Skip to content

Commit

Permalink
Restrict MultiPartParser to endpoints where it's actually useful
Browse files Browse the repository at this point in the history
  • Loading branch information
@SpecLad
SpecLad committed Mar 16, 2023
1 parent 66591a1 commit 56c99da
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 7 deletions.
18 changes: 12 additions & 6 deletions cvat/apps/engine/views.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,8 +33,10 @@
from rest_framework import mixins, serializers, status, viewsets
from rest_framework.decorators import action
from rest_framework.exceptions import APIException, NotFound, ValidationError, PermissionDenied
from rest_framework.parsers import MultiPartParser
from rest_framework.permissions import SAFE_METHODS
from rest_framework.response import Response
from rest_framework.settings import api_settings
from django_sendfile import sendfile

import cvat.apps.dataset_manager as dm
Expand Down Expand Up @@ -79,6 +81,8 @@
from cvat.apps.engine.cache import MediaCache
from cvat.apps.events.handlers import handle_annotations_patch

_UPLOAD_PARSER_CLASSES = api_settings.DEFAULT_PARSER_CLASSES + [MultiPartParser]

@extend_schema(tags=['server'])
class ServerViewSet(viewsets.ViewSet):
serializer_class = None
Expand Down Expand Up @@ -307,7 +311,7 @@ def perform_create(self, serializer, **kwargs):
'405': OpenApiResponse(description='Format is not available'),
})
@action(detail=True, methods=['GET', 'POST', 'OPTIONS'], serializer_class=None,
url_path=r'dataset/?$')
url_path=r'dataset/?$', parser_classes=[MultiPartParser])
def dataset(self, request, pk):
self._object = self.get_object() # force call of check_object_permissions()
rq_id = f"import:dataset-for-project.id{pk}-by-{request.user}"
Expand Down Expand Up @@ -501,7 +505,7 @@ def export_backup(self, request, pk=None):
'202': OpenApiResponse(description='Importing a backup file has been started'),
})
@action(detail=False, methods=['OPTIONS', 'POST'], url_path=r'backup/?$',
serializer_class=ProjectFileSerializer(required=False))
serializer_class=ProjectFileSerializer(required=False), parser_classes=[MultiPartParser])
def import_backup(self, request, pk=None):
return self.deserialize(request, backup.import_project)

Expand Down Expand Up @@ -733,7 +737,8 @@ def get_queryset(self):
'201': OpenApiResponse(description='The task has been imported'), # or better specify {id: task_id}
'202': OpenApiResponse(description='Importing a backup file has been started'),
})
@action(detail=False, methods=['OPTIONS', 'POST'], url_path=r'backup/?$', serializer_class=TaskFileSerializer(required=False))
@action(detail=False, methods=['OPTIONS', 'POST'], url_path=r'backup/?$',
serializer_class=TaskFileSerializer(required=False), parser_classes=[MultiPartParser])
def import_backup(self, request, pk=None):
return self.deserialize(request, backup.import_task)

Expand Down Expand Up @@ -912,7 +917,8 @@ def upload_finished(self, request):
responses={
'200': OpenApiResponse(description='Data of a specific type'),
})
@action(detail=True, methods=['OPTIONS', 'POST', 'GET'], url_path=r'data/?$')
@action(detail=True, methods=['OPTIONS', 'POST', 'GET'], url_path=r'data/?$',
parser_classes=_UPLOAD_PARSER_CLASSES)
def data(self, request, pk):
self._object = self.get_object() # call check_object_permissions as well
if request.method == 'POST' or request.method == 'OPTIONS':
Expand Down Expand Up @@ -1036,7 +1042,7 @@ def append_data_chunk(self, request, pk, file_id):
'204': OpenApiResponse(description='The annotation has been deleted'),
})
@action(detail=True, methods=['GET', 'DELETE', 'PUT', 'PATCH', 'POST', 'OPTIONS'], url_path=r'annotations/?$',
serializer_class=None)
serializer_class=None, parser_classes=_UPLOAD_PARSER_CLASSES)
def annotations(self, request, pk):
self._object = self.get_object() # force call of check_object_permissions()
if request.method == 'GET':
Expand Down Expand Up @@ -1433,7 +1439,7 @@ def upload_finished(self, request):
'204': OpenApiResponse(description='The annotation has been deleted'),
})
@action(detail=True, methods=['GET', 'DELETE', 'PUT', 'PATCH', 'POST', 'OPTIONS'], url_path=r'annotations/?$',
serializer_class=LabeledDataSerializer)
serializer_class=LabeledDataSerializer, parser_classes=_UPLOAD_PARSER_CLASSES)
def annotations(self, request, pk):
self._object = self.get_object() # force call of check_object_permissions()
if request.method == 'GET':
Expand Down
1 change: 0 additions & 1 deletion cvat/settings/base.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -147,7 +147,6 @@ def add_ssh_keys():
REST_FRAMEWORK = {
'DEFAULT_PARSER_CLASSES': [
'rest_framework.parsers.JSONParser',
'rest_framework.parsers.MultiPartParser',
],
'DEFAULT_RENDERER_CLASSES': [
'cvat.apps.engine.renderers.CVATAPIRenderer',
Expand Down

0 comments on commit 56c99da

Please sign in to comment.