static notebooks

[saroele]

Would be nice to have a few notebooks on the page. They often group analyses for different devices and give an nice overview of different use cases. Could also be a simple way to share some results in development mode on the site.

I'm thinking of:

• a page with overview of the notebooks (links)
• for each link: the notebook is opened (in a separate tab?)

Maybe something for next developer meeting too.

[WolfBerwouts]

A simple implementation in #88. Exports of notebooks can be dropped in static/sandbox and will be visible for everybody.

Can be extended in the future.

[JrtPec]

I have fixed the conflicts in #88 and merged, so the sandbox is ready for deployment on the server. However, right now it will only work with files that are put on the server directly, so you'd have to use scp to upload them. How about adding an upload button in flask? I think I have some sample code lying around somewhere.

[WolfBerwouts]

Should be done with much care. Very dangerous if someone can upload malicious code directly on the server. I would not recommend.

[JrtPec]

You're right, but this is not PHP. I'm pretty sure Flask has this covered. We will treat the file as unsafe and upload to a specific folder, than serve it as-is back to the browser. It will never be treated as runnable code.

[JrtPec]

It is also fairly easy to put a check on the extension. We'll only allow images and html.

[JrtPec]

I have made a simple upload box that saves files to the sandbox folder, it is in the manual-notebook-results branch. I did some research to make sure there is no possibility of code injection, and I'm pretty confident that it is secure. The content of a file is never evaluated (and never treated as safe), the file name is escaped by secure_filename which removes stuff like ../../test.png, so a file is only saved in the folder we specify. I have also added a restriction on the extension (only images, pdf and html).

Check it out, I think it's pretty nice.

Restrictions: There is no check on duplicate file names, so it will just overwrite if you upload something with the same name. You cannot delete files. We could also add a small form for the author and a small description.

[saroele]

I won't have time to check anything the coming 10 days. Jan, Wolf, feel free to deploy! Op 24 mrt. 2016 16:36 schreef "Jan Pecinovsky" notifications@github.com:

I have made a simple upload box that saves files to the sandbox folder, it is in the manual-notebook-results branch. I did some research to make sure there is no possibility of code injection, and I'm pretty confident that it is secure. The content of a file is never evaluated (and never treated as safe), the file name is escaped by secure_filename which removes stuff like ../../test.png, so a file is only saved in the folder we specify. I have also added a restriction on the extension (only images, pdf and html).

Check it out, I think it's pretty nice.

Restrictions: There is no check on duplicate file names, so it will just overwrite if you upload something with the same name. You cannot delete files. We could also add a small form for the author and a small description.

— You are receiving this because you authored the thread. Reply to this email directly or view it on GitHub https://github.com/opengridcc/website/issues/79#issuecomment-200890349

[JrtPec]

Accessing the sandbox now requires that you are logged in and are an OpenGrid contributor, so I think we're good :-)

[saroele]

I really love the sandbox :-) We can probably close this issue, unless we keep it open for tweaking the sandbox (like a small form for author and description). To be discussed next dev meeting

[JrtPec]

I would like to a function that either doesn’t allow you to upload a file with a name that already exists, or adds a suffix in that case, because right now it is too easy to accidentally overwrite existing files.

A box for author and description would require a database, which is something on our to do list, but it is quite a large development.

[JrtPec]

I have made it so it is impossible to upload a file if the file name already exists, so we won't have accidental overwrites.