Recent Posts

This blog post explains the requirements & implementation details of a secure route over which the tickets could be served in the Open Event Project (Eventyay). Eventyay is the Open Event management solution using standardized event formats developed at FOSSASIA. Sometimes, tickets of a user can be utilized in the process of fraudulent actions. To prevent this, security is of the utmost importance. Prior to this feature, anonymous/unauthorized users were able to access the tickets which belonged to another user with a simple link. There was no provision of any authentication check.  An additional problem with the tickets were the storage methodology where the tickets were stored in a top-level folder which was not protected. Therefore, there was a necessity to implement a flask route which could check if the user was authenticated, the ticket belonged to the authorized user/admin/organizer of the event and provide proper exceptions in other cases.  Ticket completion page with option to download tickets When the user places an order and it goes through successfully,the ticket is generated, stored in a protected folder and the user is redirected to the order completion page where they would be able to download their tickets. When the user clicks on the Download Tickets Button, the ticket_blueprint route is triggered. @ticket_blueprint.route('/tickets/<string:order_identifier>') @jwt_required def ticket_attendee_authorized(order_identifier): if current_user: try: order = Order.query.filter_by(identifier=order_identifier).first() except NoResultFound: return NotFoundError({'source': ''}, 'This ticket is not associated with any order').respond() if current_user.can_download_tickets(order): key = UPLOAD_PATHS['pdf']['tickets_all'].format(identifier=order_identifier) file_path = '../generated/tickets/{}/{}/'.format(key, generate_hash(key)) + order_identifier + '.pdf' try: return return_file('ticket', file_path, order_identifier) except FileNotFoundError: create_pdf_tickets_for_holder(order) return return_file('ticket', file_path, order_identifier) else: return ForbiddenError({'source': ''}, 'Unauthorized Access').respond() else: return ForbiddenError({'source': ''}, 'Authentication Required to access ticket').respond()                          tickets_route - the logic pertaining to security module for attendee tickets The function associated with the ticket downloads queries the Order model using the order identifier as a key. Then, it checks if the current authenticated user is either a staff member, the owner of the ticket or the organizer of the ticket. If it passes this check, the file path is generated and tickets are downloaded using the return_tickets function. In the return_tickets function, we utilize the send_file function imported from Flask and wrap it with flask’s make_response function. In addition to that, we attach headers to specify that it is an attachment and add an appropriate name to it. def return_file(file_name_prefix, file_path, identifier): response = make_response(send_file(file_path)) response.headers['Content-Disposition'] = 'attachment; filename=%s-%s.pdf' % (file_name_prefix, identifier) return response return_tickets function - sends the file as a make_response with appropriate headers When it comes to exception handling, at each stage whenever a ticket is not to be found while querying or the authentication check fails, a proper exception is thrown to the user. For example, at the step where an attempt is made to return the file using file path after authentication, if the tickets are NotFound, the tickets are generated on the fly.  def can_download_tickets(self, order): permissible_users = [holder.id for holder in order.ticket_holders] + [order.user.id] if self.is_staff or self.has_event_access(order.event.id) or self.id in permissible_users: return True return False can_download_tickets…

In the Neurolab-Android app, we have been using an Arduino board for development as a workaround to the actual Neurolab hardware which is currently in the manufacturing stages. Along with the Arduino, we use a Micro SD card module with an SD card attached containing a dataset file in it. This combination of the Arduino and the SD card module serves as the source of dataflow into the Android app. Firstly, we need to get the Arduino programmed for reading the dataset file from the SD card in the SD card module. We program the Arduino using the Arduino IDE on any desktop platform. 1. Import required libraries before starting off, namely the SPI and SD libraries for serial communication and SD card related functions respectively. Let us also set up some constant values which are going to be used in various parts of the code needed to program the Arduino for our required purpose. #include <SD.h> #include <SPI.h> int baudRate = 9600; int chipSelect = 4; String fileName = "Dataset1.csv"; The ‘chipSelect’ variable denotes the chip select pin number for the connected Micro SD card adapter (module). The baud rate for the Arduino board has been set to 9600 as a default. The dataset stored in the SD card from which the data needs to be read has been named “Dataset1”. 2. Next, we will need to initialize the SD card to check even if an SD card is inserted or not in the SD card module. We create a function for this purpose named ‘initializeSDCard’ in the following way: bool initializeSDCard() { if (!SD.begin(chipSelect)) { return false; } return true; } The function will return true if initialization was successful. An unsuccessful initialization may also be due to the fact of SD card corrupted apart from not being properly inserted into the module. 3. Now we will be opening the dataset file from the SD card, making it ready to be read from. File openTheFileFromSDCard(String fileName) { File file = SD.open(fileName); if (!file) { Serial.println("error opening: " + fileName); return file; } return file; } The function will take in the file name as an argument and open it from the SD card. If the file is not found in the SD card, it will simply print out an error message to the serial output. It returns the file object in a true or false context accordingly. 4. We are now going to read data from the dataset in the SD card line by line using a function. The dataset file instance is passed as an argument to this function. This file is read and transmitted over the serial output channel line by line with '\n' as the line delimiter, skipping null lines. void readFromSDCardToSerialOutputLineByLine(File file) { String line; while (file.available()) { line = file.readStringUntil('\n'); line.trim(); if (line != "") { Serial.println(line); } } Serial.println("Recorded"); file.close(); } This function will keep reading from the file untill it has nothing more i.e till the end of file. 5. Next,…

This blog post emphasizes on the feature of translation archiving and download routes. The Open Event Project, popularly known as Eventyay is an event management solution which provides a robust platform to manage events, schedules multi-track sessions and supports many other features. Prior to the actual implementation of this feature, a blueprint had to be registered in the flask app which handles the archiving and downloads logic for the translations. In addition, as this is only specific for administrators, the route had to be secured with access control. The access is controlled with the help of the is_admin decorator which checks if the user attempting to access the route is an admin.  from flask import send_file, Blueprint import shutil import uuid import tempfile import os from app.api.helpers.permissions import is_admin admin_blueprint = Blueprint('admin_blueprint', __name__, url_prefix='/v1/admin/content/translations/all') temp_dir = tempfile.gettempdir() translations_dir = 'app/translations' @admin_blueprint.route('/', methods=['GET']) @is_admin def download_translations(): """Admin Translations Downloads""" uuid_literal = uuid.uuid4() zip_file = "translations{}".format(uuid_literal) zip_file_ext = zip_file+'.zip' shutil.make_archive(zip_file, "zip", translations_dir) shutil.move(zip_file_ext, temp_dir) path_to_zip = os.path.join(temp_dir, zip_file_ext) from .helpers.tasks import delete_translations delete_translations.apply_async(kwargs={'zip_file_path': path_to_zip}, countdown=600) return send_file(path_to_zip, mimetype='application/zip', as_attachment=True, attachment_filename='translations.zip')                                                          Code Snippet - Translations archiving We utilize the shutil library to create archives of the specified directory which is the translations directory here. The directory file path which is to be archived must point to the folder with sub-directories of various language translations. We append a unique name generated by the UUID(Universally Unique Identifier) to the generated translations zip file. Also observe that the translations archive is saved to the temp folder. This is because the zip archive needs to be deleted after a certain amount of time. This time window mustn’t be too bounded as there might be multiple admins who might want to access these translations at the same time. Therefore, it is saved in the temp folder for 10 mins. import Controller from '@ember/controller'; import { action } from '@ember/object'; export default class extends Controller { isLoading = false; @action async translationsDownload() { this.set('isLoading', true); try { const result = this.loader.downloadFile('/admin/content/translations/all/'); const anchor = document.createElement('a'); anchor.style.display = 'none'; anchor.href = URL.createObjectURL(new Blob([result], { type: 'octet/stream' })); anchor.download = 'Translations.zip'; anchor.click(); this.notify.success(this.l10n.t('Translations Zip generated successfully.')); } catch (e) { console.warn(e); this.notify.error(this.l10n.t('Unexpected error occurred.')); } this.set('isLoading', false); } }                                            Code Snippet - Frontend logic for anchor downloads To make this work on all browsers, the frontend part handles the downloads via an action in the controller. The action translationsDownload is linked to the download button which uses the download method in the loader service to hit the specific route and fetch the resource intuitively. This is stored in a constant result. After this, an HTML anchor is created explicitly and its attribute values are updated. The href of the anchor is set to the result of the resource fetched using the loader service with a Blob.  Then a click action is triggered to download this file. As the loader service returns a Promise, we use an async function as the action to resolve it. In cases of failures, the notify service…