Downloads API (v1) returns release files for "hidden" releases

[jaap3]

While trying to recreate a realistic downloads section for local pythondotorg development I noticed that the following.

The API v1 downloads release_file endpoint lists a number of files that refer to a release that seems to be hidden:

• Release file ids 2012-2022 refer to release id 265
• Release file ids 2058-2062) refer to release id 268

Accessing these release endpoins results in a 401 Unauthorized response.

I'm not sure what's the cause of this, but it seems that these files should not be listed (publicly) if the release is made unavailable.

[jaap3]

On a slightly related note, it seems that API v2 is not available (publicly) yet? e.g. accessing v2 urls results in a 404.

[berkerpeksag]

Correct, this is a known issue. I didn't want to change the behavior when I wrote API v2:

pythondotorg/downloads/tests/test_views.py

Lines 424 to 432 in 4135738

	# Files for a draft release should be shown to users.
	# TODO: We may deprecate this behavior when we drop API v1.
	response = self.client.get(
	self.create_url('release_file', filters={'release': self.draft_release.pk})
	)
	self.assertFalse(self.draft_release.is_published)
	self.assertEqual(response.status_code, 200)
	content = self.get_json(response)
	self.assertEqual(len(content), 1)

On a slightly related note, it seems that API v2 is not available (publicly) yet?

Correct, it isn't deployed yet.