Update PROJECTS_ENABLED to use middleware for url blocking (#4526)

This PR introduces a runtime approach to controlling access to the
Projects feature based on the `PROJECTS_ENABLED` setting. Rather than
conditionally registering URL patterns, a new middleware is implemented
to handle access control to project-related URLs at request time. This
change improves the reliability of the feature toggle system and avoids
potential issues with module loading order and settings configuration.

## 💡 Implementation Details

The middleware works by resolving the current URL path and checking if
it belongs to a "projects" namespace. When the `PROJECTS_ENABLED`
setting is `False` and a user attempts to access a projects-related URL,
they'll receive a 404 error instead of seeing the projects
functionality.

This approach improves upon the previous implementation by:

1. Separating the concerns of URL registration and feature availability
2. Avoiding potential race conditions or initialization issues
3. Providing a more consistent user experience when the feature is
disabled

## 👀 Areas for Review Attention

- Middleware ordering in the settings file - is this the optimal
position?
- Performance impact of URL resolution for every request
- Handling of nested namespaces containing "projects"

Closes #4514

Author: theskumar

hypha/apply/funds/urls.py

@@ -1,4 +1,3 @@
-from django.conf import settings
 from django.urls import include, path
 from django.views.generic import RedirectView
 
@@ -280,9 +279,5 @@
 urlpatterns = [
     path("submissions/", include(submission_urls)),
     path("rounds/", include(rounds_urls)),
+    path("projects/", include(projects_urls)),
 ]
-
-if settings.PROJECTS_ENABLED:
-    urlpatterns += [
-        path("projects/", include(projects_urls)),
-    ]

hypha/apply/projects/middleware.py

@@ -0,0 +1,32 @@
+from django.conf import settings
+from django.http import Http404
+from django.urls import Resolver404, resolve
+
+
+class ProjectsEnabledMiddleware:
+    """
+    Middleware to control access to project urls based on PROJECTS_ENABLED setting.
+
+    This makes the decision at runtime rather than at URL pattern registration time,
+    avoiding potential issues with module loading order and settings configuration.
+    """
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        # Skip processing if PROJECTS_ENABLED is true
+        if settings.PROJECTS_ENABLED:
+            return self.get_response(request)
+
+        # Check if the current URL is in the projects namespace
+        try:
+            resolver_match = resolve(request.path)
+            if "projects" in getattr(resolver_match, "namespaces", []):
+                raise Http404("Projects functionality is disabled")
+        except Resolver404:
+            # Not a URL we can resolve, let Django handle it
+            pass
+
+        # Continue processing the request
+        return self.get_response(request)

hypha/apply/projects/tests/test_middleware.py

@@ -0,0 +1,115 @@
+from unittest.mock import Mock, patch
+
+import pytest
+from django.http import Http404
+from django.urls import Resolver404
+
+from hypha.apply.projects.middleware import ProjectsEnabledMiddleware
+
+
+@pytest.fixture
+def middleware():
+    get_response_mock = Mock()
+    return ProjectsEnabledMiddleware(get_response_mock), get_response_mock
+
+
+@pytest.mark.parametrize(
+    "projects_enabled,namespaces,path,should_raise_404",
+    [
+        # When projects are enabled, project URLs are accessible
+        (True, ["projects"], "/projects/some/path/", False),
+        # When projects are disabled, project URLs raise Http404
+        (False, ["projects"], "/projects/some/path/", True),
+        # When projects are disabled, non-project URLs are still accessible
+        (False, ["submissions"], "/submissions/path/", False),
+        # Nested projects namespaces are properly handled
+        (False, ["funds", "projects"], "/funds/projects/some/path/", True),
+        # Projects in nested namespaces are accessible when enabled
+        (True, ["funds", "projects"], "/funds/projects/some/path/", False),
+    ],
+)
+def test_projects_middleware_access_control(
+    middleware, rf, settings, projects_enabled, namespaces, path, should_raise_404
+):
+    """
+    Test that middleware controls access to project URLs based on settings.PROJECTS_ENABLED
+    """
+    # Setup
+    settings.PROJECTS_ENABLED = projects_enabled
+    middleware_instance, get_response_mock = middleware
+    request = rf.get(path)
+
+    with patch("hypha.apply.projects.middleware.resolve") as mock_resolve:
+        resolver_match = Mock(namespaces=namespaces, url_name="project-detail")
+        mock_resolve.return_value = resolver_match
+
+        # Execute
+        if should_raise_404:
+            with pytest.raises(Http404) as excinfo:
+                middleware_instance(request)
+            assert str(excinfo.value) == "Projects functionality is disabled"
+            get_response_mock.assert_not_called()
+        else:
+            response = middleware_instance(request)
+            get_response_mock.assert_called_once_with(request)
+            assert response == get_response_mock.return_value
+
+        # Verify resolve was called only if projects are disabled
+        if projects_enabled:
+            mock_resolve.assert_not_called()
+        else:
+            mock_resolve.assert_called_once_with(request.path)
+
+
+def test_resolver404_passes_through(middleware, rf, settings):
+    """
+    Test that Resolver404 exceptions are caught and handled properly
+    (letting Django handle them as it normally would).
+    """
+    middleware_instance, get_response_mock = middleware
+    request = rf.get("/nonexistent/path/")
+
+    settings.PROJECTS_ENABLED = False
+
+    with patch("hypha.apply.projects.middleware.resolve") as mock_resolve:
+        mock_resolve.side_effect = Resolver404()
+
+        response = middleware_instance(request)
+
+        mock_resolve.assert_called_once_with(request.path)
+        get_response_mock.assert_called_once_with(request)
+        assert response == get_response_mock.return_value
+
+
+@pytest.mark.parametrize(
+    "namespaces_value",
+    [
+        # Empty namespaces list
+        [],
+        # No namespaces attribute
+        None,
+    ],
+)
+def test_non_project_routes_allowed(middleware, rf, settings, namespaces_value):
+    """
+    Test that URLs with no namespaces or no namespaces attribute are allowed through.
+    """
+    settings.PROJECTS_ENABLED = False  # Even when projects are disabled
+    middleware_instance, get_response_mock = middleware
+    request = rf.get("/some/path/")
+
+    with patch("hypha.apply.projects.middleware.resolve") as mock_resolve:
+        if namespaces_value is None:
+            # Create a mock without namespaces attribute
+            resolver_match = Mock(spec=["url_name"])
+        else:
+            resolver_match = Mock()
+            resolver_match.namespaces = namespaces_value
+
+        mock_resolve.return_value = resolver_match
+
+        response = middleware_instance(request)
+
+        mock_resolve.assert_called_once_with(request.path)
+        get_response_mock.assert_called_once_with(request)
+        assert response == get_response_mock.return_value

hypha/settings/django.py

@@ -95,6 +95,7 @@
     "hypha.apply.middleware.HandleProtectionErrorMiddleware",
     "django_htmx.middleware.HtmxMiddleware",
     "hypha.core.middleware.htmx.HtmxMessageMiddleware",
+    "hypha.apply.projects.middleware.ProjectsEnabledMiddleware",
 ]
 
 # Logging