sachet-server/TODO.txt
2023-07-12 21:03:26 -04:00


[ ]: not started
[-]: in progress
[x]: done
[!]: wontfix
[?]: maybe
[x] authentication
[x] /users/login POST
[x] /users/logout POST
[x] /users/extend POST
[x] permissions
[x] change the db schema
[x] use a library for serializing classes
[x] permissions are:
- create file
- modify any file
- delete any file
- lock/unlock any file
no modification, no deletion
- list all files
- admin
doesn't imply other privileges directly,
but means you can set them to yourself
[x] /users/<user> GET
this endpoint will now contain permission data too
[x] /users/<user> PATCH
[x] /users/<user> PUT
we'll use these to set permissions
[x] make the "generic model api"
endpoints like /users/<id> and /admin/settings
that directly get/set models will inherit from this class
any authentication/permission logic belongs to the child classes
[x] make schemas members of their parent models
[x] settings endpoint
[x] initialize settings to defaults
[x] tests
[x] /admin/settings GET
[x] /admin/settings PATCH
[x] /admin/settings PUT
settings will set the default non-authenticated user's permissions
[x] linter
[x] file management backend
we want to abstract away the filesystem
[x] write todos for this entry
read, write, list
but how are we going to implement metadata and stuff?
are we going to use UUIDs?
hashing?
[x] create the module sachet.storage
[x] class Storage
generic storage
- get handle to file
- list files
[x] class File
- delete file
- r/w file
- read metadata
- write metadata
- rename file
our "real" classes will inherit from the Storage interface
and they will replace all the methods (and the File class)
[x] class FileSystem
just hook up Python's os filesystem to FileSystem
[x] rewrite tests
[x] class File
- create file and its associated metadata file
- delete file
- r/w file
- read metadata
- write metadata
- rename file
[x] file sharing
[x] Share model
[x] docstring
[x] auth_required: require certain permissions
metadata
[x] /files POST
client will post metadata as json
returns a 201 and sets the Location header to the created entry
depends on create file permission
[x] /files/<file> PUT
metadata update
[x] /files/<file> PATCH
metadata update
[x] /files/<file> GET
metadata get
[x] /files/<file> DELETE
deletes file
files
[x] /files/<file>/content POST
uploads file
[x] /files/<file>/content PUT
modifies file
[x] /files/<file>/content GET
downloads file, depends on read permission
[x] debugging
[x] testing
[x] metadata
[x] implement a filename for Share
[x] test filename
[x] test modification
[x] implement listing files
[x] split POST off ModelClass
one class will be for editing models themselves
other class, ModelListClass
POST creates a new Model
GET lists all models (paginated)
[x] implement ModelListClass GET (pagination!)
[x] implement anonymous permissions
[x] test adversarial conditions
[x] fix that one bug where sending a non-int page number causes 500
[x] write a test case to prevent it
[x] fix modification
supposedly users should only be able to modify their own pastes
locking
[x] add locked attribute to Share
[x] implement authorization to modify/delete
[x] implement changing lock/unlock state
setting a bool flag in /files/<file> PUT/PATCH/POST
has to be authorized, though
[!] access docstrings without starting up the webserver
https://stackoverflow.com/questions/18214612/how-to-access-app-config-in-a-blueprint
instead of importing app, import this
[x] database migrations
[x] database cleanup
move all the cleanup to a flask cmd
"delete where date < expiry"
[x] write in README about db cleanup and migrations
[x] implement chunked upload
[x] Upload model
does not have a REST API endpoint
[x] upload_id (primary key a.k.a. dzuuid)
[x] backref to Share
[x] list of Chunks
[x] datetime
[x] Chunk model
does not have a REST API endpoint
[x] id (autoincrement)
[x] index
[x] backref to Upload
[x] datetime
we will store chunks as individual files: share uuid + suffix
suffix is
- upload uuid (prevents race condition for two concurrent uploads)
- chunk index
[x] write tests for chunked upload
[?] write more rigorous tests
poke at the chunks themselves
what happens when you send chunks in a race condition,
at the wrong time, with the wrong permissions, etc?
[x] investigate why share_id is set to none
[x] clear out chunk files after they're used
[x] clear out files after they are deleted
[x] implement chunked download
[x] implement File.size
[x] write tests
[x] write test for Range
[x] implement HTTP 416
[x] write appropriate tests
[x] write periodic cleanup for crusty stale uploads and chunks
so right now the issue is that the chunk on_delete event isn't triggering
and we're leaving random files on the disk
[x] add /users API
[x] fix url for users (returned when posting)
[x] create test case
[x] add /users DELETE
[x] added test case
[x] add a note for this in the docs
[x] password change endpoint
[x] tests
[x] docs
[x] investigate "FOREIGN KEY constraint failed"
[x] investigate what happens when you change ownership of a share to a
non-existent user
add a note maybe to the docs
[x] add note about ownership transfers
[x] add note that setting owner to null allows anon users to own it
[x] make sure that reserved names like `login`, `renew` are actually necessary
right now we're only implementing them on the CLI interface
maybe it doesn't matter because we're using POST only for these
and users don't have POST
[x] if they're not necessary we'll tear out the safeguards
[x] also add a warning to related endpoints to be careful
[x] fix bug where users can modify other users' shares' metadata
[x] proper documentation
[x] use a linter on docstrings
[x] Authentication
[x] Paginated APIs
[x] Permissions
[x] User API
[x] url_for docs
[x] Admin API
[x] anon perms
[x] Files API
[x] metadata API
[x] list API
[x] url_for docs
[x] content API
[x] chunked upload protocol
[x] POST
[x] PUT
[x] GET
[x] lock API
(reference this in permissions)
(reference this in the files schema)
[x] cli
[x] getting started (dev)
[x] implement /whoami endpoint
[x] tests
[x] docs
[ ] investigate cleanup being in the user subcmd
[ ] investigate cleanup cmd triggering foreign key failure
[ ] if you create a new user without a required field it gives 500
[ ] if you create a new user with the same name as an existing one it gives 500
[ ] investigate if you can interfere with an upload by setting the same id
[ ] prod deployment config WSGI
[ ] write info about this in docs