.models import GSR
+from gsr_booking.models import GSR, clear_gsr_location_caches
 
 
 class Command(BaseCommand):
@@ -17,7 +17,17 @@ def handle(self, *args, **kwargs):
                 image_url = (
                     f"https://s3.us-east-2.amazonaws.com/labs.api/gsr/lid-{lid}-gid-{gid}.jpg"
                 )
-                kind = GSR.KIND_WHARTON if service == "wharton" else GSR.KIND_LIBCAL
-                GSR.objects.create(lid=lid, gid=gid, name=name, kind=kind, image_url=image_url)
+                kind = (
+                    GSR.KIND_PENNGROUPS
+                    if service == "penngroups"
+                    else GSR.KIND_WHARTON if service == "wharton" else GSR.KIND_LIBCAL
+                )
+                GSR.objects.update_or_create(
+                    lid=lid, gid=gid, defaults={"name": name, "kind": kind, "image_url": image_url}
+                )
+
+        # Note: Caches are automatically cleared by post_save signals on GSR model
+        # But we clear explicitly here as well for clarity and to handle edge cases
+        clear_gsr_location_caches()
 
-        self.stdout.write("Uploaded GSRs!")
+        self.stdout.write("Uploaded GSRs and cleared location caches!")

backend/gsr_booking/management/commands/load_gsrs.py

@@ -0,0 +1,29 @@
+from django.contrib.auth import get_user_model
+from django.core.management.base import BaseCommand
+
+from gsr_booking.api_wrapper import PennGroupsBookingWrapper
+from gsr_booking.models import GroupMembership
+
+
+class Command(BaseCommand):
+    help = "Updates SEAS status for all users."
+
+    def handle(self, *args, **kwargs):
+        users = GroupMembership.objects.values_list("user__username", flat=True).distinct()
+        print(f"Checking {len(users)} users...")
+        penngroups_wrapper = PennGroupsBookingWrapper()
+        updated = 0
+
+        for username in users:
+            user = get_user_model().objects.get(username=username)
+            is_seas = penngroups_wrapper.is_seas(user)
+            memberships = GroupMembership.objects.filter(user__username=user)
+            for membership in memberships:
+                if membership.is_seas != is_seas:
+                    membership.is_seas = is_seas
+                    membership.save()
+                    status = "now" if is_seas else "no longer"
+                    print(f"User {user} is {status} a SEAS user.")
+                    updated += 1
+
+        print(f"Done updating SEAS statuses. Updated: {updated} users.")

backend/gsr_booking/management/commands/update_seas_status.py

@@ -6,19 +6,24 @@
 
 
 class Command(BaseCommand):
-    help = "Updates Wharton privelige status for all users."
+    help = "Updates Wharton privilege status for all users."
 
     def handle(self, *args, **kwargs):
         users = GroupMembership.objects.values_list("user__username", flat=True).distinct()
         print(f"Checking {len(users)} users...")
+        wharton_wrapper = WhartonBookingWrapper()
+        updated = 0
+
         for username in users:
             user = get_user_model().objects.get(username=username)
-            is_wharton = WhartonBookingWrapper().is_wharton(user)
+            is_wharton = wharton_wrapper.is_wharton(user)
             memberships = GroupMembership.objects.filter(user__username=user)
             for membership in memberships:
                 if membership.is_wharton != is_wharton:
                     membership.is_wharton = is_wharton
                     membership.save()
                     status = "now" if is_wharton else "no longer"
                     print(f"User {user} is {status} a Wharton user.")
-        print("Done updating Wharton statuses.")
+                    updated += 1
+
+        print(f"Done updating Wharton statuses. Updated: {updated} users.")

backend/gsr_booking/management/commands/update_wharton_status.py

@@ -0,0 +1,27 @@
+# Generated by Django 5.0.2 on 2025-10-26 18:09
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("gsr_booking", "0012_gsr_in_use"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="groupmembership",
+            name="is_seas",
+            field=models.BooleanField(blank=True, default=None, null=True),
+        ),
+        migrations.AlterField(
+            model_name="gsr",
+            name="kind",
+            field=models.CharField(
+                choices=[("WHARTON", "Wharton"), ("LIBCAL", "Libcal"), ("PENNGRP", "Penngrp")],
+                default="LIBCAL",
+                max_length=7,
+            ),
+        ),
+    ]

backend/gsr_booking/migrations/0013_groupmembership_is_seas_alter_gsr_kind.py

@@ -0,0 +1,13 @@
+# Generated by Django 5.0.2 on 2025-12-07 19:29
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("gsr_booking", "0013_groupmembership_is_seas_alter_gsr_kind"),
+        ("gsr_booking", "0013_gsrsharecode"),
+    ]
+
+    operations = []

backend/gsr_booking/migrations/0014_merge_20251207_1429.py

@@ -1,7 +1,10 @@
 import secrets
 
 from django.contrib.auth import get_user_model
+from django.core.cache import cache
 from django.db import models
+from django.db.models.signals import post_delete, post_save
+from django.dispatch import receiver
 from django.utils import timezone
 
 
@@ -30,6 +33,8 @@ class GroupMembership(models.Model):
 
     is_wharton = models.BooleanField(blank=True, null=True, default=None)
 
+    is_seas = models.BooleanField(blank=True, null=True, default=None)
+
     @property
     def is_invite(self):
         return not self.accepted
@@ -38,14 +43,20 @@ def __str__(self):
         return f"{self.user}<->{self.group}"
 
     def save(self, *args, **kwargs):
-        # determines whether user is wharton or not
+        # Determines whether user is wharton or not
         if self.is_wharton is None:
             self.is_wharton = self.check_wharton()
+        # Determines whether user is seas or not
+        if self.is_seas is None:
+            self.is_seas = self.check_seas()
         super().save(*args, **kwargs)
 
     def check_wharton(self):
         return WhartonGSRBooker.is_wharton(self.user)
 
+    def check_seas(self):
+        return PennGroupsGSRBooker.is_seas(self.user)
+
     class Meta:
         verbose_name = "Group Membership"
 
@@ -95,7 +106,12 @@ class GSR(models.Model):
 
     KIND_WHARTON = "WHARTON"
     KIND_LIBCAL = "LIBCAL"
-    KIND_OPTIONS = ((KIND_WHARTON, "Wharton"), (KIND_LIBCAL, "Libcal"))
+    KIND_PENNGROUPS = "PENNGRP"
+    KIND_OPTIONS = (
+        (KIND_WHARTON, "Wharton"),
+        (KIND_LIBCAL, "Libcal"),
+        (KIND_PENNGROUPS, "Penngrp"),
+    )
 
     kind = models.CharField(max_length=7, choices=KIND_OPTIONS, default=KIND_LIBCAL)
     lid = models.CharField(max_length=255)
@@ -163,4 +179,30 @@ def is_valid(self):
 
 
 # import at end to prevent circular dependency
-from gsr_booking.api_wrapper import WhartonGSRBooker  # noqa: E402
+from gsr_booking.api_wrapper import PennGroupsGSRBooker, WhartonGSRBooker  # noqa: E402
+
+
+# Signal handlers to clear location caches when GSR data changes
+def clear_gsr_location_caches():
+    """Clear all GSR location caches for all permission combinations"""
+    cache_keys = [
+        "gsr_locations:penn_labs",
+        "gsr_locations:wharton_True_seas_True",
+        "gsr_locations:wharton_True_seas_False",
+        "gsr_locations:wharton_False_seas_True",
+        "gsr_locations:wharton_False_seas_False",
+    ]
+    for key in cache_keys:
+        cache.delete(key)
+
+
+@receiver(post_save, sender=GSR)
+def clear_cache_on_gsr_save(sender, instance, **kwargs):
+    """Clear location caches when a GSR is saved (via admin or any other method)"""
+    clear_gsr_location_caches()
+
+
+@receiver(post_delete, sender=GSR)
+def clear_cache_on_gsr_delete(sender, instance, **kwargs):
+    """Clear location caches when a GSR is deleted (via admin or any other method)"""
+    clear_gsr_location_caches()

backend/gsr_booking/models.py

@@ -1,11 +1,11 @@
 from django.urls import include, path
-from django.views.decorators.cache import cache_page
 from rest_framework import routers
 
 from gsr_booking.views import (
     Availability,
     BookRoom,
     CancelRoom,
+    CheckSEAS,
     CheckWharton,
     GroupMembershipViewSet,
     GroupViewSet,
@@ -15,7 +15,6 @@
     RecentGSRs,
     ReservationsView,
 )
-from utils.cache import Cache
 
 
 router = routers.DefaultRouter()
@@ -27,9 +26,10 @@
 
 urlpatterns = [
     path("", include(router.urls)),
-    path("locations/", cache_page(Cache.MONTH)(Locations.as_view()), name="locations"),
+    path("locations/", Locations.as_view(), name="locations"),
     path("recent/", RecentGSRs.as_view(), name="recent-gsrs"),
     path("wharton/", CheckWharton.as_view(), name="is-wharton"),
+    path("seas/", CheckSEAS.as_view(), name="is-seas"),
     path("availability/<lid>/<gid>", Availability.as_view(), name="availability"),
     path("book/", BookRoom.as_view(), name="book"),
     path("cancel/", CancelRoom.as_view(), name="cancel"),