Merge pull request #264 from CSCfi/CSCMETAX-394-remove-sensitive-data-in-oai-pmh

CSCMETAX-394: [ADD] Remove sensitive fields (email, phone, telephone)…

Author: junsk1

src/metax_api/api/oaipmh/base/metax_oai_server.py

@@ -204,6 +204,12 @@ def _get_oai_datacite_metadata(self, record):
 
     def _get_metadata_for_record(self, record, metadata_prefix):
         meta = {}
+
+        # strip sensitive fields from research_dataset. note: the modified research_dataset
+        # is placed back into the record's research_dataset -field. meaning, an accidental call
+        # of record.save() would overwrite the original data
+        record.research_dataset = CRS.strip_catalog_record(record.research_dataset)
+
         if metadata_prefix == 'oai_dc':
             meta = self._get_oai_dc_metadata(record)
         elif metadata_prefix == 'oai_datacite':

src/metax_api/tests/api/oaipmh/minimal_api.py

@@ -231,3 +231,35 @@ def test_get_oai_dc_metadata(self):
         self.assertTrue('identifier' in md)
         self.assertTrue('title' in md)
         self.assertTrue('lang' in md['title'][0])
+
+    def test_sensitive_fields_are_removed(self):
+        """
+        Ensure some sensitive fields are never present in output of OAI-PMH apis
+        """
+        sensitive_field_values = [ '[email protected]', '999-123-123', '999-456-456' ]
+
+        def _check_fields(content):
+            """
+            Verify sensitive fields values are not in the content. Checking for field value, instead
+            of field name, since the field names might be different in Datacite etc other formats.
+            """
+            for sensitive_field_value in sensitive_field_values:
+                self.assertEqual(sensitive_field_value not in str(content), True,
+                    'field %s should have been stripped' % sensitive_field_value)
+
+        # setup some records to have sensitive fields
+        for cr in CatalogRecord.objects.filter(pk__in=(1, 2, 3)):
+            cr.research_dataset['curator'][0].update({
+                'email': sensitive_field_values[0],
+                'phone': sensitive_field_values[1],
+                'telephone': sensitive_field_values[2],
+            })
+            cr.force_save()
+
+        response = self.client.get('/oai/?verb=GetRecord&identifier=%s&metadataPrefix=oai_dc' % self.identifier)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        _check_fields(response.content)
+
+        response = self.client.get('/oai/?verb=GetRecord&identifier=%s&metadataPrefix=oai_datacite' % self.identifier)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        _check_fields(response.content)