Currently the upload endpoint reads the request stream which contains the package to upload and then asserts if the user has access to the channel. Depending on the size of the package this could mean that it could take a bit of time before Quetz responds with 403 status code.
|
@api_router.post( |
|
"/channels/{channel_name}/upload/{filename}", status_code=201, tags=["upload"] |
|
) |
|
async def post_upload( |
|
background_tasks: BackgroundTasks, |
|
request: Request, |
|
channel_name: str, |
|
filename: str, |
|
sha256: str, |
|
force: bool = False, |
|
dao: Dao = Depends(get_dao), |
|
auth: authorization.Rules = Depends(get_rules), |
|
): |
|
logger.debug( |
|
f"Uploading file {filename} with checksum {sha256} to channel {channel_name}" |
|
) |
|
|
|
upload_hash = hashlib.sha256() |
|
body = TemporaryFile() |
|
async for chunk in request.stream(): |
|
body.write(chunk) |
|
upload_hash.update(chunk) |
|
|
|
if sha256 and upload_hash.hexdigest() != sha256: |
|
raise HTTPException( |
|
status_code=status.HTTP_406_NOT_ACCEPTABLE, detail="Wrong SHA256 checksum" |
|
) |
|
|
|
# here we use the owner_id as user_id. In case the authentication |
|
# was done using an API Key, we want to attribute the uploaded package |
|
# to the owner of that API Key and not the anonymous API Key itself. |
|
user_id = auth.assert_owner() |
|
|
|
auth.assert_create_package(channel_name) |
Quetz should asserts the permissions to the channel before reading the package from the request body so it can fail early.
