Feature/pbs 25 13 (#11253)

* handle django core validation error in drf view

* add unit tests

* add registration_word for registration provider

* [ENG-8290] Allow collection search POST with token scope (#11201)

Purpose

Add scope for POST collection search

* [ENG-8247] Ability to delete draft preprints from database (#11191)

## Purpose
User should be able to delete draft preprints, so that we don't save them in database

## Changes
Added `delete` method.
User can delete a preprint only if it's in initial state, so it means this preprint is a draft

## Ticket
https://openscience.atlassian.net/browse/ENG-8247

* [ENG-8193] Fix issues with Preprint submission via API (#11185)

## Purpose
handle django core ValidationError in drf view

## Ticket
https://openscience.atlassian.net/browse/ENG-8193

* [ENG-8192] Ability to force archive registrations when OSFS Folders have changed (#11194)

## Purpose
fix force archive for some actions

## Changes
- divide revert_log_actions into separate functions
- include trashed children when build a file tree
- add additional retrieval logic for osf_storage_folder_created and osf_storage_file_removed
- add generic retrieval fallback

## Ticket
https://openscience.atlassian.net/browse/ENG-8192

* add additional information to user admin (#11184)

## Purpose
add more information to user admin

## Changes
Added fields:
- id
- Deactivation request
- Change password last attempt
- Change password invalid attempts
- Socials
- User is staff
- Groups

Added dates to:
- Disabled
- Registered
- Confirmed

## Ticket
https://openscience.atlassian.net/browse/ENG-8190

* upgrade django to 4.2.17 (#11173)

## Purpose
Because Django 4.2.15 version has a vulnerability, it was upgraded to 4.2.17

## Changes
Updated pyproject.toml and lock file

## Ticket
https://openscience.atlassian.net/browse/ENG-8176

* added retry to avoid race condition (#11179)

## Purpose

User received an email of archive failure regardless of it was successful. It may happen because `archive_success` is run asynchronously

https://github.com/CenterForOpenScience/osf.io/blob/2328dd60f55e9c1281dcb29dcd45a78a7fd2cc5f/website/archiver/listeners.py#L33-L49

and may be finished before the main thread finishes archiving process. So at first `archive_success` is processed and no files found, thus email is sent, then the main thread finishes files processing and this archiving is successful actually.
Also it's possible that the celery queue had too many tasks to process and when the main thread finishes archiving, user sees his registration and when celery processes `archive_success` tasks that fails, user receives this email.

## Changes
Added a one-time retry.

## Ticket
https://openscience.atlassian.net/browse/ENG-8175?atlOrigin=eyJpIjoiMjg4MWM1YWI1ZTE3NDMyZmEyODk2Y2QxZjlhNjFlOGQiLCJwIjoiaiJ9

* [ENG-8096] Admins on projects are unable to reject user access requests (#11163)

## Purpose
Add default value when reject access request

## Ticket
https://openscience.atlassian.net/browse/ENG-8096

* fix content overflow for node page (#11182)

## Purpose
fix content overflow on the node admin page

## Ticket
https://openscience.atlassian.net/browse/ENG-8063

* don't add multiple group perms for preprint provider (#11159)

## Purpose
don't add multiple group perms for preprint provider

## Changes
- check if user already belongs to some provider group
- change checkbox to radio select

## Ticket
https://openscience.atlassian.net/browse/ENG-8016

* fixed children/parent fields in admin templates (#11156)

## Purpose

Admin templates used nonexistent fields to display children and parent of a node (potentially new fields were added but the old fields weren't replaced by new ones). The templates used `parent` and `children` fields. However an endpoint that adds children and parent to a node uses fields `descendants` (or through `NodeRelation` using `get_nodes` method) and `parent_node` property through `_parents` field

## Changes

Use correct fields

## Notes

Deletion of children nodes that are displayed now is broken. Together with Mark decided to create a separate ticket for this issue

## Ticket

https://openscience.atlassian.net/browse/ENG-7969

* [ENG-7962] Fix User Setting Response Payload async mailchimp perference change issues (#11136)

## Purpose
Correct issues where PATCH responses wouldn't show preferences as updated due to async mailchimp task execution. Overrides instance model to return changed value, even though db value is unchanged until mailchimp confirms.

## Changes
- adds special case for returning desired value synchronously 
- removes `update_osf_help_mails_subscription` because it's not used, but tested.
- adds test cases

## Ticket
https://openscience.atlassian.net/browse/ENG-7962

* improved displaying of stashed urls and approval state in admin (#11193)

## Purpose
Admins feel discomfort while looking for tokens in stashed urls and approval state fields on a registration page in admin

## Changes
Format fields in a json-like way

## Ticket
https://openscience.atlassian.net/browse/ENG-6614?atlOrigin=eyJpIjoiMTdkMTM0YzBmNjljNDcxYTkxNjYzZDRjYTY3NjEyODMiLCJwIjoiaiJ9

* [ENG-5862] SPAM - Fix Wiki Spamming (#11171)

<!-- Before submit your Pull Request, make sure you picked
     the right branch:

     - For hotfixes, select "master" as the target branch
     - For new features, select "develop" as the target branch
     - For release feature fixes, select the relevant release branch (release/X.Y.Z) as the target branch -->

## Purpose
verify if spammy domains are detected

## Changes
- merge check_resource_for_domains_postcommit and check_resource_with_spam_services tasks to avoid race condition
- compare note to value not enum
- log detected domains to sentry

## QA Notes
You can test it with domain [xakw1.com](https://admin.staging3.osf.io/admin/osf/notabledomain/1180/change/?_changelist_filters=q%3Dxakw1.com) on staging3. Currently project won't be banned with this domain, regardless of whether it's public or not.

## Ticket
https://openscience.atlassian.net/browse/ENG-5862

* switch to new UI when user views draft registration file (#11144)

## Purpose
Throughout registration creation user can view attached files. However `resolve_guid` doesn't handle this case and renders the legacy UI that shows error because `get_rdf_type` raises `NotImplementedError`. So this case has no be handled by ember. However when we switch to the new UI, we get `draftnode is not a supported target type`. Also there will be some work for FE because for now ember relies on `node` relationship that draft node/registration don't have. Taking into account Futa's words, it's an unusual flow for ember

## Changes
Added redirect to ember, updated `view_map` that referenced to the non-existing view `draft_nodes:node-detail` to use `draft_nodes:draft-node-detail` view

## Notes
1. I'm not confident that `draft-node` key is still used in `view_map`. From the `resolve` method of `TargetField` I see that keys are either model name in lowercase or `referent._name` that I couldn't find how is created (maybe automatically). However if it existed, there would be some errors that this view does not exist. So I left both keys but with the correct view name. In case you know the answer, I can remove the original key and leave only the correct one

## Ticket
https://openscience.atlassian.net/jira/software/c/projects/ENG/boards/145?selectedIssue=ENG-5810

* [ENG-7929] Ability to move registrations to draft state (#11153)

## Purpose
Admins should be able to revert registration to draft state for the support purposes

## Changes
Added functionality to revert registration back to draft state
Added a button in admin to revert a registration
Added tests

## Notes:
Currently we are discussing with Mark what to do with a registration after admin reverts it, so this ticket cannot be merged. The issue is that when admin reverts registration, it's still displayed for admin, just with deletion date and when user re-registers a draft, the system creates a new registration and the draft is linked to this newest version and admin sees both registrations. So if admin tries to revert the previous version, he'll get an error because the version doesn't have the linked draft. What I've suggested:
1. Fully delete previous registered version so that you won't be able to see it in admin. In this way if the registered version had guid 123ab and user registered the restored draft again, the draft would have another registration with another guid, like 999ss . Basically for user it'll be the same registration, just with another url to access it
2. Add another (or the same) hint for Revert to Draft button that you can't revert this previous version (the easiest solution)
3. One more solution, that I think will be the most complicated between these three, is that we can try to save the guid of an original registered version and whenever admin reverts registration and user registers it again from the same draft, we assign the saved guid to a new registration

**DECISION**:
Option 2 is the most reliable. In case we want #1 or #3 behavior, a new ticket will be created

## Ticket
https://openscience.atlassian.net/browse/ENG-7929

* added a route to download node metadata (#11215)

## Purpose
So right now, our firewall rules aren't advanced enough to be able to let requests from `/<guid>/metadata` go through to osf on staging4. Instead, we have to start with a stable string, and do the dynamic part afterward, hence doing `/metadata/<guid>/`  which we can match with `/metadata/*` in the firewall.

## Changes
Added a corresponding route

## Ticket
https://openscience.atlassian.net/browse/ENG-8261

* add exception handling to /review_actions/ endpoint

* [ENG-8246] Fixed deletion of maintenance alerts in admin (#11226)

What

When you try to delete the active maintenance banner from the admin app, it 502s. The traceback says that there is no url to redirect to and to provide a success url. 

Acceptance Criteria

A user will be able to add a maintenance banner and then delete it. When the banner is added, it will show on the OSF dashboard page (among other places). When deleted, it will no longer show.

* [ENG-8325] Public column does not display the visibility status of child nodes on the Nodes page in the Admin App

Public column does not display the visibility status of child nodes on the Nodes page in the Admin App

* API: Allow /v2/users/me/preprints list view to filter by title

Allow the User Preprints endpoint (/v2/users/me/preprints) to be filterable by title (?filter[title]=example), similar to how the User Nodes endpoint (/v2/users/me/nodes) supports this filter capability

* [ENG-8224] Fixed force archive template with registration addons (#11210)

Enable Product Team to Force Archive Registrations in the Admin App

* add brand relationship to collectionprovider

* Add collections scopes to FULL_READ and FULL_WRITE

* [ENG-8936] API: Allow /v2/users/me/preprints list view to filter by tags (#11232)

* fix categories for sendgrid emails (#11236)

* [ENG-8401] Fixed preprint downloading (#11238)

* fixed preprint downloading

* fixed nonetype

* [ENG-8216] Fixed children deletion on a node page in admin (#11237)

* field children deletion in admin

* improved performance and removed unused attributes

* [ENG-7979] Registrations pending moderation that have components also pending moderation do not display the children (#11222)

* show only public nodes for non-authorized users in the node queryset

* add custom filters to can_view(); include pending nodes for moderators in get_node_count()

* add test

* added academiaInstitution in social-schema, fixed True value of 'ongoing', fixed/added tests (#11239)

## Purpose
V2 API doesn't allow setting `True` value for `ongoing` property in employment/education tabs and set `academiaInstitution` property in social tab

## Changes
Added `academiaInstitution` field in social-schema
Fixed ignored required properties for `ongoing` property in employment/education-schema files
Added new tests and fixed the old ones

## QA Notes
Can be tested only via API
Updates can be viewed in user settings

## Ticket
https://openscience.atlassian.net/browse/ENG-8455

* [ENG-8401] Earlier preprint versions download the current file (#11245)

* fixed earlier version download the newest version file

* fixed tests

* [ENG-8462]  Institution setup fixes (#11241)

* create monthly reports when institution is created

* better exception handling; async generate report

* fix test

* handle deactivated institutions; minor fixes

* [Reopen] [ENG-8192] Ability to force archive registrations when OSF Folders have changed (#11247)

* break force_archive into logical parts; support trashed children

* add unit tests; minor fixes

* fix name collisions issue and general fallback

* add test

* minor fixes

---------

Co-authored-by: Anton Krytskyi <[email protected]>
Co-authored-by: ihorsokhanexoft <[email protected]>
Co-authored-by: John Tordoff <[email protected]>
Co-authored-by: futa-ikeda <[email protected]>

Author: 5 people

addons/base/views.py

@@ -1006,13 +1006,17 @@ def persistent_file_download(auth, **kwargs):
     file = BaseFileNode.active.filter(_id=id_or_guid).first()
     if not file:
         guid = Guid.load(id_or_guid)
-        if guid:
-            file = guid.referent
-        else:
+        if not guid:
             raise HTTPError(http_status.HTTP_404_NOT_FOUND, data={
                 'message_short': 'File Not Found',
                 'message_long': 'The requested file could not be found.'
             })
+
+        file = guid.referent
+        if type(file) is Preprint:
+            referent, _ = Guid.load_referent(id_or_guid)
+            file = referent.primary_file
+
     if not file.is_file:
         raise HTTPError(http_status.HTTP_400_BAD_REQUEST, data={
             'message_long': 'Downloading folders is not permitted.'

admin/institutions/urls.py

@@ -9,6 +9,7 @@
     re_path(r'^import/$', views.ImportInstitution.as_view(), name='import'),
     re_path(r'^(?P<institution_id>[0-9]+)/$', views.InstitutionDetail.as_view(), name='detail'),
     re_path(r'^(?P<institution_id>[0-9]+)/export/$', views.InstitutionExport.as_view(), name='export'),
+    re_path(r'^(?P<institution_id>[0-9]+)/monthly_report/$', views.InstitutionMonthlyReporterDo.as_view(), name='monthly_report'),
     re_path(r'^(?P<institution_id>[0-9]+)/delete/$', views.DeleteInstitution.as_view(), name='delete'),
     re_path(r'^(?P<institution_id>[0-9]+)/deactivate/$', views.DeactivateInstitution.as_view(), name='deactivate'),
     re_path(r'^(?P<institution_id>[0-9]+)/reactivate/$', views.ReactivateInstitution.as_view(), name='reactivate'),

admin/institutions/views.py

@@ -1,4 +1,5 @@
 import json
+from dateutil.parser import isoparse
 
 from django.contrib import messages
 from django.contrib.auth.mixins import PermissionRequiredMixin
@@ -15,6 +16,9 @@
 from admin.base.forms import ImportFileForm
 from admin.institutions.forms import InstitutionForm, InstitutionalMetricsAdminRegisterForm
 from osf.models import Institution, Node, OSFUser
+from osf.metrics.utils import YearMonth
+from osf.metrics.reporters import AllMonthlyReporters
+from osf.management.commands.monthly_reporters_go import monthly_reporter_do
 
 
 class InstitutionList(PermissionRequiredMixin, ListView):
@@ -129,6 +133,38 @@ def get(self, request, *args, **kwargs):
         return response
 
 
+class InstitutionMonthlyReporterDo(PermissionRequiredMixin, View):
+    permission_required = 'osf.view_institution'
+    raise_exception = True
+
+    def post(self, request, *args, **kwargs):
+        institution_id = self.kwargs.get('institution_id')
+        try:
+            institution = Institution.objects.get_all_institutions().get(id=institution_id)
+        except Institution.DoesNotExist:
+            raise Http404(f"Institution with id {institution_id} is not found or deactivated.")
+
+        monthly_report_date = request.POST.get('monthly_report_date', None)
+        if monthly_report_date:
+            try:
+                monthly_report_date = isoparse(monthly_report_date).date()
+            except ValueError as exc:
+                messages.error(request, str(exc))
+                return redirect('institutions:detail', institution_id=institution.id)
+        else:
+            messages.error(request, 'Report date cannot be none.')
+            return redirect('institutions:detail', institution_id=institution.id)
+
+        monthly_reporter_do.apply_async(kwargs={
+            'yearmonth': str(YearMonth.from_date(monthly_report_date)),
+            'reporter_key': request.POST.get('monthly_reporter', None),
+            'report_kwargs': {'institution_pk': institution.id},
+        })
+
+        messages.success(request, 'Monthly reporter successfully went.')
+        return redirect('institutions:detail', institution_id=institution.id)
+
+
 class CreateInstitution(PermissionRequiredMixin, CreateView):
     permission_required = 'osf.change_institution'
     raise_exception = True
@@ -141,6 +177,18 @@ def get_context_data(self, *args, **kwargs):
         kwargs['import_form'] = ImportFileForm()
         return super().get_context_data(*args, **kwargs)
 
+    def form_valid(self, form):
+        response = super().form_valid(form)
+
+        # Make a report after Institution is created
+        monthly_reporter_do.apply_async(kwargs={
+            'yearmonth': str(YearMonth.from_date(self.object.created)),
+            'reporter_key': AllMonthlyReporters.INSTITUTIONAL_SUMMARY.name,
+            'report_kwargs': {'institution_pk': self.object.id},
+        })
+
+        return response
+
 
 class InstitutionNodeList(PermissionRequiredMixin, ListView):
     template_name = 'institutions/node_list.html'

admin/maintenance/views.py

@@ -6,6 +6,7 @@
 from admin.maintenance.forms import MaintenanceForm
 
 from django.shortcuts import redirect
+from django.urls import reverse_lazy
 from django.forms.models import model_to_dict
 from django.views.generic import DeleteView, TemplateView
 from django.contrib.auth.mixins import PermissionRequiredMixin
@@ -15,11 +16,13 @@ class DeleteMaintenance(PermissionRequiredMixin, DeleteView):
     permission_required = 'osf.delete_maintenancestate'
     raise_exception = True
     template_name = 'maintenance/delete_maintenance.html'
+    success_url = reverse_lazy('maintenance:display')
 
     def get_object(self, queryset=None):
         return MaintenanceState.objects.first()
 
-    def delete(self, request, *args, **kwargs):
+    def post(self, request, *args, **kwargs):
+        super().post(request, *args, **kwargs)
         maintenance.unset_maintenance()
         return redirect('maintenance:display')
 

admin/management/views.py

@@ -130,6 +130,7 @@ def post(self, request, *args, **kwargs):
                 if report_date is not None
                 else ''
             ),
+            reporter_key=request.POST.get('monthly_reporter', '')
         )
 
         if errors:

admin/nodes/urls.py

@@ -45,4 +45,5 @@
     re_path(r'^(?P<guid>[a-z0-9]+)/remove_notifications/$', views.NodeRemoveNotificationView.as_view(), name='node-remove-notifications'),
     re_path(r'^(?P<guid>[a-z0-9]+)/update_moderation_state/$', views.NodeUpdateModerationStateView.as_view(), name='node-update-mod-state'),
     re_path(r'^(?P<guid>[a-z0-9]+)/resync_datacite/$', views.NodeResyncDataCiteView.as_view(), name='resync-datacite'),
+    re_path(r'^(?P<guid>[a-z0-9]+)/revert/$', views.NodeRevertToDraft.as_view(), name='revert-to-draft'),
 ]

admin/nodes/views.py

@@ -14,7 +14,6 @@
     View,
     FormView,
     ListView,
-    TemplateView,
 )
 from django.shortcuts import redirect, reverse, get_object_or_404
 from django.urls import reverse_lazy
@@ -102,11 +101,16 @@ def get_context_data(self, **kwargs):
         node = self.get_object()
 
         detailed_duplicates = detect_duplicate_notifications(node_id=node.id)
-
+        children = node.get_nodes(is_node_link=False)
+        # Annotate guid because django templates prohibit accessing attributes that start with underscores
+        children = AbstractNode.objects.filter(
+            id__in=[child.id for child in children]
+        ).prefetch_related('guids').annotate(guid=F('guids___id'))
         context.update({
             'SPAM_STATUS': SpamStatus,
             'STORAGE_LIMITS': settings.StorageLimits,
             'node': node,
+            'children': children,
             'duplicates': detailed_duplicates
         })
 
@@ -193,10 +197,9 @@ def add_contributor_removed_log(self, node, user):
         ).save()
 
 
-class NodeDeleteView(NodeMixin, TemplateView):
+class NodeDeleteView(NodeMixin, View):
     """ Allows authorized users to mark nodes as deleted.
     """
-    template_name = 'nodes/remove_node.html'
     permission_required = ('osf.view_node', 'osf.delete_node')
     raise_exception = True
 
@@ -761,7 +764,7 @@ def post(self, request, *args, **kwargs):
 
         allow_unconfigured = force_archive_params.get('allow_unconfigured', False)
 
-        addons = set(force_archive_params.getlist('addons', []))
+        addons = set(registration.registered_from.get_addon_names())
         addons.update(DEFAULT_PERMISSIBLE_ADDONS)
 
         try:
@@ -780,8 +783,8 @@ def post(self, request, *args, **kwargs):
                     registration,
                     permissible_addons=addons,
                     allow_unconfigured=allow_unconfigured,
-                    skip_collision=skip_collision,
-                    delete_collision=delete_collision,
+                    skip_collisions=skip_collision,
+                    delete_collisions=delete_collision,
                 )
                 messages.success(request, 'Registration archive process has finished.')
             except Exception as exc:
@@ -800,3 +803,12 @@ def post(self, request, *args, **kwargs):
         registration = self.get_object()
         registration.request_identifier_update('doi', create=True)
         return redirect(self.get_success_url())
+
+
+class NodeRevertToDraft(NodeMixin, View):
+    permission_required = 'osf.change_node'
+
+    def post(self, request, *args, **kwargs):
+        registration = self.get_object()
+        registration.to_draft()
+        return redirect(self.get_success_url())

admin/preprint_providers/forms.py

@@ -116,10 +116,10 @@ def __init__(self, *args, provider_groups=None, **kwargs):
         super().__init__(*args, **kwargs)
 
         provider_groups = provider_groups or Group.objects.none()
-        self.fields['group_perms'] = forms.ModelMultipleChoiceField(
+        self.fields['group_perms'] = forms.ModelChoiceField(
             queryset=provider_groups,
             required=False,
-            widget=forms.CheckboxSelectMultiple
+            widget=forms.RadioSelect
         )
 
     user_id = forms.CharField(required=True, max_length=5, min_length=5)

admin/preprint_providers/views.py

@@ -481,10 +481,14 @@ def form_valid(self, form):
         if not osf_user:
             raise Http404(f'OSF user with id "{user_id}" not found. Please double check.')
 
-        for group in form.cleaned_data.get('group_perms'):
-            self.target_provider.add_to_group(osf_user, group)
+        if osf_user.has_groups(self.target_provider.group_names):
+            messages.error(self.request, f'User with guid: {user_id} is already a moderator or admin')
+            return super().form_invalid(form)
 
+        group = form.cleaned_data.get('group_perms')
+        self.target_provider.add_to_group(osf_user, group)
         osf_user.save()
+
         messages.success(self.request, f'Permissions update successful for OSF User {osf_user.username}!')
         return super().form_valid(form)
 

admin/providers/views.py

@@ -29,8 +29,7 @@ def post(self, request, *args, **kwargs):
             messages.error(request, f'User for guid: {data["add-moderators-form"][0]} could not be found')
             return redirect(f'{self.url_namespace}:add_admin_or_moderator', provider_id=provider.id)
 
-        groups = [provider.format_group(name) for name in provider.groups.keys()]
-        if target_user.has_groups(groups):
+        if target_user.has_groups(provider.group_names):
             messages.error(request, f'User with guid: {data["add-moderators-form"][0]} is already a moderator or admin')
             return redirect(f'{self.url_namespace}:add_admin_or_moderator', provider_id=provider.id)