From 24921ac746a8185578264fe47042997b7e088ebf Mon Sep 17 00:00:00 2001
From: "John N. Milner" <john@tmoj.net>
Date: Tue, 30 Jan 2024 13:26:43 -0500
Subject: [PATCH 1/3] Remove trailing whitespace

---
 .../logger/migrations/0034_set_require_auth_at_project_level.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/onadata/apps/logger/migrations/0034_set_require_auth_at_project_level.py b/onadata/apps/logger/migrations/0034_set_require_auth_at_project_level.py
index 652bc7dd6..d768356cb 100644
--- a/onadata/apps/logger/migrations/0034_set_require_auth_at_project_level.py
+++ b/onadata/apps/logger/migrations/0034_set_require_auth_at_project_level.py
@@ -49,7 +49,7 @@ def restore_open_rosa_server_in_redis(apps, schema_editor):
         lua_script = f"""
             local keys = {{"{lua_keys}"}}
             for _, key in ipairs(keys) do
-                local redis_real_key = string.sub(key, 1, string.find(key, '|') - 1) 
+                local redis_real_key = string.sub(key, 1, string.find(key, '|') - 1)
                 local username = string.sub(key, string.find(key, '|') + 1, string.len(key))
                 local ee_id = redis.call('get', redis_real_key)
                 if ee_id then

From 3eadcad00ee041abdafd71f76e2bfb151117a154 Mon Sep 17 00:00:00 2001
From: "John N. Milner" <john@tmoj.net>
Date: Tue, 30 Jan 2024 13:28:42 -0500
Subject: [PATCH 2/3] =?UTF-8?q?Update=20backward=20migration=20message?=
 =?UTF-8?q?=E2=80=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

when going from project-level to account-level anonymous submission
permissions
---
 .../0034_set_require_auth_at_project_level.py | 41 +++++++++++--------
 1 file changed, 25 insertions(+), 16 deletions(-)

diff --git a/onadata/apps/logger/migrations/0034_set_require_auth_at_project_level.py b/onadata/apps/logger/migrations/0034_set_require_auth_at_project_level.py
index d768356cb..8558255a7 100644
--- a/onadata/apps/logger/migrations/0034_set_require_auth_at_project_level.py
+++ b/onadata/apps/logger/migrations/0034_set_require_auth_at_project_level.py
@@ -67,25 +67,34 @@ def restore_require_auth_at_profile_level(apps, schema_editor):
 
     print(
         """
-        Restoring authentication at the profile level cannot be done 
-        automatically. 
-        
-        This is an example of what can be done:
-        ⚠️ WARNING ⚠️ The example below makes all projects publicly 
-        accessible when profile level is restored even if, at least, one project
-        was publicly accessible at project level.
-        
-        ```python
-        UserProfile.objects.filter(
-            user_id__in=XForm.objects.filter(require_auth=False).values_list(
-                'user_id'
-            )
-        ).update(require_auth=False)
-        XForm.objects.filter(require_auth=True).update(require_auth=False)
-        ```
+        You are migrating backwards from project-level control of anonymous
+        submissions to account-level control.
+
+        If you want to allow anonymous submissions again for existing accounts,
+        you must enable that manually, either in the user profile settings UI
+        of the KPI application, or by running commands in the KoboCAT Django
+        shell to set `require_auth=False` on the `UserProfile` instances
+        belonging to the desired accounts.
         """
     )
 
+    # For those savvy enough to read the code here, offer an example of how to
+    # set `require_auth=False` for all accounts having at least one *project*
+    # that allowed anonymous submissions.
+    # ⚠️ This is DANGEROUS because it potentially allows anonymous submissions
+    # (and anonymous viewing of the form) for projects where it was *not*
+    # previously allowed, e.g. an owner having 1 anonymous-allowed project and
+    # 99 private ones would have all 100 projects exposed.
+    #
+    #     UserProfile.objects.filter(
+    #         user_id__in=XForm.objects.filter(require_auth=False).values_list(
+    #             'user_id'
+    #         )
+    #     ).update(require_auth=False)
+    #     # Since `require_auth` at project level no longer does anything,
+    #     # remove misleading values
+    #     XForm.objects.filter(require_auth=True).update(require_auth=False)
+
 
 def set_require_auth_at_project_level(apps, schema_editor):
 

From e5e43bbb2050aed889160c7078df229ec5fc97d6 Mon Sep 17 00:00:00 2001
From: Olivier Leger <olivierleger@gmail.com>
Date: Wed, 7 Feb 2024 18:03:40 -0500
Subject: [PATCH 3/3] Fix wrong filter to target XForm which require auth

---
 .../logger/migrations/0034_set_require_auth_at_project_level.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/onadata/apps/logger/migrations/0034_set_require_auth_at_project_level.py b/onadata/apps/logger/migrations/0034_set_require_auth_at_project_level.py
index 652bc7dd6..c7e45f7f5 100644
--- a/onadata/apps/logger/migrations/0034_set_require_auth_at_project_level.py
+++ b/onadata/apps/logger/migrations/0034_set_require_auth_at_project_level.py
@@ -122,7 +122,7 @@ def update_open_rosa_server_in_redis(apps, schema_editor):
     server_url = settings.KOBOCAT_URL.strip('/')
 
     xforms_iter = (
-        XForm.objects.filter(user__profile__require_auth=False)
+        XForm.objects.filter(require_auth=True)
         .values('id_string', 'user__username')
         .iterator(chunk_size=CHUNK_SIZE)
     )