From 8bb7aa9dd14c94a607adc49862cc65e04b78154a Mon Sep 17 00:00:00 2001
From: Sasha Ames
Date: Thu, 22 Sep 2022 18:16:11 -0700
Subject: [PATCH] for now whitelist citations to only the DRKZ server (#474)
* for now whitelist citations to only the DRKZ server
* fix isort, test code
* fix assert
---
 backend/metagrid/api_proxy/tests/test_views.py | 7 +++++++
 backend/metagrid/api_proxy/views.py | 7 +++++++
 2 files changed, 14 insertions(+)
diff --git a/backend/metagrid/api_proxy/tests/test_views.py b/backend/metagrid/api_proxy/tests/test_views.py
index 90df90027..3902e688e 100644
--- a/backend/metagrid/api_proxy/tests/test_views.py
+++ b/backend/metagrid/api_proxy/tests/test_views.py
@@ -33,3 +33,10 @@ def test_citation(self):
 response = self.client.post(url, jo, format="json")
 assert response.status_code == status.HTTP_200_OK
+
+ jo = {
+ "citurl": "https://aims4.llnl.gov/WDCC/meta/CMIP6/CMIP6.CMIP.IPSL.IPSL-CM6A-LR.abrupt-4xCO2.r12i1p1f1.Amon.n2oglobal.gr.v20191003.json"
+ }
+
+ response = self.client.post(url, jo, format="json")
+ assert response.status_code != status.HTTP_200_OK
diff --git a/backend/metagrid/api_proxy/views.py b/backend/metagrid/api_proxy/views.py
index 87399424d..0ffb77d9c 100644
--- a/backend/metagrid/api_proxy/views.py
+++ b/backend/metagrid/api_proxy/views.py
@@ -1,4 +1,5 @@
 import json
+from urllib.parse import urlparse
 import requests
 from django.http import HttpResponse, HttpResponseBadRequest
@@ -27,6 +28,12 @@ def do_citation(request):
 return HttpResponseBadRequest()
 url = jo["citurl"]
+
+ parsed_url = urlparse(url)
+
+ if not parsed_url.hostname == "cera-www.dkrz.de":
+ return HttpResponseBadRequest()
+
 try:
 resp = requests.get(url)
 except Exception: # pragma: no cover
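Review bot: The negative case added at the end of `test_citation` asserts only `response.status_code != status.HTTP_200_OK`, so it would also pass if the view failed with a 500 or the request broke for an unrelated reason. The view returns `HttpResponseBadRequest()` for a rejected host, so the test can pin that: `assert response.status_code == status.HTTP_400_BAD_REQUEST`. Only one foreign host is exercised; cases for a look-alike host name, a non-HTTPS scheme and a malformed `citurl` would document what the allowlist is expected to reject. The body of `test_citation` begins outside the hunk.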
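Review bot: The new hostname check in `do_citation` constrains only the first request, because the unchanged `resp = requests.get(url)` right after it follows redirects by default and has no timeout; a redirect answered by the allowlisted host would still send this backend to another destination. Consider `resp = requests.get(url, allow_redirects=False, timeout=10)` (the timeout value is illustrative), or re-validating every `Location` before following it. The check also ignores the scheme and sits outside the `try`, so a `citurl` that is not a string, or one on which `urlparse` raises `ValueError`, surfaces as a 500 rather than a 400. If the upstream is always served over HTTPS, `if parsed_url.scheme != "https" or parsed_url.hostname != "cera-www.dkrz.de":` covers the scheme and reads more directly than `not ... ==`. `do_citation` starts and ends outside the hunk.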