ScilifelabDataCentre
diff --git a/‎.github/pull_request_template.md‎
Lines changed: 26 additions & 18 deletions b/‎.github/pull_request_template.md‎
Lines changed: 26 additions & 18 deletions
diff --git a/‎CHANGELOG.rst‎
Lines changed: 19 additions & 0 deletions b/‎CHANGELOG.rst‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎SPRINTLOG.md‎
Lines changed: 15 additions & 0 deletions b/‎SPRINTLOG.md‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎dds_web/api/project.py‎
Lines changed: 27 additions & 11 deletions b/‎dds_web/api/project.py‎
Lines changed: 27 additions & 11 deletions
diff --git a/‎dds_web/api/schemas/project_schemas.py‎
Lines changed: 44 additions & 30 deletions b/‎dds_web/api/schemas/project_schemas.py‎
Lines changed: 44 additions & 30 deletions
diff --git a/‎dds_web/api/user.py‎
Lines changed: 3 additions & 3 deletions b/‎dds_web/api/user.py‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎dds_web/errors.py‎
Lines changed: 2 additions & 5 deletions b/‎dds_web/errors.py‎
Lines changed: 2 additions & 5 deletions
@@ -1,29 +1,37 @@
-## Read this before submitting the PR
+## Pull Request Template
 
-1. Always create a Draft PR first
-2. Go through sections 1-5 below, fill them in and check all the boxes
-3. Make sure that the branch is updated; if there's an "Update branch" button at the bottom of the PR, rebase or update branch.
-4. When all boxes are checked, information is filled in, and the branch is updated: mark as Ready For Review and tag reviewers (top right)
-5. Once there is a submitted review, implement the suggestions (if reasonable, otherwise discuss) and request an new review.
+### Before Marking as Ready for Review
 
-If there is a field which you are unsure about, enter the edit mode of this description or go to the [PR template](../.github/pull_request_template.md); There are invisible comments providing descriptions which may be of help.
+- [ ] Add relevant information to the sections below ([Summary](#summary) etc)
+- [ ] Rebase or merge the latest `dev` (or other targeted branch)
+- [ ] Update documentation if needed
+- [ ] Add an entry to the [`SPRINTLOG.md`](https://github.com/ScilifelabDataCentre/dds_web/blob/dev/SPRINTLOG.md) if needed
+- [ ] Choose an appropriate label. See [here](https://github.com/ScilifelabDataCentre/dds_web/blob/dev/docs/procedures/labelling_a_pull_request.md) for information on the labelling options
+- [ ] The code follows the [style guidelines](https://github.com/ScilifelabDataCentre/dds_web/blob/dev/docs/procedures/style_guidelines.md)
+- [ ] Perform a self-review: read the diff as if reviewing someone else's code
+- [ ] I have commented the code, particularly in hard-to-understand areas
+- [ ] Verify that all checks and tests have passed
 
-## 1. Description / Summary
+**If the target branch is `master`**:
 
-**Add a summary here**: What does this PR add/change and why?
+- [ ] Read and follow [the release instructions](https://github.com/ScilifelabDataCentre/dds_web/blob/dev/docs/procedures/new_release.md)
 
-## 2. Jira task / GitHub issue
+### Summary
 
-**Is this a GitHub issue?** --> Add the link to the github issue
+_Describe what the PR changes and why._
 
-**Is this from a Jira task?** --> If your branch does not contain info regarding the Jira task ID, put it here.
+### Related Issue/Ticket
 
-## 3. Type of change - Add label
+_Link GitHub issue or provide Jira ID._
 
-- [ ] Add a label to the PR. See [here](../docs/procedures/labelling_a_pull_request.md) for information on the labelling options.
+### Testing
 
-## 4. Additional information
+_If applicable: How did you verify the change? Include commands, data, or screenshots._
 
-- [ ] I have added an entry to the [Sprintlog](../SPRINTLOG.md)
-- [ ] This is a PR to the `master` branch: _If checked, read [the release instructions](../docs/procedures/new_release.md)_ <!-- Check this if the PR is made to the `master` branch. Only the `dev` branch should be doing this. -->
-  - [ ] I have followed steps 1-9. <!-- Should be checked if the "PR to `master` branch" box is checked AND the specified steps in the release instructions have been followed. -->
+### Reviewer Notes
+
+_Anything that helps reviewers (e.g. areas needing close attention)._
+
+---
+
+Once all boxes are checked, mark the PR as **Ready for Review** and tag at least one team member as the initial reviewer.
@@ -1,6 +1,25 @@
 Changelog
 ==========
 
+.. _2.13.1:
+
+2.13.1 - 2025-09-22
+~~~~~~~~~~~~~~~~~~~~
+
+- 🐛 Bug Fixes
+    - Disable autoflush on project creation and assure no duplicate public ID
+    - Fix bug: Users should be able to release once and extend twice
+- 📄 Documentation
+    - Correct key access swagger references 
+- 🛡️ Dependencies
+    - Bump node packages using `npm audit fix`
+    - Bump python packages to solve vulnerabilities:
+        - `cryptography` from 42.0.4 to 44.0.1
+        - `dnspython` from 2.2.0 to 2.6.1
+        - `idna` from 3.3 to 3.7
+        - `Pillow` from 10.2.0 to 10.3.0
+        - `requests` from 2.32.0 to 2.32.4
+
 .. _2.13.0:
 
 2.13.0 - 2025-08-25
 
@@ -520,3 +520,18 @@ _Nothing merged during this sprint_
 - Move instructions on how to solve failing actions / workflows to the workflow files ([#1620](https://github.com/ScilifelabDataCentre/dds_web/pull/1620/))
 - Added ADR for Queue solution ([#1625](https://github.com/ScilifelabDataCentre/dds_web/pull/1625))
 - New version: 2.13.0 ([#1627](https://github.com/ScilifelabDataCentre/dds_web/pull/1627))
+- Bug: Users should be able to release once and extend twice ([#1630](https://github.com/ScilifelabDataCentre/dds_web/pull/1630))
+
+# 2025-09-01 - 2025-09-12
+
+- Disable autoflush on project creation and assure no duplicate public ID ([#1626](https://github.com/ScilifelabDataCentre/dds_web/pull/1626))
+- Bump node libraries and python dependencies to solve vulnerabilities ([#1640](https://github.com/ScilifelabDataCentre/dds_web/pull/1640)):
+  - `dnspython` from 2.2.0 to 2.6.1
+  - `idna` from 3.3 to 3.7
+  - `Pillow` from 10.2.0 to 10.3.0
+  - `requests` from 2.32.0 to 2.32.4
+
+## 2025-09-15 - 2025-09-26
+
+- Bump cryptography library from 42.0.4 to 44.0.1 to solve vulnerabities ([#1640](https://github.com/ScilifelabDataCentre/dds_web/pull/1640))
+- New version: 2.13.1 ([#1647](https://github.com/ScilifelabDataCentre/dds_web/pull/1647))
@@ -50,6 +50,16 @@
 from dds_web.security.auth import get_user_roles_common
 from dds_web.api.files import check_eligibility_for_deletion
 
+####################################################################################################
+# CONSTANTS ############################################################################ CONSTANTS #
+####################################################################################################
+
+# Maximum number of times a project deadline can be extended
+MAX_DEADLINE_EXTENSIONS = 2
+
+# Maximum number of times a project can be released after having expired
+MAX_RELEASES_FROM_EXPIRED = 3
+
 
 ####################################################################################################
 # ENDPOINTS ############################################################################ ENDPOINTS #
@@ -214,7 +224,15 @@ def post(self):
     @handle_validation_errors
     @handle_db_error
     def patch(self):
-        """Partially update a the project status"""
+        """
+        Use to extend the project deadline of a project.
+
+        It works by faking an expiration and re-releasing the project.
+        Therefore it consumes one of the times that a project can be released after having expired.
+
+        Available --> Expired --> Available
+
+        """
         # Get project ID, project and verify access
         project_id = dds_web.utils.get_required_item(obj=flask.request.args, req="project")
         project = dds_web.utils.collect_project(project_id=project_id)
@@ -223,11 +241,9 @@ def patch(self):
         # Get json input from request
         json_input = flask.request.get_json(silent=True)  # Already checked by json_required
 
-        # A project can have the expired status 3 times
-        # It can be released / extended 3 times
-        # If more attempts --> cannot be extended again
-        # will be automatically archived by the system
-        if project.times_expired > 3:
+        # A project can have the deadline extended a maximum of MAX_DEADLINE_EXTENSIONS
+        # If more attempts occur, the deadline cannot be extended again.
+        if project.times_expired >= MAX_DEADLINE_EXTENSIONS:
             raise DDSArgumentError(
                 "Project availability limit: The maximum number of changes in data availability has been reached."
             )
@@ -401,10 +417,10 @@ def release_project(
             days=deadline_in
         )
 
-        # Project can only MOVE FROM Expired 2 times
-        # but can BE IN Exired 3 times
+        # Project can only MOVE FROM Expired to Available
+        # MAX_RELEASES_FROM_EXPIRED times
         if project.current_status == "Expired":
-            if project.times_expired > 3:
+            if project.times_expired >= MAX_RELEASES_FROM_EXPIRED:
                 raise DDSArgumentError(
                     "Project availability limit: Project cannot be made Available any more times"
                 )
@@ -569,7 +585,7 @@ def queue_helper_function_update_proj_status(
         new_status: str,
         aborted: bool = False,
     ):
-        """When the delete contents operation has being sucesfully executed. Perform the update in the DB.
+        """When the delete contents operation has been successfully executed, perform the update in the DB.
         Function ONLY to be called by the queue.
         """
 
@@ -611,7 +627,7 @@ def delete_project_info(self, proj):
 
 
 class GetPublic(flask_restful.Resource):
-    """Gets the public key beloning to the current project."""
+    """Gets the public key belonging to the current project."""
 
     @auth.login_required(role=["Unit Admin", "Unit Personnel", "Project Owner", "Researcher"])
     @logging_bind_request
 
@@ -16,7 +16,7 @@
 
 # Own modules
 from dds_web import errors as ddserr
-from dds_web import auth
+from dds_web import auth, db
 from dds_web.database import models
 from dds_web.api import api_s3_connector
 from dds_web.api.schemas import sqlalchemyautoschemas
@@ -137,37 +137,51 @@ def generate_bucketname(self, public_id, created_time):
     def create_project(self, data, **kwargs):
         """Create project row in db."""
 
-        # Lock db, get unit row and update counter
-        unit_row = (
-            models.Unit.query.filter_by(id=auth.current_user().unit_id)
-            .with_for_update()
-            .one_or_none()
-        )
-        if not unit_row:
-            raise ddserr.AccessDeniedError(message="Error: Your user is not associated to a unit.")
-
-        unit_row.counter = unit_row.counter + 1 if unit_row.counter else 1
-        data["public_id"] = "{}{:05d}".format(unit_row.internal_ref, unit_row.counter)
-
-        # Generate bucket name
-        data["bucket"] = self.generate_bucketname(
-            public_id=data["public_id"], created_time=data["date_created"]
-        )
+        with db.session.no_autoflush:
+            # Lock db, get unit row and update counter
+            unit_row = (
+                models.Unit.query.filter_by(id=auth.current_user().unit_id)
+                .with_for_update()
+                .one_or_none()
+            )
+            if not unit_row:
+                raise ddserr.DatabaseError(
+                    message="Error: Your account is not associated to a unit. Contact the Data Centre.",
+                    pass_message=True,
+                )
 
-        # Create project
-        current_user = auth.current_user()
-        new_project = models.Project(
-            **{**data, "unit_id": current_user.unit.id, "created_by": current_user.username}
-        )
-        new_project.project_statuses.append(
-            models.ProjectStatuses(
-                **{
-                    "status": "In Progress",
-                    "date_created": data["date_created"],
-                }
+            if unit_row.counter is None:
+                unit_row.counter = 0
+
+            # Check if public_id of the project already exists
+            duplicate_public_id = True
+            while duplicate_public_id:
+                unit_row.counter += 1
+                elected_public_id = "{}{:05d}".format(unit_row.internal_ref, unit_row.counter)
+                if not models.Project.query.filter_by(public_id=elected_public_id).first():
+                    data["public_id"] = elected_public_id
+                    # Generate bucket name
+                    data["bucket"] = self.generate_bucketname(
+                        public_id=data["public_id"], created_time=data["date_created"]
+                    )
+                    duplicate_public_id = False
+
+            # Create project
+            current_user = auth.current_user()
+            new_project = models.Project(
+                **{**data, "unit_id": current_user.unit.id, "created_by": current_user.username}
             )
-        )
-        generate_project_key_pair(current_user, new_project)
+            new_project.project_statuses.append(
+                models.ProjectStatuses(
+                    **{
+                        "status": "In Progress",
+                        "date_created": data["date_created"],
+                    }
+                )
+            )
+
+            generate_project_key_pair(current_user, new_project)
+            db.session.flush()
 
         return new_project
 
 
@@ -64,7 +64,7 @@ def post(self):
         if not dds_web.utils.valid_user_role(specified_role=role):
             raise ddserr.DDSArgumentError(message="Invalid user role.")
 
-        # Unit only changable for Super Admin invites
+        # Unit only changeable for Super Admin invites
         unit = json_info.get("unit") if auth.current_user().role == "Super Admin" else None
 
         # A project may or may not be specified
@@ -88,7 +88,7 @@ def post(self):
             db.session.rollback()
             raise ddserr.DatabaseError(
                 message=str(err),
-                alt_message="Something happened while checking for existig account / active invite.",
+                alt_message="Something happened while checking for existing account / active invite.",
                 pass_message=False,
             )
 
@@ -211,7 +211,7 @@ def invite_user(email, new_user_role, project=None, unit=None):
                 if unit:
                     unit_row = models.Unit.query.filter_by(public_id=unit).one_or_none()
                     if not unit_row:
-                        raise ddserr.DDSArgumentError(message="Invalid unit publid id.")
+                        raise ddserr.DDSArgumentError(message="Invalid unit public id.")
 
                     unit_row.invites.append(new_invite)
                     goahead = True
 
@@ -151,6 +151,7 @@ class DatabaseError(LoggedHTTPException):
     """Baseclass for database related issues."""
 
     code = http.HTTPStatus.INTERNAL_SERVER_ERROR
+    description = "The system encountered an error in the database."
 
     def __init__(
         self,
@@ -164,11 +165,7 @@ def __init__(
         if project:
             structlog.threadlocal.bind_threadlocal(project=project)
 
-        super().__init__(
-            (alt_message or "The system encountered an error in the database.")
-            if not pass_message
-            else message
-        )
+        super().__init__((alt_message or self.description) if not pass_message else message)
 
 
 class EmptyProjectException(LoggedHTTPException):