From a898191678fcf600ff77be7d6960c4d89b122f59 Mon Sep 17 00:00:00 2001
From: Javier Barbero
Date: Mon, 28 Nov 2022 17:37:00 +0100
Subject: [PATCH] Protect access to PlotViewer routes
---
 signac_dashboard/modules/plot_viewer.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/signac_dashboard/modules/plot_viewer.py b/signac_dashboard/modules/plot_viewer.py
index d9e307cd..cbfc17a1 100644
--- a/signac_dashboard/modules/plot_viewer.py
+++ b/signac_dashboard/modules/plot_viewer.py
@@ -3,6 +3,7 @@
 # This software is licensed under the BSD 3-Clause License.
 from typing import Callable, Dict, Iterable, List, Tuple, Union
+import flask_login
 from flask import abort, render_template
 from jinja2.exceptions import TemplateNotFound
 from signac import Project
@@ -12,13 +13,6 @@
 from signac_dashboard.module import Module
-def plot_viewer_asset(filename):
- try:
- return render_template(f"plot_viewer/{filename}")
- except TemplateNotFound:
- abort(404, "The file requested does not exist.")
-
-
 class PlotViewer(Module):
 """Displays a plot associated with the job.
@@ -96,7 +90,13 @@ def get_cards(self, job_or_project):
 def register(self, dashboard: Dashboard):
 # Register routes
- dashboard.app.route("/module/plot_viewer/")(plot_viewer_asset)
+ @dashboard.app.route("/module/plot_viewer/")
+ @flask_login.login_required
+ def plot_viewer_asset(filename):
+ try:
+ return render_template(f"plot_viewer/{filename}")
+ except TemplateNotFound:
+ abort(404, "The file requested does not exist.")
 # Register assets
 assets = ["js/plot_viewer.js"]
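Review bot: Defining `plot_viewer_asset` inside `register()` in the last hunk gives Flask a new function object on each call, so if `register()` runs more than once against the same app (for instance with two PlotViewer instances; the call site is not visible here), the second `@dashboard.app.route(...)` would try to rebind the `plot_viewer_asset` endpoint, which Flask rejects with an AssertionError. The removed module-level function was the same object every time, so the old one-line registration could be repeated. A guard such as `if "plot_viewer_asset" not in dashboard.app.view_functions:` around the decorated def would keep the login check while making repeat registration harmless. Separately, `filename` selects which template is rendered, and if the assets listed just below (`js/plot_viewer.js`) are the only files this route is meant to serve, checking `filename` against that list would make the reachable set explicit instead of everything under `plot_viewer/`. The route string as shown on this page carries no `filename` variable, which may be an extraction artifact, and `register()` continues past the end of the hunk.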