Merge pull request #630 from PecanProject/develop

release 5.1.0

Author: dlebauer

.zenodo.json

@@ -1,69 +1,67 @@
 {
-	"metadata": {
-		"access_right": "open",
-		"creators": [{
-				"affiliation": "University of Illinois",
-				"name": "Scott Rohde"
-			},
-			{
-				"name": "Carl Crott"
-			},
-			{
-				"affiliation": "University of Illinois",
-				"name": "David LeBauer"
-			},
-			{
-				"name": "Patrick Mulrooney"
-			},
-			{
-				"affiliation": "National Center for Supercomputing Applications",
-				"name": "Rob Kooper"
-			},
-			{
-				"name": "Jeremy Kemball"
-			},
-			{
-				"name": "Jimmy Chen"
-			},
-			{
-				"name": "Andrew Shirk"
-			},
-			{
-				"name": "Zhengqi Yang"
-			},
-			{
-				"affiliation": "National Center for Supercomputing Applications",
-				"name": "Max Burnette"
-			},
-			{
-				"name": "Haotian Jiang"
-			},
-			{
-				"name": "Yilin Dong"
-			},
-			{
-				"name": "Uday Saraf"
-			},
-			{
-				"affiliation": "Boston University",
-				"name": "Michael Dietze"
-			},
-			{
-				"name": "Chris Black"
-			}
-		],
-		"language": "eng",
-		"license": {
-			"id": "NCSA"
+	"access_right": "open",
+	"creators": [{
+			"affiliation": "University of Illinois",
+			"name": "Scott Rohde"
 		},
-		"references": [
-			"LeBauer, D., Kooper, R., Mulrooney, P., Rohde, S., Wang, D., Long, S. P., & Dietze, M. C. (2018). BETYdb: a yield, trait, and ecosystem service database applied to second\u2010generation bioenergy feedstock production. GCB Bioenergy, 10(1), 61-71",
-			"LeBauer, David, Michael Dietze, Rob Kooper, Steven Long, Patrick Mulrooney, Gareth Scott Rohde, Dan Wang (2010). Biofuel Ecophysiological Traits and Yields Database (BETYdb), Energy Biosciences Institute, University of Illinois at Urbana-Champaign. doi:10.13012/J8H41PB9"
-		],
-		"notes": "Development of BETYdb is supported by the National Science Foundation (ABI #1062547, ABI #1458021),  the Department of Energy (ARPA-E awards #DE-AR0000594 and DE-AR0000598), and the Energy Biosciences Institute.",
-		"resource_type": {
-			"title": "Software",
-			"type": "software"
+		{
+			"name": "Carl Crott"
+		},
+		{
+			"affiliation": "University of Arizona",
+			"name": "David LeBauer"
+		},
+		{
+			"name": "Patrick Mulrooney"
+		},
+		{
+			"affiliation": "National Center for Supercomputing Applications",
+			"name": "Rob Kooper"
+		},
+		{
+			"name": "Jeremy Kemball"
+		},
+		{
+			"name": "Jimmy Chen"
+		},
+		{
+			"name": "Andrew Shirk"
+		},
+		{
+			"name": "Zhengqi Yang"
+		},
+		{
+			"affiliation": "National Center for Supercomputing Applications",
+			"name": "Max Burnette"
+		},
+		{
+			"name": "Haotian Jiang"
+		},
+		{
+			"name": "Yilin Dong"
+		},
+		{
+			"name": "Uday Saraf"
+		},
+		{
+			"affiliation": "Boston University",
+			"name": "Michael Dietze"
+		},
+		{
+			"name": "Chris Black"
 		}
+	],
+	"language": "eng",
+	"license": {
+		"id": "NCSA"
+	},
+	"references": [
+		"LeBauer, D., Kooper, R., Mulrooney, P., Rohde, S., Wang, D., Long, S. P., & Dietze, M. C. (2018). BETYdb: a yield, trait, and ecosystem service database applied to second\u2010generation bioenergy feedstock production. GCB Bioenergy, 10(1), 61-71",
+		"LeBauer, David, Michael Dietze, Rob Kooper, Steven Long, Patrick Mulrooney, Gareth Scott Rohde, Dan Wang (2010). Biofuel Ecophysiological Traits and Yields Database (BETYdb), Energy Biosciences Institute, University of Illinois at Urbana-Champaign. doi:10.13012/J8H41PB9"
+	],
+	"notes": "Development of BETYdb is supported by the National Science Foundation (ABI #1062547, ABI #1458021),  the Department of Energy (ARPA-E awards #DE-AR0000594 and DE-AR0000598), and the Energy Biosciences Institute.",
+	"resource_type": {
+		"title": "Software",
+		"type": "software"
 	}
 }

CHANGELOG.md

@@ -5,6 +5,16 @@ section for the next release.
 
 For more information about this file see also [Keep a Changelog](http://keepachangelog.com/) .
 
+## [5.1.0] - 2019-01-14
+
+### Fixes
+
+- #611 : could not close alerts
+- #585 : Pressing "Show" on the Covariates Edit page attempts an update
+- #621 : A fix for a critical vulnerability reported by Danny Rosseau at Carve Systems (www.carvesystems.com).
+- #596 : Crop Model Maps links are broken
+- #605 : Allow for keyless API access (using guestuser access)
+- #618 : Can not download results of search as csv
 
 ## [5.0.5] - 2018-10-23
 

app/assets/javascripts/application.js

@@ -17,5 +17,8 @@
 // defines showHide
 //= require min
 
+// enables close button in "alert" divs:
+//= require script
+
 //= require lazy/simple_search
 //= require lazy/application

app/controllers/covariates_controller.rb

@@ -31,6 +31,10 @@ def index
   def show
     @covariate = Covariate.find(params[:id])
 
+    if @covariate.trait.nil?
+      flash[:error] = 'This covariate is not associated with a trait!  Consider removing it.'
+    end
+
     respond_to do |format|
       format.html # show.html.erb
       format.xml  { render :xml => @covariate }

app/controllers/search_controller.rb

@@ -155,7 +155,7 @@ def index
         end
 
         str = header + @results.to_comma
-        send_data str, type: Mime::CSV,
+        send_data str, type: :csv,
         disposition: "attachment; filename=search_results.csv"
       end
       format.json  { render :json => @results }

app/models/bulk_upload_data_set.rb

@@ -1242,8 +1242,12 @@ def insert_data
           t.site_id = row['site_id']
 
           # Modify each Trait class instance so that date strings are
-          # interpreted as being in the time zone of the trait site
-          # (or UTC, if the trait site time_zone column is null)
+          # interpreted as being in the time zone of the trait site (or UTC, if
+          # the trait site time_zone column is null).  Note that in the Bulk
+          # Upload Wizard, the validation step will prevent reaching this code
+          # if a site without time zone is in the data file.  But nothing
+          # prevents a site without time zone from being specified
+          # interactively.
           class <<t
             def date=(value)
               date = Time.use_zone(Site.find(site_id).time_zone || 'UTC') do
@@ -1971,8 +1975,8 @@ def get_insertion_data
       # dates are assumed always to be accurate to the day:
       csv_row_as_hash["dateloc"] = 5
 
-      # bulk upload doesn't handles "date only" dates and dates with time to the
-      # second; determine which:
+      # bulk upload handles "date only" dates and dates with time to the
+      # second and no other cases; determine which:
       if csv_row_as_hash["date"].length == 19
         csv_row_as_hash["timeloc"] = 1
       elsif csv_row_as_hash["date"].length == 10

app/models/db_file.rb

@@ -32,6 +32,11 @@ def setup(user_id, upload, args = nil)
     self[:created_user_id] = user_id
     self[:updated_user_id] = user_id
     if upload # Uploaded file
+      # check to see it is a valid filename
+      if upload.original_filename.match(/^[a-zA-Z0-9._\-]+$/).nil?
+        raise("Invalid filename \"#{upload.original_filename}\"; filenames can only contain letters, numbers, periods, underscores, and dashes.")
+      end
+
       self[:file_name] =  upload.original_filename
       self[:md5] = Digest::MD5.file(upload.path).hexdigest
 

app/services/api_authentication_system.rb

@@ -1,9 +1,14 @@
+# coding: utf-8
 module ApiAuthenticationSystem
   include AuthenticatedSystem
 
   # Override default access_denied action.
   def access_denied
-    @errors = "authentication failed"
+    if @errors
+      @errors = "authentication failed: " + @errors
+    else
+      @errors = "authentication failed"
+    end
     render status: 401
   end
 
@@ -19,4 +24,23 @@ def permissions(action_name, resource)
     end
   end
 
+  # Override "login_from_api_key" so that if no key is given or the given key is
+  # invalid, the user is logged in as the guest user.
+  def login_from_api_key
+    key = params[:key]
+    if key.nil?
+      u = User.find_by_login('guestuser')
+      if u.nil?
+        @errors = "For key-less access to the API, you must set up the guest user account."
+      end
+    else
+      u = User.find_by_apikey(key)
+      if u.nil?
+        @errors = "Invalid API key.  To access the API as a guest user, omit the “key” parameter."
+      end
+    end
+
+    return u
+  end
+
 end

app/views/covariates/edit.html.erb

@@ -44,17 +44,14 @@
           <%= f.label :statname %><br />
           <%= f.select :statname, $statname_list %>
         </p>
-        <p>
-          <%= f.submit 'Update' %>
-        </p>
 
         <div class="form-actions">
           <div class="button-group">
             <%= link_to( covariates_path ) do %>
-              <button class="button"><i class="icon-arrow-left"></i> All Records</button>
+              <button class="button" type="button"><i class="icon-arrow-left"></i> All Records</button>
             <% end %>
             <%= link_to( @covariate ) do %>
-              <button class="button">Show</button>
+              <button class="button" type="button">Show</button>
             <% end %>
           </div>
           <div class="button-group pull-right">

app/views/covariates/show.html.erb

@@ -18,6 +18,7 @@
     <dd><%= @covariate.stat %></dd>
     <dt>Statname:</dt>
     <dd><%= @covariate.statname %></dd>
+    <% if @covariate.trait %>
     <dt>Associated Trait:</dt>
     <dd>
       <%= link_to_if @covariate.trait, @covariate.trait, @covariate.trait %>
@@ -32,6 +33,7 @@
     <dd><%= link_to_if @covariate.trait.specie, @covariate.trait.specie, @covariate.trait.specie %></dd>
     <dt>Citation:</dt>
     <dd><%= link_to_if @covariate.trait.citation, @covariate.trait.citation, @covariate.trait.citation %></dd>
+    <% end %>
   </dl>
 
 

config/initializers/assets.rb

@@ -17,6 +17,8 @@
   lazy/feedback.js
   lazy/autocomplete.js
   lazy/bulk_upload.js
+
+  mylibs/maps.js
  )
 
 Rails.application.config.assets.paths <<