From 1022466ce0979380a2c304e829ec7364dbd0e465 Mon Sep 17 00:00:00 2001 From: David LeBauer Date: Fri, 2 Nov 2018 09:11:20 -0700 Subject: [PATCH 01/17] Update .zenodo.json trying to fix errors w/ zenodo; 'metadata' level is not required --- .zenodo.json | 126 +++++++++++++++++++++++++-------------------------- 1 file changed, 62 insertions(+), 64 deletions(-) diff --git a/.zenodo.json b/.zenodo.json index 2c7a9cfb1..5461022f4 100644 --- a/.zenodo.json +++ b/.zenodo.json 
@@ -1,69 +1,67 @@ { - "metadata": { - "access_right": "open", - "creators": [{ - "affiliation": "University of Illinois", - "name": "Scott Rohde" - }, - { - "name": "Carl Crott" - }, - { - "affiliation": "University of Illinois", - "name": "David LeBauer" - }, - { - "name": "Patrick Mulrooney" - }, - { - "affiliation": "National Center for Supercomputing Applications", - "name": "Rob Kooper" - }, - { - "name": "Jeremy Kemball" - }, - { - "name": "Jimmy Chen" - }, - { - "name": "Andrew Shirk" - }, - { - "name": "Zhengqi Yang" - }, - { - "affiliation": "National Center for Supercomputing Applications", - "name": "Max Burnette" - }, - { - "name": "Haotian Jiang" - }, - { - "name": "Yilin Dong" - }, - { - "name": "Uday Saraf" - }, - { - "affiliation": "Boston University", - "name": "Michael Dietze" - }, - { - "name": "Chris Black" - } - ], - "language": "eng", - "license": { - "id": "NCSA" + "access_right": "open", + "creators": [{ + "affiliation": "University of Illinois", + "name": "Scott Rohde" }, - "references": [ - "LeBauer, D., Kooper, R., Mulrooney, P., Rohde, S., Wang, D., Long, S. P., & Dietze, M. C. (2018). BETYdb: a yield, trait, and ecosystem service database applied to second\u2010generation bioenergy feedstock production. GCB Bioenergy, 10(1), 61-71", - "LeBauer, David, Michael Dietze, Rob Kooper, Steven Long, Patrick Mulrooney, Gareth Scott Rohde, Dan Wang (2010). Biofuel Ecophysiological Traits and Yields Database (BETYdb), Energy Biosciences Institute, University of Illinois at Urbana-Champaign. 
doi:10.13012/J8H41PB9" - ], - "notes": "Development of BETYdb is supported by the National Science Foundation (ABI #1062547, ABI #1458021), the Department of Energy (ARPA-E awards #DE-AR0000594 and DE-AR0000598), and the Energy Biosciences Institute.", - "resource_type": { - "title": "Software", - "type": "software" + { + "name": "Carl Crott" + }, + { + "affiliation": "University of Illinois", + "name": "David LeBauer" + }, + { + "name": "Patrick Mulrooney" + }, + { + "affiliation": "National Center for Supercomputing Applications", + "name": "Rob Kooper" + }, + { + "name": "Jeremy Kemball" + }, + { + "name": "Jimmy Chen" + }, + { + "name": "Andrew Shirk" + }, + { + "name": "Zhengqi Yang" + }, + { + "affiliation": "National Center for Supercomputing Applications", + "name": "Max Burnette" + }, + { + "name": "Haotian Jiang" + }, + { + "name": "Yilin Dong" + }, + { + "name": "Uday Saraf" + }, + { + "affiliation": "Boston University", + "name": "Michael Dietze" + }, + { + "name": "Chris Black" } + ], + "language": "eng", + "license": { + "id": "NCSA" + }, + "references": [ + "LeBauer, D., Kooper, R., Mulrooney, P., Rohde, S., Wang, D., Long, S. P., & Dietze, M. C. (2018). BETYdb: a yield, trait, and ecosystem service database applied to second\u2010generation bioenergy feedstock production. GCB Bioenergy, 10(1), 61-71", + "LeBauer, David, Michael Dietze, Rob Kooper, Steven Long, Patrick Mulrooney, Gareth Scott Rohde, Dan Wang (2010). Biofuel Ecophysiological Traits and Yields Database (BETYdb), Energy Biosciences Institute, University of Illinois at Urbana-Champaign. doi:10.13012/J8H41PB9" + ], + "notes": "Development of BETYdb is supported by the National Science Foundation (ABI #1062547, ABI #1458021), the Department of Energy (ARPA-E awards #DE-AR0000594 and DE-AR0000598), and the Energy Biosciences Institute.", + "resource_type": { + "title": "Software", + "type": "software" } } From 64b9a5a2eeef66f470a1bb8ab1a92d2c1808ac75 Mon Sep 17 00:00:00 2001 
From: David LeBauer Date: Fri, 2 Nov 2018 09:13:27 -0700 Subject: [PATCH 02/17] Update .zenodo.json --- .zenodo.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.zenodo.json b/.zenodo.json index 5461022f4..80a703a6f 100644 --- a/.zenodo.json +++ b/.zenodo.json @@ -8,7 +8,7 @@ "name": "Carl Crott" }, { - "affiliation": "University of Illinois", + "affiliation": "University of Arizona", "name": "David LeBauer" }, { From 032f1f09baf6ec0667d4a5acc7abc5516f760125 Mon Sep 17 00:00:00 2001 From: Scott Rohde Date: Fri, 9 Nov 2018 14:30:05 -0600 Subject: [PATCH 03/17] Comment revisions only. --- app/models/bulk_upload_data_set.rb | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/app/models/bulk_upload_data_set.rb b/app/models/bulk_upload_data_set.rb index f1367c972..17a375a8d 100644 --- a/app/models/bulk_upload_data_set.rb +++ b/app/models/bulk_upload_data_set.rb @@ -1242,8 +1242,12 @@ def insert_data t.site_id = row['site_id'] # Modify each Trait class instance so that date strings are - # interpreted as being in the time zone of the trait site - # (or UTC, if the trait site time_zone column is null) + # interpreted as being in the time zone of the trait site (or UTC, if + # the trait site time_zone column is null). Note that in the Bulk + # Upload Wizard, the validation step will prevent reaching this code + # if a site without time zone is in the data file. But nothing + # prevents a site without time zone from being specified + # interactively. class < Date: Mon, 26 Nov 2018 15:23:10 -0600 Subject: [PATCH 04/17] Implement feature requested in Issue #605: allow key-less API access to public data. --- app/services/api_authentication_system.rb | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/app/services/api_authentication_system.rb b/app/services/api_authentication_system.rb index c044ee66c..b638f9c68 100644 --- a/app/services/api_authentication_system.rb 
+++ b/app/services/api_authentication_system.rb
@@ -3,7 +3,11 @@ module ApiAuthenticationSystem
 # Override default access_denied action.
 def access_denied
- @errors = "authentication failed"
+ if @errors
+ @errors = "authentication failed: " + @errors
+ else
+ @errors = "authentication failed"
+ end
 render status: 401
 end
@@ -19,4 +23,21 @@ def permissions(action_name, resource)
 end
 end
+ # Override "login_from_api_key" so that if no key is given or the given key is
+ # invalid, the user is logged in as the guest user.
+ def login_from_api_key
+ key = params[:key]
+ if key.nil?
+ u = User.find_by_login('guestuser')
+ else
+ u = User.find_by_apikey(params[:key]) || User.find_by_login('guestuser')
+ end
+
+ if u.nil?
+ @errors = "You must either use a valid API key or set up the guest user account."
+ end
+
+ return u
+ end
+
 end
From 1510660a69a98f3e8712d1a7fcce2a055ec09980 Mon Sep 17 00:00:00 2001
From: Scott Rohde
Date: Tue, 27 Nov 2018 14:33:35 -0600
Subject: [PATCH 05/17] Consider an invalid API key an error rather than defaulting to the guest user account.
---
 app/services/api_authentication_system.rb | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/app/services/api_authentication_system.rb b/app/services/api_authentication_system.rb
index b638f9c68..afe112cf1 100644
--- a/app/services/api_authentication_system.rb
+++ b/app/services/api_authentication_system.rb
@@ -1,3 +1,4 @@
+# coding: utf-8
 module ApiAuthenticationSystem
 include AuthenticatedSystem
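Review bot: In `login_from_api_key` (second hunk of PATCH 04/17, app/services/api_authentication_system.rb) the guest branch is selected with `key.nil?`, so a request that sends an empty `key=` is not treated as keyless and goes to `User.find_by_apikey` with an empty string. If any account has a blank `apikey` value, which cannot be seen from this hunk, that lookup would authenticate the request as that account; the same `key.nil?` test is still present after PATCH 05/17 and PATCH 06/17. I would write the condition as `if key.blank?` (or reject blank keys outright), and confirm that the `guestuser` account is limited to public, read-only data, since every keyless request now runs as that user. A short comment on the contract would also help: `# Returns the matching User, or nil with @errors set when no account is found.`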
@@ -28,13 +29,15 @@ def permissions(action_name, resource)
 def login_from_api_key
 key = params[:key]
 if key.nil?
- u = User.find_by_login('guestuser')
+ u = User.find_by_login('guestuserx')
+ if u.nil?
+ @errors = "For key-less access to the API, you must set up the guest user account."
+ end
 else
- u = User.find_by_apikey(params[:key]) || User.find_by_login('guestuser')
- end
-
- if u.nil?
- @errors = "You must either use a valid API key or set up the guest user account."
+ u = User.find_by_apikey(params[:key])
+ if u.nil?
+ @errors = "Invalid API key. To access the API as a guest user, omit the “key” parameter."
+ end
 end
 return u
From d0f8c053b9475ebf14d73fb92dfc21404f7a7b03 Mon Sep 17 00:00:00 2001
From: Scott Rohde
Date: Tue, 27 Nov 2018 14:56:13 -0600
Subject: [PATCH 06/17] Fixed incorrect login string. Got rid of redundant use of params[:key].
---
 app/services/api_authentication_system.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/services/api_authentication_system.rb b/app/services/api_authentication_system.rb
index afe112cf1..a52974068 100644
--- a/app/services/api_authentication_system.rb
+++ b/app/services/api_authentication_system.rb
@@ -29,12 +29,12 @@ def permissions(action_name, resource)
 def login_from_api_key
 key = params[:key]
 if key.nil?
- u = User.find_by_login('guestuserx')
+ u = User.find_by_login('guestuser')
 if u.nil?
 @errors = "For key-less access to the API, you must set up the guest user account."
 end
 else
- u = User.find_by_apikey(params[:key])
+ u = User.find_by_apikey(key)
 if u.nil?
 @errors = "Invalid API key. To access the API as a guest user, omit the “key” parameter."
 end
From ca34ddbd6fb997908362ac397cca0be9c43de025 Mon Sep 17 00:00:00 2001
From: Scott Rohde
Date: Tue, 27 Nov 2018 15:20:50 -0600
Subject: [PATCH 07/17] Add maps.js to the precompile list to fix issue 596.
---
 config/initializers/assets.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/config/initializers/assets.rb b/config/initializers/assets.rb index 0098a0d6a..0069c2990 100644 --- a/config/initializers/assets.rb +++ b/config/initializers/assets.rb @@ -17,6 +17,8 @@ lazy/feedback.js lazy/autocomplete.js lazy/bulk_upload.js + + mylibs/maps.js ) Rails.application.config.assets.paths << From 221b60828caee8099320ddc38dffd258a89d704e Mon Sep 17 00:00:00 2001 From: Scott Rohde Date: Thu, 29 Nov 2018 15:50:30 -0600 Subject: [PATCH 08/17] Added a "type" attribute to the "Show" and "All Records" buttons on the covariate editing pages to prevent the default "submit" action from being attempted. This fixes issue #585. Also removed an extraneous "Update" button. Make the "Show" page for covariates give a more user-friendly error message when the covariate lacks an association with a trait. --- app/controllers/covariates_controller.rb | 4 ++++ app/views/covariates/edit.html.erb | 7 ++----- app/views/covariates/show.html.erb | 2 ++ 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/app/controllers/covariates_controller.rb b/app/controllers/covariates_controller.rb index 7ef6845ec..f7132903a 100644 --- a/app/controllers/covariates_controller.rb +++ b/app/controllers/covariates_controller.rb @@ -31,6 +31,10 @@ def index def show @covariate = Covariate.find(params[:id]) + if @covariate.trait.nil? + flash[:error] = 'This covariated is not associated with a trait! Consider removing it.' + end + respond_to do |format| format.html # show.html.erb format.xml { render :xml => @covariate } diff --git a/app/views/covariates/edit.html.erb b/app/views/covariates/edit.html.erb index 66db0423a..ea46ea795 100644 --- a/app/views/covariates/edit.html.erb +++ b/app/views/covariates/edit.html.erb @@ -44,17 +44,14 @@ <%= f.label :statname %>
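Review bot: In `CovariatesController#show` (the app/controllers/covariates_controller.rb hunk of PATCH 08/17) the warning is stored with `flash[:error]` and the action then renders in the same request, so the message would normally also be carried over to the next page the user opens. `flash.now[:error] = '...'` keeps it to the current render. The body of `show` continues outside the hunk, and the same assignment is touched again by PATCH 09/17, which only corrects the wording.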
<%= f.select :statname, $statname_list %>

-

- <%= f.submit 'Update' %> -

<%= link_to( covariates_path ) do %> - + <% end %> <%= link_to( @covariate ) do %> - + <% end %>
diff --git a/app/views/covariates/show.html.erb b/app/views/covariates/show.html.erb index 245c535cb..fff881478 100644 --- a/app/views/covariates/show.html.erb +++ b/app/views/covariates/show.html.erb @@ -18,6 +18,7 @@
<%= @covariate.stat %>
Statname:
<%= @covariate.statname %>
+ <% if @covariate.trait %>
Associated Trait:
<%= link_to_if @covariate.trait, @covariate.trait, @covariate.trait %> @@ -32,6 +33,7 @@
<%= link_to_if @covariate.trait.specie, @covariate.trait.specie, @covariate.trait.specie %>
Citation:
<%= link_to_if @covariate.trait.citation, @covariate.trait.citation, @covariate.trait.citation %>
+ <% end %> From bbd42c9868aa37cb425f7cb4e6ebf01d3742806c Mon Sep 17 00:00:00 2001 From: David LeBauer Date: Thu, 29 Nov 2018 15:03:27 -0700 Subject: [PATCH 09/17] fix typo covariated --> covariate --- app/controllers/covariates_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/covariates_controller.rb b/app/controllers/covariates_controller.rb index f7132903a..def62fd3e 100644 --- a/app/controllers/covariates_controller.rb +++ b/app/controllers/covariates_controller.rb @@ -32,7 +32,7 @@ def show @covariate = Covariate.find(params[:id]) if @covariate.trait.nil? - flash[:error] = 'This covariated is not associated with a trait! Consider removing it.' + flash[:error] = 'This covariate is not associated with a trait! Consider removing it.' end respond_to do |format| From a093409f49f30a17f4478473091380a022a460d6 Mon Sep 17 00:00:00 2001 From: Scott Rohde Date: Mon, 3 Dec 2018 14:55:41 -0600 Subject: [PATCH 10/17] Include "script.js" code to enable the "close" button in alert divs. This fixes issue 611. --- app/assets/javascripts/application.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/app/assets/javascripts/application.js b/app/assets/javascripts/application.js index 66d868d2d..45837b6aa 100644 --- a/app/assets/javascripts/application.js +++ b/app/assets/javascripts/application.js @@ -17,5 +17,8 @@ // defines showHide //= require min +// enables close button in "alert" divs: +//= require script + //= require lazy/simple_search //= require lazy/application From c9769941529711e17b8f65a140a2c549b43a5aeb Mon Sep 17 00:00:00 2001 From: Rob Kooper Date: Fri, 11 Jan 2019 09:17:14 -0600 Subject: [PATCH 11/17] Fix to make sure dbfiles have valid filename --- CHANGELOG.md | 5 +++++ app/models/db_file.rb | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fac52fecf..56cb26fcf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,6 +5,11 @@ section for the next release.
 For more information about this file see also [Keep a Changelog](http://keepachangelog.com/) .
+## Unreleased
+
+### Fixes
+
+- A fix for a critical vulnerability reported by Danny Rosseau at Carve Systems (www.carvesystems.com).
 ## [5.0.5] - 2018-10-23
diff --git a/app/models/db_file.rb b/app/models/db_file.rb
index c76c2ef70..ef81aa81b 100644
--- a/app/models/db_file.rb
+++ b/app/models/db_file.rb
@@ -32,6 +32,11 @@ def setup(user_id, upload, args = nil)
 self[:created_user_id] = user_id
 self[:updated_user_id] = user_id
 if upload # Uploaded file
+ # check to see it is a valid filename
+ if upload.original_filename.match(/^[a-zA-Z0-9._\-]+$/).nil?
+ raise("Invalid filename \"#{upload.original_filename}\"")
+ end
+
 self[:file_name] = upload.original_filename
 self[:md5] = Digest::MD5.file(upload.path).hexdigest
From b474ace4c5dbc9e1acc39a0de10dad30c4d8c60e Mon Sep 17 00:00:00 2001
From: Rob Kooper
Date: Fri, 11 Jan 2019 09:52:27 -0600
Subject: [PATCH 12/17] update CHANGELOG
---
 CHANGELOG.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 56cb26fcf..a4dbb572d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,11 @@ For more information about this file see also [Keep a Changelog](http://keepacha
 ### Fixes
-- A fix for a critical vulnerability reported by Danny Rosseau at Carve Systems (www.carvesystems.com).
+- #611 : could not close alerts
+- #585 : Pressing "Show" on the Covariates Edit page attempts an update
+- #621 : A fix for a critical vulnerability reported by Danny Rosseau at Carve Systems (www.carvesystems.com).
+- #596 : Crop Model Maps links are broken
+- #605 : Allow for keyless API access (using guestuser access)
 ## [5.0.5] - 2018-10-23
From b7774cf92daa31e6683719e6569baa40979f7461 Mon Sep 17 00:00:00 2001
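Review bot: The filename check added to `setup` in app/models/db_file.rb (PATCH 11/17) anchors its pattern with `^` and `$`, which in Ruby match at line boundaries rather than at the start and end of the string, so a name containing a line break is accepted as soon as one of its lines matches. The anchors should be `\A` and `\z`: `if upload.original_filename.match(/\A[a-zA-Z0-9._\-]+\z/).nil?`. The character class also accepts names made only of dots (`.` and `..`) and names beginning with `.` or `-`; whether that matters depends on how `file_name` is later turned into a path, which is outside this hunk, so rejecting those explicitly is worth considering. The same regex line is unchanged context in PATCH 13/17 and PATCH 15/17, and the raised message echoes the rejected name verbatim, so it should be escaped wherever it is shown.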
From: David LeBauer
Date: Fri, 11 Jan 2019 10:10:58 -0600
Subject: [PATCH 13/17] Update app/models/db_file.rb
Co-Authored-By: robkooper
---
 app/models/db_file.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/models/db_file.rb b/app/models/db_file.rb
index ef81aa81b..28ded1b88 100644
--- a/app/models/db_file.rb
+++ b/app/models/db_file.rb
@@ -34,7 +34,7 @@ def setup(user_id, upload, args = nil)
 if upload # Uploaded file
 # check to see it is a valid filename
 if upload.original_filename.match(/^[a-zA-Z0-9._\-]+$/).nil?
- raise("Invalid filename \"#{upload.original_filename}\"")
+ raise("Invalid filename \"#{upload.original_filename}\"; filenames can only contain letters, numbers, periods and dashes.")
 end
 self[:file_name] = upload.original_filename
From c563c57d4516b99b94a176dac9f16d0d5161c0cc Mon Sep 17 00:00:00 2001
From: Scott Rohde
Date: Fri, 11 Jan 2019 10:33:23 -0600
Subject: [PATCH 14/17] Fix for issue 618.
---
 app/controllers/search_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 3120cb3fb..dfd0b932d 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -155,7 +155,7 @@ def index
 end
 str = header + @results.to_comma
- send_data str, type: Mime::CSV,
+ send_data str, type: :csv,
 disposition: "attachment; filename=search_results.csv"
 end
 format.json { render :json => @results }
From 1455e064fd2b85762d49e0932ae016cb5fba6fbc Mon Sep 17 00:00:00 2001
From: David LeBauer
Date: Fri, 11 Jan 2019 10:01:40 -0700
Subject: [PATCH 15/17] Update db_file.rb
---
 app/models/db_file.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/models/db_file.rb b/app/models/db_file.rb
index 28ded1b88..6aac2ac38 100644
--- a/app/models/db_file.rb
+++ b/app/models/db_file.rb
@@ -34,7 +34,7 @@ def setup(user_id, upload, args = nil)
 if upload # Uploaded file
 # check to see it is a valid filename
 if upload.original_filename.match(/^[a-zA-Z0-9._\-]+$/).nil?
- raise("Invalid filename \"#{upload.original_filename}\"; filenames can only contain letters, numbers, periods and dashes.")
+ raise("Invalid filename \"#{upload.original_filename}\"; filenames can only contain letters, numbers, periods, underscores, and dashes.")
 end
 self[:file_name] = upload.original_filename
From 7035037310a9abb898ada1d05f49a00fb56aada3 Mon Sep 17 00:00:00 2001
From: Rob Kooper
Date: Fri, 11 Jan 2019 12:42:40 -0600
Subject: [PATCH 16/17] Additional changelog
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a4dbb572d..f8f48f8d1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ For more information about this file see also [Keep a Changelog](http://keepacha
 - #621 : A fix for a critical vulnerability reported by Danny Rosseau at Carve Systems (www.carvesystems.com).
 - #596 : Crop Model Maps links are broken
 - #605 : Allow for keyless API access (using guestuser access)
+- #618 : Can not download results of search as csv
 ## [5.0.5] - 2018-10-23
From 7e6c58a9a7cb5b4d81e5d8a851a4cdd7483be502 Mon Sep 17 00:00:00 2001
From: Rob Kooper
Date: Mon, 14 Jan 2019 13:54:26 -0600
Subject: [PATCH 17/17] Set release
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f8f48f8d1..c11865945 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ section for the next release.
 For more information about this file see also [Keep a Changelog](http://keepachangelog.com/) .
-## Unreleased
+## [5.1.0] - 2019-01-14
 ### Fixes