Merge pull request #324 from OpenMS/claude/freeze-workshop-demo-feature-ZzPh9

t0mdavid-m · web-flow · commit 8e2a34d071e1 · 2026-01-28T12:00:58.000+01:00
Add admin functionality to save workspaces as demo templates
diff --git a/.gitignore b/.gitignore
@@ -11,3 +11,4 @@ python*
 **/__pycache__/
 gdpr_consent/node_modules/
 *~
+.streamlit/secrets.toml
diff --git a/.streamlit/secrets.toml.example b/.streamlit/secrets.toml.example
@@ -0,0 +1,8 @@
+# Streamlit Secrets Configuration
+# Copy this file to secrets.toml and fill in your values.
+# IMPORTANT: Never commit secrets.toml to version control!
+
+[admin]
+# Password required to save workspaces as demo workspaces (online mode only)
+# Set a strong, unique password here
+password = "your-secure-admin-password-here"
diff --git a/src/common/admin.py b/src/common/admin.py
@@ -0,0 +1,151 @@
+"""
+Admin utilities for the Streamlit template.
+
+Provides functionality for admin-only operations like saving workspaces as demos.
+"""
+
+import hmac
+import shutil
+from pathlib import Path
+
+import streamlit as st
+
+
+def is_admin_configured() -> bool:
+    """
+    Check if admin password is configured in Streamlit secrets.
+
+    Returns:
+        bool: True if admin password is configured, False otherwise.
+    """
+    try:
+        return bool(st.secrets.get("admin", {}).get("password"))
+    except (FileNotFoundError, KeyError):
+        return False
+
+
+def verify_admin_password(password: str) -> bool:
+    """
+    Verify the provided password against the configured admin password.
+
+    Uses constant-time comparison to prevent timing attacks.
+
+    Args:
+        password: The password to verify.
+
+    Returns:
+        bool: True if password matches, False otherwise.
+    """
+    if not is_admin_configured():
+        return False
+
+    try:
+        stored_password = st.secrets["admin"]["password"]
+        # Use constant-time comparison for security
+        return hmac.compare_digest(password, stored_password)
+    except (FileNotFoundError, KeyError):
+        return False
+
+
+def get_demo_target_dir() -> Path:
+    """
+    Get the directory where demo workspaces are stored.
+
+    Returns:
+        Path: The demo workspaces directory.
+    """
+    return Path("example-data/workspaces")
+
+
+def demo_exists(demo_name: str) -> bool:
+    """
+    Check if a demo workspace with the given name already exists.
+
+    Args:
+        demo_name: Name of the demo to check.
+
+    Returns:
+        bool: True if demo exists, False otherwise.
+    """
+    target_dir = get_demo_target_dir()
+    demo_path = target_dir / demo_name
+    return demo_path.exists()
+
+
+def _remove_directory_with_symlinks(path: Path) -> None:
+    """
+    Remove a directory that may contain symlinks.
+
+    Handles symlinks properly by removing them without following.
+
+    Args:
+        path: Path to the directory to remove.
+    """
+    if not path.exists():
+        return
+
+    for item in path.rglob("*"):
+        if item.is_symlink():
+            item.unlink()
+
+    # Now remove the rest normally
+    if path.exists():
+        shutil.rmtree(path)
+
+
+def save_workspace_as_demo(workspace_path: Path, demo_name: str) -> tuple[bool, str]:
+    """
+    Save the current workspace as a demo workspace.
+
+    Copies all files from the workspace to the demo directory, following symlinks
+    to copy actual file contents rather than symlink references.
+
+    Args:
+        workspace_path: Path to the source workspace.
+        demo_name: Name for the new demo workspace.
+
+    Returns:
+        tuple[bool, str]: (success, message) tuple indicating result.
+    """
+    # Deferred import to avoid circular dependency with common.py
+    from src.common.common import is_safe_workspace_name
+
+    # Validate demo name
+    if not demo_name:
+        return False, "Demo name cannot be empty."
+
+    if not is_safe_workspace_name(demo_name):
+        return False, "Invalid demo name. Avoid path separators and special characters."
+
+    # Validate source workspace exists
+    if not workspace_path.exists():
+        return False, "Source workspace does not exist."
+
+    # Get target directory
+    target_dir = get_demo_target_dir()
+    demo_path = target_dir / demo_name
+
+    try:
+        # Ensure parent directory exists
+        target_dir.mkdir(parents=True, exist_ok=True)
+
+        # Remove existing demo if it exists (handles symlinks properly)
+        if demo_path.exists():
+            _remove_directory_with_symlinks(demo_path)
+
+        # Copy workspace to demo directory, following symlinks to get actual files
+        shutil.copytree(
+            workspace_path,
+            demo_path,
+            symlinks=False,  # Follow symlinks, copy actual files
+            dirs_exist_ok=False
+        )
+
+        return True, f"Workspace saved as demo '{demo_name}' successfully."
+
+    except PermissionError:
+        return False, "Permission denied. Cannot write to demo directory."
+    except OSError as e:
+        return False, f"Failed to save demo: {str(e)}"
+    except Exception as e:
+        return False, f"Unexpected error: {str(e)}"
diff --git a/src/common/common.py b/src/common/common.py
@@ -21,6 +21,12 @@
     TK_AVAILABLE = False
 
 from src.common.captcha_ import captcha_control
+from src.common.admin import (
+    is_admin_configured,
+    verify_admin_password,
+    demo_exists,
+    save_workspace_as_demo,
+)
 
 # Detect system platform
 OS_PLATFORM = sys.platform
@@ -624,6 +630,74 @@ def change_workspace():
                                 time.sleep(1)
                                 st.rerun()
 
+                # Save as Demo section (online mode only)
+                with st.expander("💾 **Save as Demo**"):
+                    st.caption("Save current workspace as a demo for others to use")
+
+                    demo_name_input = st.text_input(
+                        "Demo name",
+                        key="save-demo-name",
+                        placeholder="e.g., workshop-2024",
+                        help="Name for the demo workspace (no spaces or special characters)"
+                    )
+
+                    # Check if demo already exists
+                    demo_name_clean = demo_name_input.strip() if demo_name_input else ""
+                    existing_demo = demo_exists(demo_name_clean) if demo_name_clean else False
+
+                    if existing_demo:
+                        st.warning(f"Demo '{demo_name_clean}' already exists and will be overwritten.")
+                        confirm_overwrite = st.checkbox(
+                            "Confirm overwrite",
+                            key="confirm-demo-overwrite"
+                        )
+                    else:
+                        confirm_overwrite = True  # No confirmation needed for new demos
+
+                    if st.button("Save as Demo", key="save-demo-btn", disabled=not demo_name_clean):
+                        if not is_admin_configured():
+                            st.error(
+                                "Admin not configured. Create `.streamlit/secrets.toml` with "
+                                "an `[admin]` section containing `password = \"your-password\"`"
+                            )
+                        elif existing_demo and not confirm_overwrite:
+                            st.error("Please confirm overwrite to continue.")
+                        else:
+                            # Show password dialog
+                            st.session_state["show_admin_password_dialog"] = True
+
+                    # Password dialog (shown after clicking Save as Demo)
+                    if st.session_state.get("show_admin_password_dialog", False):
+                        admin_password = st.text_input(
+                            "Admin password",
+                            type="password",
+                            key="admin-password-input",
+                            help="Enter the admin password to save this workspace as a demo"
+                        )
+
+                        col1, col2 = st.columns(2)
+                        with col1:
+                            if st.button("Confirm", key="confirm-save-demo"):
+                                if verify_admin_password(admin_password):
+                                    success, message = save_workspace_as_demo(
+                                        st.session_state.workspace,
+                                        demo_name_clean
+                                    )
+                                    if success:
+                                        st.success(message)
+                                        st.session_state["show_admin_password_dialog"] = False
+                                        time.sleep(1)
+                                        st.rerun()
+                                    else:
+                                        st.error(message)
+                                else:
+                                    st.error("Invalid admin password.")
+
+                        with col2:
+                            if st.button("Cancel", key="cancel-save-demo"):
+                                st.session_state["show_admin_password_dialog"] = False
+                                st.rerun()
+
         # All pages have settings, workflow indicator and logo
         with st.expander("⚙️ **Settings**"):
             img_formats = ["svg", "png", "jpeg", "webp"]
