CSCMETAX-394: [ADD] Remove sensitive fields (email, phone, telephone) from OAI-PMH api outputs

Hannu Kamarainen · Hannu Kamarainen · commit bb654a64fc3a · 2018-05-30T13:44:37.000+03:00
diff --git a/src/metax_api/api/oaipmh/base/metax_oai_server.py b/src/metax_api/api/oaipmh/base/metax_oai_server.py
@@ -204,6 +204,12 @@ def _get_oai_datacite_metadata(self, record):
 
     def _get_metadata_for_record(self, record, metadata_prefix):
         meta = {}
+
+        # strip sensitive fields from research_dataset. note: the modified research_dataset
+        # is placed back into the record's research_dataset -field. meaning, an accidental call
+        # of record.save() would overwrite the original data
+        # record.research_dataset = CRS.strip_catalog_record(record.research_dataset)
+
         if metadata_prefix == 'oai_dc':
             meta = self._get_oai_dc_metadata(record)
         elif metadata_prefix == 'oai_datacite':
diff --git a/src/metax_api/tests/api/oaipmh/minimal_api.py b/src/metax_api/tests/api/oaipmh/minimal_api.py
@@ -231,3 +231,33 @@ def test_get_oai_dc_metadata(self):
         self.assertTrue('identifier' in md)
         self.assertTrue('title' in md)
         self.assertTrue('lang' in md['title'][0])
+
+    def test_sensitive_fields_are_removed(self):
+        """
+        Ensure some sensitive fields are never present in output of OAI-PMH apis
+        """
+
+        def _check_fields(content):
+            """
+            Verify sensitive fields are not in the content
+            """
+            for sensitive_field in ['email', 'telephone', 'phone']:
+                self.assertEqual(sensitive_field not in str(content), True,
+                    'field %s should have been stripped' % sensitive_field)
+
+        # setup some records to have sensitive fields
+        for cr in CatalogRecord.objects.filter(pk__in=(1, 2, 3)):
+            cr.research_dataset['curator'][0].update({
+                'email': 'email@mail.com',
+                'phone': '123124',
+                'telephone': '123124',
+            })
+            cr.force_save()
+
+        response = self.client.get('/oai/?verb=GetRecord&identifier=%s&metadataPrefix=oai_dc' % self.identifier)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        _check_fields(response.content)
+
+        response = self.client.get('/oai/?verb=GetRecord&identifier=%s&metadataPrefix=oai_datacite' % self.identifier)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        _check_fields(response.content)
