Remove API Key form user profile

[voogt]

• Remove generation of API Key from user profile

[gubuntu]

access via the API is a requirement so there must still be a way to get a key - think about and propose a solution here and discuss with client too before implementing

[voogt]

Hi @gubuntu I'm referring to this bit here If you generate an api key on your profile you are free to upload files and bypass any restrictions using ckan's api. If I remove this bit from the profile users are still able to upload resources to datasets but they cant use ckan's api as described in this documentation https://docs.ckan.org/en/2.9/maintaining/filestore.html#filestore-api

[voogt]

@gubuntu what was the original requirement for use of the API key?

[gubuntu]

RF24 and 29 https://github.com/kartoza/ckanext-dalrrd-emc-dcpr/wiki/Functional-Requirements and see the requirements and design docs for more details.

So I think only users with insert and update permissions in the first place should be able to generate and use a key

[voogt]

Update Filestorage API security

[voogt]

file check is added for the following types to not allow upload:

• "text/html",
• "application/java",
• "application/java-byte-code",
• "application/x-javascript",
• "application/javascript",
• "application/ecmascript",
• "text/javascript",
• "text/ecmascript",
• "application/octet-stream",
• "text/x-server-parsed-html",
• "text/x-server-parsed-html"

[voogt]

• Test new security updates