Ensure enable-submissions Disabling Correctly Allows Bypassing (#22834)

2024-11-18 09:42:59 -05:00 · 2024-11-18 09:42:59 -05:00 · aa342d1cc1
--- a/src/olympia/addons/tests/test_views.py
+++ b/src/olympia/addons/tests/test_views.py
@ -953,6 +953,9 @@ class TestAddonViewSetCreate(UploadMixin, AddonViewSetCreateUpdateMixin, TestCas
        response = self.request()
        assert response.status_code == 503
        assert response.json() == expected
+        self.create_flag('enable-submissions', note=':-(', users=[self.user.id])
+        response = self.request()
+        assert response.status_code != 503

    def test_invalid_upload(self):
        self.upload.update(valid=False)
@ -3530,6 +3533,9 @@ class TestVersionViewSetCreate(UploadMixin, VersionViewSetCreateUpdateMixin, Tes
        response = self.request()
        assert response.status_code == 503
        assert response.json() == expected
+        self.create_flag('enable-submissions', note=':-(', users=[self.user.id])
+        response = self.request()
+        assert response.status_code != 503

    def test_basic_unlisted(self):
        response = self.client.post(
@ -7324,6 +7330,9 @@ class TestAddonPreviewViewSet(TestCase):
            'error': 'Add-on uploads are temporarily unavailable.',
            'reason': ':-(',
        }
+        self.create_flag('enable-submissions', note=':-(', users=[self.user.id])
+        response = self.client.post(url)
+        assert response.status_code != 503

    def test_cannot_create_for_themes(self):
        self.client.login_api(self.user)
--- a/src/olympia/addons/views.py
+++ b/src/olympia/addons/views.py
@ -5,6 +5,7 @@ from django.db.models import F, Max, Prefetch
 from django.db.transaction import non_atomic_requests
 from django.shortcuts import redirect
 from django.utils.cache import patch_cache_control
+from django.utils.decorators import method_decorator
 from django.utils.translation import gettext

 from drf_yasg.utils import swagger_auto_schema
@ -399,7 +400,7 @@ class AddonViewSet(
            self.action = 'create'
            return self.create(request, *args, **kwargs)

-    @require_submissions_enabled
+    @method_decorator(require_submissions_enabled)
    @swagger_auto_schema(
        operation_description="""
            This endpoint allows a submission of an upload to create a new add-on
@ -637,7 +638,7 @@ class AddonVersionViewSet(
            queryset = queryset.transform(Version.transformer_license)
        return queryset

-    @require_submissions_enabled
+    @method_decorator(require_submissions_enabled)
    def create(self, request, *args, **kwargs):
        addon = self.get_addon_object()
        has_source = request.data.get('source')
@ -774,7 +775,7 @@ class AddonPreviewViewSet(
    def get_queryset(self):
        return self.get_addon_object().previews.all()

-    @require_submissions_enabled
+    @method_decorator(require_submissions_enabled)
    def create(self, request, *args, **kwargs):
        response = super().create(request, *args, **kwargs)
        return response
--- a/src/olympia/files/tests/test_views.py
+++ b/src/olympia/files/tests/test_views.py
@ -130,6 +130,9 @@ class TestFileUploadViewSet(TestCase):
        response = self._create_post()
        assert response.status_code == 503
        assert response.json() == expected
+        self.create_flag('enable-submissions', note=':-(', users=[self.user.id])
+        response = self._create_post()
+        assert response.status_code != 503

    def test_not_authenticated(self):
        self.client.logout_api()
--- a/src/olympia/files/views.py
+++ b/src/olympia/files/views.py
@ -1,6 +1,7 @@
 from django import http, shortcuts
 from django.core.exceptions import PermissionDenied
 from django.utils.crypto import constant_time_compare
+from django.utils.decorators import method_decorator
 from django.utils.translation import gettext

 from rest_framework import exceptions, status
@ -73,7 +74,7 @@ class FileUploadViewSet(CreateModelMixin, ReadOnlyModelViewSet):
    def get_queryset(self):
        return super().get_queryset().filter(user=self.request.user)

-    @require_submissions_enabled
+    @method_decorator(require_submissions_enabled)
    def create(self, request):
        if 'upload' in request.FILES:
            filedata = request.FILES['upload']
--- a/src/olympia/signing/tests/test_views.py
+++ b/src/olympia/signing/tests/test_views.py
@ -140,6 +140,11 @@ class TestUploadVersion(BaseUploadVersionTestMixin, TestCase):
        response = self.request('PUT')
        assert response.status_code == 503
        assert response.json() == expected
+        self.create_flag('enable-submissions', note=':-(', users=[self.user.id])
+        response = self.request('POST')
+        assert response.status_code != 503
+        response = self.request('PUT')
+        assert response.status_code != 503

    def test_addon_does_not_exist(self):
        guid = '@create-version'
--- a/src/olympia/signing/views.py
+++ b/src/olympia/signing/views.py
@ -1,6 +1,7 @@
 import functools

 from django import forms
+from django.utils.decorators import method_decorator
 from django.utils.translation import gettext

 from rest_framework import status
@ -83,7 +84,7 @@ class VersionView(APIView):
    permission_classes = [IsAuthenticated, IsSubmissionAllowedFor]
    throttle_classes = addon_submission_throttles

-    @require_submissions_enabled
+    @method_decorator(require_submissions_enabled)
    def post(self, request, *args, **kwargs):
        version_string = request.data.get('version', None)

@ -99,8 +100,8 @@ class VersionView(APIView):
        )
        return Response(serializer.data, status=status.HTTP_201_CREATED)

-    @require_submissions_enabled
    @with_addon(allow_missing=True)
+    @method_decorator(require_submissions_enabled)
    def put(self, request, addon, version_string, guid=None):
        try:
            file_upload, created = self.handle_upload(