Remove (hypothetical) side effects from GET calls #10664

UserProfiles always exist since #8022. 1ca5c32 removed some cruft guards for missing profiles. This removes the rest, which makes it more clear that these GETs do not have side-effects (and thus CSRF attack vectors).
archesproject · Oct 7, 2024 · 1f8da9a · 1f8da9a
1 parent 6989e7f
commit 1f8da9a
Show file tree

Hide file tree

Showing 4 changed files with 2 additions and 14 deletions.
diff --git a/arches/app/datatypes/datatypes.py b/arches/app/datatypes/datatypes.py
@@ -1263,8 +1263,6 @@ def post_tile_save(self, tile, nodeid, request):
             # this does not get called when saving data from the mobile app
             previously_saved_tile = models.TileModel.objects.filter(pk=tile.tileid)
             user = request.user
-            if hasattr(request.user, "userprofile") is not True:
-                models.UserProfile.objects.create(user=request.user)
             user_is_reviewer = user_is_resource_reviewer(request.user)
             current_tile_data = self.get_tile_data(tile)
             if previously_saved_tile.count() == 1:

diff --git a/arches/app/models/tile.py b/arches/app/models/tile.py
@@ -411,13 +411,6 @@ def get_tile_data(self, user_id=None):
 
         return data
 
-    def ensure_userprofile_exists(self, request):
-        try:
-            if hasattr(request.user, "userprofile") is not True:
-                models.UserProfile.objects.create(user=request.user)
-        except:
-            pass
-
     def datatype_post_save_actions(self, request=None):
         try:
             userid = str(request.user.id)
@@ -523,7 +516,6 @@ def save(self, *args, **kwargs):
             # We have to save the edit log record after calling save so that the
             # resource's displayname changes are avaliable
             user = {} if user is None else user
-            self.ensure_userprofile_exists(request)
             self.datatype_post_save_actions(request)
             self.__postSave(request, context=context)
             if creating_new_tile is True:

diff --git a/arches/app/views/api/__init__.py b/arches/app/views/api/__init__.py
@@ -195,8 +195,6 @@ def get(self, request):
             indent = int(indent)
         if isinstance(nodegroups, str):
             nodegroups = nodegroups.split(",")
-        if hasattr(request.user, "userprofile") is not True:
-            models.UserProfile.objects.create(user=request.user)
         viewable_nodegroups = request.user.userprofile.viewable_nodegroups
         nodegroups = [i for i in nodegroups if i in viewable_nodegroups]
         nodes = models.Node.objects.filter(
@@ -341,8 +339,6 @@ def get(self, request):
 
 class MVT(APIBase):
     def get(self, request, nodeid, zoom, x, y):
-        if hasattr(request.user, "userprofile") is not True:
-            models.UserProfile.objects.create(user=request.user)
         viewable_nodegroups = request.user.userprofile.viewable_nodegroups
         user = request.user
 

diff --git a/releases/8.0.0.md b/releases/8.0.0.md
@@ -45,6 +45,8 @@ JavaScript:
 
 - Following a deprecation in 7.6.0, the `-o install` argument to `manage.py packages` has been removed.
 
+- `ensure_userprofile_exists()` was removed from the `Tile` model.
+
 ### Upgrading Arches
 
 1. You must be upgraded to at least version   before proceeding. If you are on an earlier version, please refer to the upgrade process in the []()