From c47481a2ecd546ce0b357d67482f261e0d68910d Mon Sep 17 00:00:00 2001
From: Matt Frazier <maf7sm@virginia.edu>
Date: Mon, 8 Jul 2024 13:21:17 -0400
Subject: [PATCH 01/11] Update CHANGELOG, bump version

---
 CHANGELOG    | 11 ++++++++++-
 package.json |  2 +-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 1db53b2d592..cb59936325a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,7 +2,16 @@
 
 We follow the CalVer (https://calver.org/) versioning scheme: YY.MINOR.MICRO.
 
-24.01.0 (2024-04-30)
+24.03.0 (2024-07-08)
+====================
+- Allow AbstractProviders to specify Discover page presence
+- Update get_auth
+- Expand Addons Service support functionality, waffled
+- Set default Resource Type General for Registrations
+- Bug fix: Archiver Unicode edge cases
+- Bug fix: RelationshipField during project creation
+
+24.02.0 (2024-04-30)
 ====================
 - Initial Addons Service work, Waffled
 - Improve default `description` for Google Dataset Discovery
diff --git a/package.json b/package.json
index d95254712c5..4a59f79fe4f 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "OSF",
-  "version": "24.02.0",
+  "version": "24.03.0",
   "description": "Facilitating Open Science",
   "repository": "https://github.com/CenterForOpenScience/osf.io",
   "author": "Center for Open Science",

From ed3fadd77e0f7f005ab45b6e0d968dfc4af16136 Mon Sep 17 00:00:00 2001
From: Longze Chen <cslzchen@gmail.com>
Date: Mon, 8 Jul 2024 14:19:38 -0400
Subject: [PATCH 02/11] [ENG-5030] Preprints Phase 2 - BE (#10617)

* Add original_publication_citation to preprints model and serializer

* Fix an issue where original_publication_citation was not updated

* Add unit tests

* Respond to CR:

* Rename original_publication_citation to custom_publication_citation
* Redo migration

* Redo migrations

* Update preprints to route to EOW

* Remvoe the use of preprints_dir

* Add self link and view for preprint subjects relationship (#10619)

* add self link and view for preprint subjects relationship

* Fix permissions issue

* Add required write scopes

---------

Co-authored-by: Brian J. Geiger <bgeiger@pobox.com>

* Get root_folder for preprints (#10630)

## Purpose

Make it so preprints api serialization has a root_folder

## Changes

1. Modify the view to get the root_folder in the case of preprints

## Side Effects

Should only affect preprints

## Ticket

https://openscience.atlassian.net/browse/ENG-5716

---------

Co-authored-by: Yuhuai Liu <yuhuai@cos.io>
Co-authored-by: Brian J. Geiger <bgeiger@pobox.com>
Co-authored-by: Brian J. Geiger <bgeiger@cos.io>
---
 api/nodes/views.py                            |  9 ++++-
 api/preprints/serializers.py                  | 10 ++++++
 api/preprints/urls.py                         |  1 +
 api/preprints/views.py                        | 33 ++++++++++++++++++-
 .../preprints/views/test_preprint_detail.py   | 23 +++++++++++++
 ...21_preprint_custom_publication_citation.py | 18 ++++++++++
 osf/models/preprint.py                        |  1 +
 website/routes.py                             | 10 +-----
 website/views.py                              |  3 --
 9 files changed, 94 insertions(+), 14 deletions(-)
 create mode 100644 osf/migrations/0021_preprint_custom_publication_citation.py

diff --git a/api/nodes/views.py b/api/nodes/views.py
index 23777b677b9..dae613cf868 100644
--- a/api/nodes/views.py
+++ b/api/nodes/views.py
@@ -153,6 +153,7 @@
     File,
     Folder,
     CedarMetadataRecord,
+    Preprint,
 )
 from addons.osfstorage.models import Region
 from osf.utils.permissions import ADMIN, WRITE_NODE
@@ -1481,12 +1482,18 @@ def __init__(self, node, provider_name, storage_addon=None):
         self.node_id = node._id
         self.pk = node._id
         self.id = node.id
-        self.root_folder = storage_addon.root_node if storage_addon else None
+        self.root_folder = self._get_root_folder(storage_addon)
 
     @property
     def target(self):
         return self.node
 
+    def _get_root_folder(self, storage_addon):
+        if isinstance(self.target, Preprint):
+            return self.target.root_folder
+        else:
+            return storage_addon.root_node if storage_addon else None
+
 class NodeStorageProvidersList(JSONAPIBaseView, generics.ListAPIView, NodeMixin):
     """The documentation for this endpoint can be found [here](https://developer.osf.io/#operation/nodes_providers_list).
     """
diff --git a/api/preprints/serializers.py b/api/preprints/serializers.py
index 6a00e581f4d..146490862af 100644
--- a/api/preprints/serializers.py
+++ b/api/preprints/serializers.py
@@ -111,6 +111,7 @@ class PreprintSerializer(TaxonomizableSerializerMixin, MetricsSerializerMixin, J
     date_modified = VersionedDateTimeField(source='modified', read_only=True)
     date_published = VersionedDateTimeField(read_only=True)
     original_publication_date = VersionedDateTimeField(required=False, allow_null=True)
+    custom_publication_citation = ser.CharField(required=False, allow_blank=True, allow_null=True)
     doi = ser.CharField(source='article_doi', required=False, allow_null=True)
     title = ser.CharField(required=True, max_length=512)
     description = ser.CharField(required=False, allow_blank=True, allow_null=True)
@@ -222,6 +223,11 @@ def subjects_view_kwargs(self):
         # Overrides TaxonomizableSerializerMixin
         return {'preprint_id': '<_id>'}
 
+    @property
+    def subjects_self_view(self):
+        # Overrides TaxonomizableSerializerMixin
+        return 'preprints:preprint-relationships-subjects'
+
     def get_preprint_url(self, obj):
         return absolute_reverse('preprints:preprint-detail', kwargs={'preprint_id': obj._id, 'version': self.context['request'].parser_context['kwargs']['version']})
 
@@ -326,6 +332,10 @@ def update(self, preprint, validated_data):
             preprint.original_publication_date = validated_data['original_publication_date'] or None
             save_preprint = True
 
+        if 'custom_publication_citation' in validated_data:
+            preprint.custom_publication_citation = validated_data['custom_publication_citation'] or None
+            save_preprint = True
+
         if 'has_coi' in validated_data:
             try:
                 preprint.update_has_coi(auth, validated_data['has_coi'])
diff --git a/api/preprints/urls.py b/api/preprints/urls.py
index 70c72d991f6..c8b48e6b1cd 100644
--- a/api/preprints/urls.py
+++ b/api/preprints/urls.py
@@ -16,6 +16,7 @@
     re_path(r'^(?P<preprint_id>\w+)/files/osfstorage/$', views.PreprintFilesList.as_view(), name=views.PreprintFilesList.view_name),
     re_path(r'^(?P<preprint_id>\w+)/identifiers/$', views.PreprintIdentifierList.as_view(), name=views.PreprintIdentifierList.view_name),
     re_path(r'^(?P<preprint_id>\w+)/relationships/node/$', views.PreprintNodeRelationship.as_view(), name=views.PreprintNodeRelationship.view_name),
+    re_path(r'^(?P<preprint_id>\w+)/relationships/subjects/$', views.PreprintSubjectsRelationship.as_view(), name=views.PreprintSubjectsRelationship.view_name),
     re_path(r'^(?P<preprint_id>\w+)/review_actions/$', views.PreprintActionList.as_view(), name=views.PreprintActionList.view_name),
     re_path(r'^(?P<preprint_id>\w+)/requests/$', views.PreprintRequestListCreate.as_view(), name=views.PreprintRequestListCreate.view_name),
     re_path(r'^(?P<preprint_id>\w+)/subjects/$', views.PreprintSubjectsList.as_view(), name=views.PreprintSubjectsList.view_name),
diff --git a/api/preprints/views.py b/api/preprints/views.py
index 08df330c7db..302b8623102 100644
--- a/api/preprints/views.py
+++ b/api/preprints/views.py
@@ -58,7 +58,7 @@
 from api.requests.permissions import PreprintRequestPermission
 from api.requests.serializers import PreprintRequestSerializer, PreprintRequestCreateSerializer
 from api.requests.views import PreprintRequestMixin
-from api.subjects.views import BaseResourceSubjectsList
+from api.subjects.views import BaseResourceSubjectsList, SubjectRelationshipBaseView
 from api.base.metrics import PreprintMetricsViewMixin
 from osf.metrics import PreprintDownload, PreprintView
 
@@ -456,6 +456,37 @@ class PreprintSubjectsList(BaseResourceSubjectsList, PreprintMixin):
     def get_resource(self):
         return self.get_preprint()
 
+
+class PreprintSubjectsRelationship(SubjectRelationshipBaseView, PreprintMixin):
+    """The documentation for this endpoint can be found [here](https://developer.osf.io/#operation/preprint_subjects_list).
+    """
+    permission_classes = (
+        drf_permissions.IsAuthenticatedOrReadOnly,
+        base_permissions.TokenHasScope,
+        ModeratorIfNeverPublicWithdrawn,
+        ContributorOrPublic,
+        PreprintPublishedOrWrite,
+    )
+
+    required_read_scopes = [CoreScopes.PREPRINTS_READ]
+    required_write_scopes = [CoreScopes.PREPRINTS_WRITE]
+
+    view_category = 'preprints'
+    view_name = 'preprint-relationships-subjects'
+
+    def get_resource(self, check_object_permissions=True):
+        return self.get_preprint(check_object_permissions=check_object_permissions)
+
+    def get_object(self):
+        resource = self.get_resource(check_object_permissions=False)
+        obj = {
+            'data': resource.subjects.all(),
+            'self': resource,
+        }
+        self.check_object_permissions(self.request, resource)
+        return obj
+
+
 class PreprintActionList(JSONAPIBaseView, generics.ListCreateAPIView, ListFilterMixin, PreprintMixin):
     """Action List *Read-only*
 
diff --git a/api_tests/preprints/views/test_preprint_detail.py b/api_tests/preprints/views/test_preprint_detail.py
index aca17d6901e..332aea74a6c 100644
--- a/api_tests/preprints/views/test_preprint_detail.py
+++ b/api_tests/preprints/views/test_preprint_detail.py
@@ -305,6 +305,19 @@ def test_update_original_publication_date_to_none(self, app, preprint, url):
         preprint.reload()
         assert preprint.original_publication_date is None
 
+    def test_update_custom_publication_citation_to_none(self, app, preprint, url):
+        write_contrib = AuthUserFactory()
+        preprint.add_contributor(write_contrib, WRITE, save=True)
+        preprint.custom_publication_citation = 'fake citation'
+        preprint.save()
+        update_payload = build_preprint_update_payload(
+            preprint._id, attributes={'custom_publication_citation': None}
+        )
+        res = app.patch_json_api(url, update_payload, auth=write_contrib.auth)
+        assert res.status_code == 200
+        preprint.reload()
+        assert preprint.custom_publication_citation is None
+
     @responses.activate
     @mock.patch('osf.models.preprint.update_or_enqueue_on_preprint_updated', mock.Mock())
     def test_update_preprint_permission_write_contrib(self, app, preprint, url):
@@ -536,6 +549,16 @@ def test_update_original_publication_date(self, app, user, preprint, url):
         preprint.reload()
         assert preprint.original_publication_date == date
 
+    def test_update_custom_publication_citation(self, app, user, preprint, url):
+        citation = 'fake citation'
+        update_payload = build_preprint_update_payload(
+            preprint._id, attributes={'custom_publication_citation': citation}
+        )
+        res = app.patch_json_api(url, update_payload, auth=user.auth)
+        assert res.status_code == 200
+        preprint.reload()
+        assert preprint.custom_publication_citation == citation
+
     @responses.activate
     @mock.patch('osf.models.preprint.update_or_enqueue_on_preprint_updated', mock.Mock())
     def test_update_article_doi(self, app, user, preprint, url):
diff --git a/osf/migrations/0021_preprint_custom_publication_citation.py b/osf/migrations/0021_preprint_custom_publication_citation.py
new file mode 100644
index 00000000000..678d3bd2192
--- /dev/null
+++ b/osf/migrations/0021_preprint_custom_publication_citation.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.17 on 2024-05-15 15:07
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('osf', '0020_abstractprovider_advertise_on_discover_page'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='preprint',
+            name='custom_publication_citation',
+            field=models.TextField(blank=True, null=True),
+        ),
+    ]
diff --git a/osf/models/preprint.py b/osf/models/preprint.py
index 428b334c853..0a188e9f28b 100644
--- a/osf/models/preprint.py
+++ b/osf/models/preprint.py
@@ -152,6 +152,7 @@ class Preprint(DirtyFieldsMixin, GuidMixin, IdentifierMixin, ReviewableMixin, Ba
     is_published = models.BooleanField(default=False, db_index=True)
     date_published = NonNaiveDateTimeField(null=True, blank=True)
     original_publication_date = NonNaiveDateTimeField(null=True, blank=True)
+    custom_publication_citation = models.TextField(null=True, blank=True)
     license = models.ForeignKey('osf.NodeLicenseRecord',
                                 on_delete=models.SET_NULL, null=True, blank=True)
 
diff --git a/website/routes.py b/website/routes.py
index 787fe2e367b..eb3f93fd186 100644
--- a/website/routes.py
+++ b/website/routes.py
@@ -261,15 +261,7 @@ def ember_app(path=None):
         if request.path.strip('/').startswith(k):
             ember_app = EXTERNAL_EMBER_APPS[k]
             if k == 'preprints':
-                if request.path.rstrip('/').endswith('edit'):
-                    # Route preprint edit pages to old preprint app
-                    ember_app = EXTERNAL_EMBER_APPS.get('preprints', False) or ember_app
-                elif request.path.rstrip('/').endswith('submit'):
-                    # Route preprint submit pages to old preprint app
-                    ember_app = EXTERNAL_EMBER_APPS.get('preprints', False) or ember_app
-                else:
-                    # Route other preprint pages to EOW
-                    ember_app = EXTERNAL_EMBER_APPS.get('ember_osf_web', False) or ember_app
+                ember_app = EXTERNAL_EMBER_APPS.get('ember_osf_web', False) or ember_app
             break
 
     if not ember_app:
diff --git a/website/views.py b/website/views.py
index adee1d27887..90fb285d499 100644
--- a/website/views.py
+++ b/website/views.py
@@ -38,7 +38,6 @@
 from api.waffle.utils import storage_i18n_flag_active
 
 logger = logging.getLogger(__name__)
-preprints_dir = os.path.abspath(os.path.join(os.getcwd(), EXTERNAL_EMBER_APPS['preprints']['path']))
 ember_osf_web_dir = os.path.abspath(os.path.join(os.getcwd(), EXTERNAL_EMBER_APPS['ember_osf_web']['path']))
 
 
@@ -332,8 +331,6 @@ def resolve_guid(guid, suffix=None):
     if isinstance(resource, Preprint):
         if resource.provider.domain_redirect_enabled:
             return redirect(resource.absolute_url, http_status.HTTP_301_MOVED_PERMANENTLY)
-        if clean_suffix.endswith('edit'):
-            return stream_emberapp(EXTERNAL_EMBER_APPS['preprints']['server'], preprints_dir)
         return use_ember_app()
 
     elif isinstance(resource, Registration) and (clean_suffix in ('', 'comments', 'links', 'components', 'resources',)) and waffle.flag_is_active(request, features.EMBER_REGISTRIES_DETAIL_PAGE):

From bdbcc63db293f1f51b970c0582de54918f9eacc3 Mon Sep 17 00:00:00 2001
From: Matt Frazier <maf7sm@virginia.edu>
Date: Mon, 8 Jul 2024 14:26:36 -0400
Subject: [PATCH 03/11] Update CHANGELOG, bump version

---
 CHANGELOG    | 4 ++++
 package.json | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index cb59936325a..f7b89a25aeb 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,10 @@
 
 We follow the CalVer (https://calver.org/) versioning scheme: YY.MINOR.MICRO.
 
+24.03.0 (2024-07-08)
+====================
+- Preprints into Ember OSF Web, Phase 2 Backend Release
+
 24.03.0 (2024-07-08)
 ====================
 - Allow AbstractProviders to specify Discover page presence
diff --git a/package.json b/package.json
index 4a59f79fe4f..e23665cd5f1 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "OSF",
-  "version": "24.03.0",
+  "version": "24.04.0",
   "description": "Facilitating Open Science",
   "repository": "https://github.com/CenterForOpenScience/osf.io",
   "author": "Center for Open Science",

From 9cec4c21e4b555881111f8f196b9bbf6323d6e29 Mon Sep 17 00:00:00 2001
From: Uditi Mehta <57388785+uditijmehta@users.noreply.github.com>
Date: Tue, 9 Jul 2024 14:51:48 -0400
Subject: [PATCH 04/11] [ENG-3685] Add permissions for withdrawn registration
 files (#10650)

* Prevent users from accessing files from withdrawn registrations via API and Waterbutler

---------

Co-authored-by: Uditi Mehta <uditimehta@coss-mbp.lan>
Co-authored-by: Uditi Mehta <uditimehta@COSs-MacBook-Pro.local>
---
 addons/base/views.py                      |  3 +
 api/files/serializers.py                  |  1 -
 api/files/views.py                        |  3 +
 api_tests/files/views/test_file_detail.py | 76 +++++++++++++++++++++--
 4 files changed, 78 insertions(+), 5 deletions(-)

diff --git a/addons/base/views.py b/addons/base/views.py
index 3394e6dc22b..b78f264697f 100644
--- a/addons/base/views.py
+++ b/addons/base/views.py
@@ -305,6 +305,9 @@ def get_authenticated_resource(resource_id):
     if resource.deleted:
         raise HTTPError(http_status.HTTP_410_GONE, message='Resource has been deleted.')
 
+    if getattr(resource, 'is_retracted', False):
+        raise HTTPError(http_status.HTTP_410_GONE, message='Resource has been retracted.')
+
     return resource
 
 
diff --git a/api/files/serializers.py b/api/files/serializers.py
index 9e92bca2037..7680cb560e1 100644
--- a/api/files/serializers.py
+++ b/api/files/serializers.py
@@ -441,7 +441,6 @@ def to_representation(self, value):
         guid = Guid.load(view.kwargs['file_id'])
         if guid:
             data['data']['id'] = guid._id
-
         return data
 
 
diff --git a/api/files/views.py b/api/files/views.py
index 15999637336..2c4aae80976 100644
--- a/api/files/views.py
+++ b/api/files/views.py
@@ -57,6 +57,9 @@ def get_file(self, check_permissions=True):
             if obj.target.creator.is_disabled:
                 raise Gone(detail='This user has been deactivated and their quickfiles are no longer available.')
 
+        if getattr(obj.target, 'is_retracted', False):
+            raise Gone(detail='The requested file is no longer available.')
+
         if check_permissions:
             # May raise a permission denied
             self.check_object_permissions(self.request, obj)
diff --git a/api_tests/files/views/test_file_detail.py b/api_tests/files/views/test_file_detail.py
index 14b95016e36..0c6e7876fe4 100644
--- a/api_tests/files/views/test_file_detail.py
+++ b/api_tests/files/views/test_file_detail.py
@@ -31,6 +31,9 @@
 
 SessionStore = import_module(django_conf_settings.SESSION_ENGINE).SessionStore
 
+from addons.base.views import get_authenticated_resource
+from framework.exceptions import HTTPError
+
 # stolen from^W^Winspired by DRF
 # rest_framework.fields.DateTimeField.to_representation
 def _dt_to_iso8601(value):
@@ -639,6 +642,10 @@ def file(self, root_node, user):
         }).save()
         return file
 
+    @pytest.fixture()
+    def file_url(self, file):
+        return '/{}files/{}/'.format(API_BASE, file._id)
+
     def test_listing(self, app, user, file):
         file.create_version(user, {
             'object': '0683m38e',
@@ -705,6 +712,67 @@ def test_load_and_property(self, app, user, file):
             expect_errors=True, auth=user.auth,
         ).status_code == 405
 
+    def test_retracted_registration_file(self, app, user, file_url, file):
+        resource = RegistrationFactory(is_public=True)
+        retraction = resource.retract_registration(
+            user=resource.creator,
+            justification='Justification for retraction',
+            save=True,
+            moderator_initiated=False
+        )
+
+        retraction.accept()
+        resource.save()
+        resource.refresh_from_db()
+
+        file.target = resource
+        file.save()
+
+        res = app.get(file_url, auth=user.auth, expect_errors=True)
+        assert res.status_code == 410
+
+    def test_retracted_file_returns_410(self, app, user, file_url, file):
+        resource = RegistrationFactory(is_public=True)
+        retraction = resource.retract_registration(
+            user=resource.creator,
+            justification='Justification for retraction',
+            save=True,
+            moderator_initiated=False
+        )
+
+        retraction.accept()
+        resource.save()
+        resource.refresh_from_db()
+
+        file.target = resource
+        file.save()
+
+        res = app.get(file_url, auth=user.auth, expect_errors=True)
+        assert res.status_code == 410
+
+    def test_get_authenticated_resource_retracted(self):
+        resource = RegistrationFactory(is_public=True)
+
+        assert resource.is_retracted is False
+
+        retraction = resource.retract_registration(
+            user=resource.creator,
+            justification='Justification for retraction',
+            save=True,
+            moderator_initiated=False
+        )
+
+        retraction.accept()
+        resource.save()
+        resource.refresh_from_db()
+
+        assert resource.is_retracted is True
+
+        with pytest.raises(HTTPError) as excinfo:
+            get_authenticated_resource(resource._id)
+
+        assert excinfo.value.code == 410
+
 
 @pytest.mark.django_db
 class TestFileTagging:
@@ -916,20 +984,20 @@ def test_withdrawn_preprint_files(self, app, file_url, preprint, user, other_use
 
         # Unauthenticated
         res = app.get(file_url, expect_errors=True)
-        assert res.status_code == 401
+        assert res.status_code == 410
 
         # Noncontrib
         res = app.get(file_url, auth=other_user.auth, expect_errors=True)
-        assert res.status_code == 403
+        assert res.status_code == 410
 
         # Write contributor
         preprint.add_contributor(other_user, WRITE, save=True)
         res = app.get(file_url, auth=other_user.auth, expect_errors=True)
-        assert res.status_code == 403
+        assert res.status_code == 410
 
         # Admin contrib
         res = app.get(file_url, auth=user.auth, expect_errors=True)
-        assert res.status_code == 403
+        assert res.status_code == 410
 
 @pytest.mark.django_db
 class TestShowAsUnviewed:

From ed34ace57ed74ae906781215391e3ef02180bbf8 Mon Sep 17 00:00:00 2001
From: Matt Frazier <maf7sm@virginia.edu>
Date: Tue, 9 Jul 2024 17:00:14 -0400
Subject: [PATCH 05/11] Allow DOI metadata updates to be queued

---
 website/identifiers/tasks.py | 11 +++++++----
 website/settings/defaults.py |  3 ++-
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/website/identifiers/tasks.py b/website/identifiers/tasks.py
index 2fd51428dc3..e0823cec5cd 100644
--- a/website/identifiers/tasks.py
+++ b/website/identifiers/tasks.py
@@ -5,12 +5,15 @@
 from framework.celery_tasks.handlers import queued_task
 from framework import sentry
 
-
-@queued_task
-@celery_app.task(ignore_results=True)
-def update_doi_metadata_on_change(target_guid):
+@celery_app.task(bind=True, max_retries=5, acks_late=True)
+def task__update_doi_metadata_on_change(target_guid):
     sentry.log_message('Updating DOI for guid', extra_data={'guid': target_guid}, level=logging.INFO)
     Guid = apps.get_model('osf.Guid')
     target_object = Guid.load(target_guid).referent
     if target_object.get_identifier('doi'):
         target_object.request_identifier_update(category='doi')
+
+@queued_task
+@celery_app.task(ignore_results=True)
+def update_doi_metadata_on_change(target_guid):
+    task__update_doi_metadata_on_change(target_guid)
diff --git a/website/settings/defaults.py b/website/settings/defaults.py
index ce44070357b..79200467839 100644
--- a/website/settings/defaults.py
+++ b/website/settings/defaults.py
@@ -455,7 +455,7 @@ class CeleryConfig:
         'website.mailchimp_utils',
         'website.notifications.tasks',
         'website.collections.tasks',
-        'website.identifier.tasks',
+        'website.identifiers.tasks',
         'website.preprints.tasks',
         'website.project.tasks',
     }
@@ -516,6 +516,7 @@ class CeleryConfig:
         'website.mailchimp_utils',
         'website.notifications.tasks',
         'website.archiver.tasks',
+        'website.identifiers.tasks',
         'website.search.search',
         'website.project.tasks',
         'scripts.populate_new_and_noteworthy_projects',

From 799cb57b7da84ca9efd8680697cc90c6f41004ad Mon Sep 17 00:00:00 2001
From: Matt Frazier <maf7sm@virginia.edu>
Date: Tue, 9 Jul 2024 18:03:45 -0400
Subject: [PATCH 06/11] Fix signature

---
 website/identifiers/tasks.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/website/identifiers/tasks.py b/website/identifiers/tasks.py
index e0823cec5cd..f940956d54b 100644
--- a/website/identifiers/tasks.py
+++ b/website/identifiers/tasks.py
@@ -6,7 +6,7 @@
 from framework import sentry
 
 @celery_app.task(bind=True, max_retries=5, acks_late=True)
-def task__update_doi_metadata_on_change(target_guid):
+def task__update_doi_metadata_on_change(self, target_guid):
     sentry.log_message('Updating DOI for guid', extra_data={'guid': target_guid}, level=logging.INFO)
     Guid = apps.get_model('osf.Guid')
     target_object = Guid.load(target_guid).referent

From 30604a0d6b6fd3aa3f8dc5db274c520589ceea38 Mon Sep 17 00:00:00 2001
From: Matt Frazier <maf7sm@virginia.edu>
Date: Thu, 11 Jul 2024 12:35:41 -0400
Subject: [PATCH 07/11] Check Registration READ perms on the Registration - Do
 not record download metrics for renders

---
 addons/base/views.py | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/addons/base/views.py b/addons/base/views.py
index 3394e6dc22b..e3dc206164e 100644
--- a/addons/base/views.py
+++ b/addons/base/views.py
@@ -206,7 +206,7 @@ def check_resource_permissions(resource, auth, action):
 
 def _check_registration_permissions(registration, auth, permission, action):
     if permission == permissions.READ:
-        return registration.registered_from.can_view(auth)
+        return registration.can_view(auth) or registration.registered_from.can_view(auth)
     if action in ('copyfrom', 'upload'):
         return _check_hierarchical_write_permissions(resource=registration, auth=auth)
     return registration.can_edit(auth)
@@ -241,6 +241,19 @@ def _check_hierarchical_write_permissions(resource, auth):
         permissions_resource = permissions_resource.parent_node
     return False
 
+def _download_is_from_mfr(waterbutler_data):
+    metrics_data = waterbutler_data['metrics']
+    uri = metrics_data['uri']
+    is_render_uri = furl.furl(uri or '').query.params.get('mode') == 'render'
+    return (
+        # This header is sent for download requests that
+        # originate from MFR, e.g. for the code pygments renderer
+        request.headers.get('X-Cos-Mfr-Render-Request', None) or
+        # Need to check the URI in order to account
+        # for renderers that send XHRs from the
+        # rendered content, e.g. PDFs
+        is_render_uri
+    )
 
 def make_auth(user):
     if user is not None:
@@ -412,7 +425,7 @@ def get_auth(auth, **kwargs):
         # Trigger any file-specific signals based on the action taken (e.g., file viewed, downloaded)
         if action == 'render':
             file_signals.file_viewed.send(auth=auth, fileversion=fileversion, file_node=file_node)
-        elif action == 'download':
+        elif action == 'download' and not _download_is_from_mfr(waterbutler_data):
             file_signals.file_downloaded.send(auth=auth, fileversion=fileversion, file_node=file_node)
 
     # Construct the response payload including the JWT

From 34d56414859066b98c0998fbc00cd130bf5de4fd Mon Sep 17 00:00:00 2001
From: Fitz Elliott <fitz@cos.io>
Date: Fri, 12 Jul 2024 13:05:54 -0400
Subject: [PATCH 08/11] Revert "[ENG-3685] Add permissions for withdrawn
 registration files (#10650)" (#10666)

This reverts commit 9cec4c21e4b555881111f8f196b9bbf6323d6e29.
---
 addons/base/views.py                      |  3 -
 api/files/serializers.py                  |  1 +
 api/files/views.py                        |  3 -
 api_tests/files/views/test_file_detail.py | 76 ++---------------------
 4 files changed, 5 insertions(+), 78 deletions(-)

diff --git a/addons/base/views.py b/addons/base/views.py
index 834e6c32817..e3dc206164e 100644
--- a/addons/base/views.py
+++ b/addons/base/views.py
@@ -318,9 +318,6 @@ def get_authenticated_resource(resource_id):
     if resource.deleted:
         raise HTTPError(http_status.HTTP_410_GONE, message='Resource has been deleted.')
 
-    if getattr(resource, 'is_retracted', False):
-        raise HTTPError(http_status.HTTP_410_GONE, message='Resource has been retracted.')
-
     return resource
 
 
diff --git a/api/files/serializers.py b/api/files/serializers.py
index 7680cb560e1..9e92bca2037 100644
--- a/api/files/serializers.py
+++ b/api/files/serializers.py
@@ -441,6 +441,7 @@ def to_representation(self, value):
         guid = Guid.load(view.kwargs['file_id'])
         if guid:
             data['data']['id'] = guid._id
+
         return data
 
 
diff --git a/api/files/views.py b/api/files/views.py
index 2c4aae80976..15999637336 100644
--- a/api/files/views.py
+++ b/api/files/views.py
@@ -57,9 +57,6 @@ def get_file(self, check_permissions=True):
             if obj.target.creator.is_disabled:
                 raise Gone(detail='This user has been deactivated and their quickfiles are no longer available.')
 
-        if getattr(obj.target, 'is_retracted', False):
-            raise Gone(detail='The requested file is no longer available.')
-
         if check_permissions:
             # May raise a permission denied
             self.check_object_permissions(self.request, obj)
diff --git a/api_tests/files/views/test_file_detail.py b/api_tests/files/views/test_file_detail.py
index 0c6e7876fe4..14b95016e36 100644
--- a/api_tests/files/views/test_file_detail.py
+++ b/api_tests/files/views/test_file_detail.py
@@ -31,9 +31,6 @@
 
 SessionStore = import_module(django_conf_settings.SESSION_ENGINE).SessionStore
 
-from addons.base.views import get_authenticated_resource
-from framework.exceptions import HTTPError
-
 # stolen from^W^Winspired by DRF
 # rest_framework.fields.DateTimeField.to_representation
 def _dt_to_iso8601(value):
@@ -642,10 +639,6 @@ def file(self, root_node, user):
         }).save()
         return file
 
-    @pytest.fixture()
-    def file_url(self, file):
-        return '/{}files/{}/'.format(API_BASE, file._id)
-
     def test_listing(self, app, user, file):
         file.create_version(user, {
             'object': '0683m38e',
@@ -712,67 +705,6 @@ def test_load_and_property(self, app, user, file):
             expect_errors=True, auth=user.auth,
         ).status_code == 405
 
-    def test_retracted_registration_file(self, app, user, file_url, file):
-        resource = RegistrationFactory(is_public=True)
-        retraction = resource.retract_registration(
-            user=resource.creator,
-            justification='Justification for retraction',
-            save=True,
-            moderator_initiated=False
-        )
-
-        retraction.accept()
-        resource.save()
-        resource.refresh_from_db()
-
-        file.target = resource
-        file.save()
-
-        res = app.get(file_url, auth=user.auth, expect_errors=True)
-        assert res.status_code == 410
-
-    def test_retracted_file_returns_410(self, app, user, file_url, file):
-        resource = RegistrationFactory(is_public=True)
-        retraction = resource.retract_registration(
-            user=resource.creator,
-            justification='Justification for retraction',
-            save=True,
-            moderator_initiated=False
-        )
-
-        retraction.accept()
-        resource.save()
-        resource.refresh_from_db()
-
-        file.target = resource
-        file.save()
-
-        res = app.get(file_url, auth=user.auth, expect_errors=True)
-        assert res.status_code == 410
-
-    def test_get_authenticated_resource_retracted(self):
-        resource = RegistrationFactory(is_public=True)
-
-        assert resource.is_retracted is False
-
-        retraction = resource.retract_registration(
-            user=resource.creator,
-            justification='Justification for retraction',
-            save=True,
-            moderator_initiated=False
-        )
-
-        retraction.accept()
-        resource.save()
-        resource.refresh_from_db()
-
-        assert resource.is_retracted is True
-
-        with pytest.raises(HTTPError) as excinfo:
-            get_authenticated_resource(resource._id)
-
-        assert excinfo.value.code == 410
-
 
 @pytest.mark.django_db
 class TestFileTagging:
@@ -984,20 +916,20 @@ def test_withdrawn_preprint_files(self, app, file_url, preprint, user, other_use
 
         # Unauthenticated
         res = app.get(file_url, expect_errors=True)
-        assert res.status_code == 410
+        assert res.status_code == 401
 
         # Noncontrib
         res = app.get(file_url, auth=other_user.auth, expect_errors=True)
-        assert res.status_code == 410
+        assert res.status_code == 403
 
         # Write contributor
         preprint.add_contributor(other_user, WRITE, save=True)
         res = app.get(file_url, auth=other_user.auth, expect_errors=True)
-        assert res.status_code == 410
+        assert res.status_code == 403
 
         # Admin contrib
         res = app.get(file_url, auth=user.auth, expect_errors=True)
-        assert res.status_code == 410
+        assert res.status_code == 403
 
 @pytest.mark.django_db
 class TestShowAsUnviewed:

From 6c32a94a4bbd9e11bc74a6281804d1715c96f235 Mon Sep 17 00:00:00 2001
From: Jon Walz <jon@cos.io>
Date: Fri, 28 Jun 2024 10:18:16 -0400
Subject: [PATCH 09/11] [ENG-5727][ENG-5728] Get Addon information from
 GravyValet (#10652)

* Get addon data for external providers from GravyValet (if flag is active)
* Further improve `get_auth`

---------

Co-authored-by: Jon Walz <walzj@COSs-MBP.lan>
---
 addons/base/views.py                     | 392 ++++++++++-------------
 osf/external/gravy_valet/auth_helpers.py |   5 +-
 osf/external/gravy_valet/translations.py |  15 +-
 osf/models/draft_node.py                 |   6 +
 osf/models/mixins.py                     |  20 ++
 osf/models/node.py                       |  30 ++
 osf/models/preprint.py                   |   4 +
 osf/models/user.py                       |  32 ++
 tests/test_addons.py                     | 364 +++++++++------------
 tests/test_preprints.py                  |  50 ++-
 tests/test_utils.py                      |   8 +-
 11 files changed, 475 insertions(+), 451 deletions(-)

diff --git a/addons/base/views.py b/addons/base/views.py
index e3dc206164e..696b499505a 100644
--- a/addons/base/views.py
+++ b/addons/base/views.py
@@ -1,5 +1,4 @@
 import datetime
-from rest_framework import status as http_status
 import os
 import uuid
 import markupsafe
@@ -15,6 +14,7 @@
 from django.db import transaction
 from django.contrib.contenttypes.models import ContentType
 from elasticsearch import exceptions as es_exceptions
+from rest_framework import status as http_status
 
 from api.caching.tasks import update_storage_usage_with_size
 
@@ -32,7 +32,7 @@
 from framework.exceptions import HTTPError
 from framework.flask import redirect
 from framework.sentry import log_exception
-from framework.routing import json_renderer, proxy_url
+from framework.routing import proxy_url
 from framework.transactions.handlers import no_auto_transaction
 from website import mails
 from website import settings
@@ -45,7 +45,6 @@
     BaseFileVersionsThrough,
     OSFUser,
     AbstractNode,
-    DraftNode,
     Preprint,
     Node,
     NodeLog,
@@ -65,7 +64,6 @@
 
 # import so that associated listener is instantiated and gets emails
 from website.notifications.events.files import FileEvent  # noqa
-from osf.utils.requests import requests_retry_session
 
 ERROR_MESSAGES = {'FILE_GONE': u"""
 <style>
@@ -118,6 +116,25 @@
 
 WATERBUTLER_JWE_KEY = jwe.kdf(settings.WATERBUTLER_JWE_SECRET.encode('utf-8'), settings.WATERBUTLER_JWE_SALT.encode('utf-8'))
 
+_READ_ACTIONS = frozenset([
+    'revisions',
+    'metadata',
+    'download',
+    'render',
+    'export',
+    'copyfrom',
+])
+_WRITE_ACTIONS = frozenset([
+    'create_folder',
+    'upload',
+    'delete',
+    'copy',
+    'move',
+    'copyto',
+    'moveto',
+    'movefrom',
+])
+
 
 @decorators.must_have_permission(permissions.WRITE)
 @decorators.must_not_be_registration
@@ -175,86 +192,6 @@ def get_permission_for_action(action):
     return permission
 
 
-def check_resource_permissions(resource, auth, action):
-    """Check if the user has the required permission on the resource."""
-
-    # Users attempting to register projects with components might not have
-    # `write` permissions for all components. This will result in a 403 for
-    # all `upload` actions as well as `copyfrom` actions if the component
-    # in question is not public. To get around this, we have to recursively
-    # check the node's parent node to determine if they have `write`
-    # permissions up the stack.
-    # TODO(hrybacki): is there a way to tell if this is for a registration?
-    # All nodes being registered that receive the `upload` action will have
-    # `node.is_registration` == True. However, we have no way of telling if
-    # `copyfrom` actions are originating from a node being registered.
-    # TODO This is raise UNAUTHORIZED for registrations that have not been archived yet
-
-    required_permission = get_permission_for_action(action)
-    if isinstance(resource, Registration):
-        return _check_registration_permissions(resource, auth, required_permission, action)
-    elif isinstance(resource, Node):
-        return _check_node_permissions(resource, auth, required_permission, action)
-    elif isinstance(resource, Preprint):
-        return _check_preprint_permissions(resource, auth, required_permission)
-    elif isinstance(resource, DraftNode):
-        draft_registration = resource.registered_draft.first()
-        return _check_draft_registration_permissions(draft_registration, auth, required_permission)
-    else:
-        raise NotImplementedError()
-
-
-def _check_registration_permissions(registration, auth, permission, action):
-    if permission == permissions.READ:
-        return registration.can_view(auth) or registration.registered_from.can_view(auth)
-    if action in ('copyfrom', 'upload'):
-        return _check_hierarchical_write_permissions(resource=registration, auth=auth)
-    return registration.can_edit(auth)
-
-
-def _check_node_permissions(node, auth, permission, action):
-    if permission == permissions.READ:
-        return node.can_view(auth)
-    if node.can_edit(auth):
-        return True
-    if action == 'copyfrom':
-        return _check_hierarchical_write_permissions(resource=node, auth=auth)
-
-
-def _check_preprint_permissions(preprint, auth, permission):
-    if permission == permissions.READ:
-        return preprint.can_view_files(auth)
-    return preprint.can_edit(auth)
-
-
-def _check_draft_registration_permissions(draft_registration, auth, permission):
-    if permission == permissions.READ:
-        return draft_registration.can_view(auth)
-    return draft_registration.can_edit(auth)
-
-
-def _check_hierarchical_write_permissions(resource, auth):
-    permissions_resource = resource
-    while permissions_resource:
-        if permissions_resource.can_edit(auth):
-            return True
-        permissions_resource = permissions_resource.parent_node
-    return False
-
-def _download_is_from_mfr(waterbutler_data):
-    metrics_data = waterbutler_data['metrics']
-    uri = metrics_data['uri']
-    is_render_uri = furl.furl(uri or '').query.params.get('mode') == 'render'
-    return (
-        # This header is sent for download requests that
-        # originate from MFR, e.g. for the code pygments renderer
-        request.headers.get('X-Cos-Mfr-Render-Request', None) or
-        # Need to check the URI in order to account
-        # for renderers that send XHRs from the
-        # rendered content, e.g. PDFs
-        is_render_uri
-    )
-
 def make_auth(user):
     if user is not None:
         return {
@@ -265,37 +202,62 @@ def make_auth(user):
     return {}
 
 
-def authenticate_via_oauth_bearer_token(resource, action):
-    authorization = request.headers.get('Authorization')
-    client = cas.get_client()
+@collect_auth
+def get_auth(auth, **kwargs):
+    """
+    Authenticate a request and construct a JWT payload for Waterbutler callbacks.
+    When a user interacts with a file OSF sends a request to WB which itself sends a
+    request to an external service or Osfstorage, in order to confirm that event has
+    taken place Waterbutler will send this callback to OSF to comfirm the file action was
+    successful and can be logged.
 
-    try:
-        access_token = cas.parse_auth_header(authorization)
-        cas_resp = client.profile(access_token)
-    except cas.CasError as err:
-        sentry.log_exception()
-        return json_renderer(err)  # Assuming json_renderer wraps the error in a Response
+    This function decrypts and decodes the JWT payload from the request, authenticates
+    the resource based on the node ID provided in the JWT payload, and ensures the user
+    has the required permissions to perform the specified action on the node. If the user
+    is not authenticated, it attempts to authenticate them using the provided data. This
+    function also constructs a response payload that includes a signed and encrypted JWT,
+    which Waterbutler can use to verify the request.
 
-    permission = get_permission_for_action(action)
-    if permission == permissions.READ:
-        if resource.can_view_files():
-            return OSFUser.load(cas_resp.user)
-        required_scope = resource.file_read_scope
-    else:
-        required_scope = resource.file_write_scope
+    Parameters:
+        auth (Auth): The authentication context, typically collected by the `@collect_auth` decorator.
+        **kwargs: Keyword arguments that might include additional context needed for complex permissions checks.
 
-    token = cas_resp.attributes.get('accessTokenScope')
-    if not token or not cas_resp.authenticated:
-        raise HTTPError(http_status.HTTP_403_FORBIDDEN)
+    Returns:
+        dict: A dictionary containing the encrypted JWT in 'payload', ready to be used by Waterbutler.
 
-    normalize_scopes = oauth_scopes.normalize_scopes(cas_resp.attributes['accessTokenScope'])
-    if required_scope not in normalize_scopes:
-        raise HTTPError(http_status.HTTP_403_FORBIDDEN)
+    Raises:
+        HTTPError: If authentication fails, the node does not exist, the action is not allowed, or
+                   any required data for authentication is missing from the request.
+    """
+    waterbutler_data = _decrypt_and_decode_jwt_payload()
+    resource = _get_authenticated_resource(waterbutler_data['nid'])
 
-    return OSFUser.load(cas_resp.user)
+    action = waterbutler_data['action']
+    _check_resource_permissions(resource, auth, action)
 
+    provider_name = waterbutler_data['provider']
+    file_version = file_node = None
+    if provider_name == 'osfstorage':
+        file_version, file_node = _get_osfstorage_file_version_and_node(
+            file_path=waterbutler_data.get('path'), file_version_id=waterbutler_data.get('version')
+        )
 
-def decrypt_and_decode_jwt_payload():
+    waterbutler_settings, waterbutler_credentials = _get_waterbutler_configs(
+        resource=resource, provider_name=provider_name, file_version=file_version,
+    )
+
+    _enqueue_metrics(file_version=file_version, file_node=file_node, action=action, auth=auth)
+
+    # Construct the response payload including the JWT
+    return _construct_payload(
+        auth=auth,
+        resource=resource,
+        credentials=waterbutler_credentials,
+        waterbutler_settings=waterbutler_settings
+    )
+
+
+def _decrypt_and_decode_jwt_payload():
     try:
         payload_encrypted = request.args.get('payload', '').encode('utf-8')
         payload_decrypted = jwe.decrypt(payload_encrypted, WATERBUTLER_JWE_KEY)
@@ -310,7 +272,7 @@ def decrypt_and_decode_jwt_payload():
         raise HTTPError(http_status.HTTP_403_FORBIDDEN)
 
 
-def get_authenticated_resource(resource_id):
+def _get_authenticated_resource(resource_id):
     resource = AbstractNode.load(resource_id) or Preprint.load(resource_id)
     if not resource:
         raise HTTPError(http_status.HTTP_404_NOT_FOUND, message='Resource not found.')
@@ -321,146 +283,134 @@ def get_authenticated_resource(resource_id):
     return resource
 
 
-def _get_osfstorage_file_version(file_node: OsfStorageFileNode, version_string: str = None) -> FileVersion:
-    if not (file_node and file_node.is_file):
-        return None
+def _check_resource_permissions(resource, auth, action):
+    """Check if the user has the required permission on the resource."""
+    required_permission = _get_permission_for_action(action)
+    _confirm_token_scope(resource, required_permission)
+    if required_permission == permissions.READ:
+        has_resource_permissions = resource.can_view_files(auth=auth)
+    else:
+        has_resource_permissions = resource.can_edit(auth=auth)
 
-    try:
-        return FileVersion.objects.select_related('region').get(
-            basefilenode=file_node,
-            identifier=version_string or str(file_node.versions.count())
-        )
-    except FileVersion.DoesNotExist:
-        raise HTTPError(http_status.HTTP_400_BAD_REQUEST, 'Requested File Version unavailable')
+    if not (has_resource_permissions or _check_hierarchical_permissions(resource, auth, action)):
+        raise HTTPError(http_status.HTTP_403_FORBIDDEN)
+    return True
 
 
-def _get_osfstorage_file_node(file_path: str) -> OsfStorageFileNode:
-    if not file_path:
-        return None
+def _get_permission_for_action(action):
+    if action in _READ_ACTIONS:
+        return permissions.READ
+    if action in _WRITE_ACTIONS:
+        return permissions.WRITE
+    raise HTTPError(http_status.HTTP_400_BAD_REQUEST, message='Invalid action specified.')
 
-    file_id = file_path.strip('/')
-    return OsfStorageFileNode.load(file_id)
 
+def _confirm_token_scope(resource, required_permission):
+    auth_header = request.headers.get('Authorization')
+    if not (auth_header and auth_header.startswith('Bearer ')):
+        return  # No token, no scope conflict
 
-def authenticate_user_if_needed(auth, waterbutler_data, resource):
-    if auth.user:
-        return  # User is already authenticated
+    if required_permission == permissions.READ:
+        if resource.can_view_files(auth=None):
+            return  # Always allow read actions for public files/valid VOL
+        required_scope = resource.file_read_scope
+    else:
+        required_scope = resource.file_write_scope
 
-    if 'cookie' in waterbutler_data:
-        auth.user = OSFUser.from_cookie(waterbutler_data.get('cookie'))
-        if not auth.user:
-            raise HTTPError(http_status.HTTP_401_UNAUTHORIZED, 'Invalid user cookie.')
+    if required_scope not in _get_token_scopes_from_cas(auth_header):
+        raise HTTPError(
+            http_status.HTTP_403_FORBIDDEN, 'Provided token has insufficient scope for this action'
+        )
 
-    authorization = request.headers.get('Authorization')
-    if authorization and authorization.startswith('Bearer '):
-        auth.user = authenticate_via_oauth_bearer_token(resource, waterbutler_data['action'])
 
+def _get_token_scopes_from_cas(auth_header):
+    client = cas.get_client()
+    try:
+        access_token = cas.parse_auth_header(auth_header)
+        cas_resp = client.profile(access_token)
+    except cas.CasError:
+        sentry.log_exception()
+        raise HTTPError(http_status.HTTP_403_FORBIDDEN)
 
-@collect_auth
-def get_auth(auth, **kwargs):
-    """
-    Authenticate a request and construct a JWT payload for Waterbutler callbacks.
-    When a user interacts with a file OSF sends a request to WB which itself sends a
-    request to an external service or Osfstorage, in order to confirm that event has
-    taken place Waterbutler will send this callback to OSF to comfirm the file action was
-    successful and can be logged.
+    if not cas_resp.authenticated:
+        raise HTTPError(
+            http_status.HTTP_403_FORBIDDEN, 'Failed to authenticate via provided Bearer Token'
+        )
 
-    This function decrypts and decodes the JWT payload from the request, authenticates
-    the resource based on the node ID provided in the JWT payload, and ensures the user
-    has the required permissions to perform the specified action on the node. If the user
-    is not authenticated, it attempts to authenticate them using the provided data. This
-    function also constructs a response payload that includes a signed and encrypted JWT,
-    which Waterbutler can use to verify the request.
+    return oauth_scopes.normalize_scopes(cas_resp.attributes.get('accessTokenScope', []))
 
-    Parameters:
-        auth (Auth): The authentication context, typically collected by the `@collect_auth` decorator.
-        **kwargs: Keyword arguments that might include additional context needed for complex permissions checks.
 
-    Returns:
-        dict: A dictionary containing the encrypted JWT in 'payload', ready to be used by Waterbutler.
+def _check_hierarchical_permissions(resource, auth, action):
+    # Users attempting to register projects with components might not have
+    # `write` permissions for all components. This will result in a 403 for
+    # all `upload` actions as well as `copyfrom` actions if the component
+    # in question is not public. To get around this, we have to recursively
+    # check the node's parent node to determine if they have `write`
+    # permissions up the stack.
+    if not isinstance(resource, AbstractNode):
+        return False
 
-    Raises:
-        HTTPError: If authentication fails, the node does not exist, the action is not allowed, or
-                   any required data for authentication is missing from the request.
-    """
+    if action != 'copyfrom' or not (resource.type == 'Registration' and action == 'upload'):
+        return False
 
-    # Decrypt and decode the JWT payload from the request
-    waterbutler_data = decrypt_and_decode_jwt_payload()
+    permissions_resource = resource.parent_node
+    while permissions_resource:
+        # Keeping legacy behavior of checking `can_edit` even though `copyfrom` is a READ action
+        if permissions_resource.can_edit(auth=auth):
+            return True
+        permissions_resource = permissions_resource.parent_node
 
-    # Authenticate the resource based on the node_id and handle potential draft nodes
-    resource = get_authenticated_resource(waterbutler_data['nid'])
+    return False
 
-    # Authenticate the user using cookie or Oauth if possible
-    authenticate_user_if_needed(auth, waterbutler_data, resource)
+def _get_waterbutler_configs(resource, provider_name, file_version):
+    try:
+        addon_settings = resource.serialize_waterbutler_settings(provider_name)
+    except AttributeError:  # No addon configured on resource for provider
+        raise HTTPError(http_status.HTTP_400_BAD_REQUEST, 'Requested Provider unavailable')
+    if file_version:
+        # Override credentials and settings with values for correct storage region
+        addon_credentials = file_version.region.waterbutler_credentials
+        addon_settings.update(file_version.region.waterbutler_settings)
+    else:
+        addon_credentials = resource.serialize_waterbutler_credentials(provider_name)
 
-    # Verify the user has permission to perform the requested action on the node
-    action = waterbutler_data['action']
-    if not check_resource_permissions(resource, auth, action):
-        raise HTTPError(http_status.HTTP_403_FORBIDDEN)
+    return addon_settings, addon_credentials
 
-    # Validate provider, exclude Preprints that don't have `get_addon`.
-    if not isinstance(resource, Preprint):
-        provider = resource.get_addon(waterbutler_data['provider'])
-        if not provider:
-            raise HTTPError(http_status.HTTP_400_BAD_REQUEST)
-    else:
-        provider = None
 
-    # Get the file version from Waterbutler data, which is used for file-specific actions
-    file_node = None
-    fileversion = None
-    if waterbutler_data['provider'] == 'osfstorage':
-        file_node = _get_osfstorage_file_node(waterbutler_data.get('path'))
-        fileversion = _get_osfstorage_file_version(file_node, waterbutler_data.get('version'))
+def _get_osfstorage_file_version_and_node(
+    file_path: str,
+    file_version_id: str = None
+):  # -> tuple[FileVersion, OsfStorageFileNode]
+    if not file_path:
+        return None, None
 
-    # Fetch Waterbutler credentials and settings for the resource
-    credentials, waterbutler_settings = get_waterbutler_data(
-        resource,
-        waterbutler_data,
-        fileversion,
-        provider
-    )
+    file_node = OsfStorageFileNode.load(file_path.strip('/'))
+    if not (file_node and file_node.is_file):
+        return None, None
 
-    if fileversion:
-        # Trigger any file-specific signals based on the action taken (e.g., file viewed, downloaded)
-        if action == 'render':
-            file_signals.file_viewed.send(auth=auth, fileversion=fileversion, file_node=file_node)
-        elif action == 'download' and not _download_is_from_mfr(waterbutler_data):
-            file_signals.file_downloaded.send(auth=auth, fileversion=fileversion, file_node=file_node)
+    try:
+        file_version = FileVersion.objects.select_related('region').get(
+            basefilenode=file_node,
+            identifier=file_version_id or str(file_node.versions.count())
+        )
+    except FileVersion.DoesNotExist:
+        raise HTTPError(http_status.HTTP_400_BAD_REQUEST, 'Requested File Version unavailable')
 
-    # Construct the response payload including the JWT
-    return construct_payload(
-        auth,
-        resource,
-        credentials,
-        waterbutler_settings
-    )
+    return file_version, file_node
 
 
-def get_waterbutler_data(resource, waterbutler_data, fileversion, provider):
-    provider_name = waterbutler_data.get('provider')
-    if isinstance(resource, Preprint):
-        credentials = resource.serialize_waterbutler_credentials()
-        waterbutler_settings = resource.serialize_waterbutler_settings()
-    elif fileversion:
-        credentials = fileversion.region.waterbutler_credentials
-        waterbutler_settings = fileversion.serialize_waterbutler_settings(
-            node_id=provider.owner._id,
-            root_id=provider.root_node._id,
-        )
-    elif waffle.flag_is_active(request, features.ENABLE_GV):
-        data = requests_retry_session(
-            f'{settings.DOMAIN}/v1/configured_storage_addon/{provider_name}/waterbutler-config'
-        )
-        credentials, waterbutler_settings = data['data']
-    else:
-        credentials = resource.serialize_waterbutler_credentials(provider.short_name)
-        waterbutler_settings = resource.serialize_waterbutler_settings(provider.short_name)
+def _enqueue_metrics(file_version, file_node, action, auth):
+    if not file_version:
+        return
 
-    return credentials, waterbutler_settings
+    if action == 'render':
+        file_signals.file_viewed.send(auth=auth, fileversion=file_version, file_node=file_node)
+    elif action == 'download':
+        file_signals.file_downloaded.send(auth=auth, fileversion=file_version, file_node=file_node)
+    return
 
 
-def construct_payload(auth, resource, credentials, waterbutler_settings):
+def _construct_payload(auth, resource, credentials, waterbutler_settings):
 
     if isinstance(resource, Registration):
         callback_url = resource.api_url_for(
diff --git a/osf/external/gravy_valet/auth_helpers.py b/osf/external/gravy_valet/auth_helpers.py
index 5b4e3f8fc7b..6ea5cdce742 100644
--- a/osf/external/gravy_valet/auth_helpers.py
+++ b/osf/external/gravy_valet/auth_helpers.py
@@ -7,7 +7,6 @@
 
 from django.utils import timezone
 
-from osf.models import OSFUser, AbstractNode
 from osf.utils import permissions as osf_permissions
 from website import settings
 
@@ -56,8 +55,8 @@ def _get_signed_components(
 
 
 def make_permissions_headers(
-    requesting_user: typing.Optional[OSFUser] = None,
-    requested_resource: typing.Optional[AbstractNode] = None
+    requesting_user=None,  # OSFUser | None
+    requested_resource=None,  # AbstractNode | None
 ) -> dict:
     osf_permissions_headers = {}
     if requesting_user:
diff --git a/osf/external/gravy_valet/translations.py b/osf/external/gravy_valet/translations.py
index c5d9f98ed7e..529d2cd29dd 100644
--- a/osf/external/gravy_valet/translations.py
+++ b/osf/external/gravy_valet/translations.py
@@ -3,7 +3,6 @@
 import dataclasses
 
 from addons.box.apps import BoxAddonAppConfig
-from osf.models import Node, OSFUser
 from . import request_helpers as gv_requests
 
 
@@ -66,8 +65,8 @@ class EphemeralNodeSettings:
     gv_id: str
 
     # These are needed in order to make further requests for credentials
-    configured_resource: Node
-    active_user: OSFUser
+    configured_resource: type  # Node
+    active_user: type  # OSFUser
 
     # retrieved from WB on-demand and cached
     _credentials: dict = None
@@ -99,6 +98,11 @@ def _fetch_wb_config(self):
         )
         self._credentials = result.get_attribute('credentials')
 
+    def create_waterbutler_log(self, *args, **kwargs):
+        pass
+
+    def save():
+        pass
 
 @dataclasses.dataclass
 class EphemeralUserSettings:
@@ -106,8 +110,11 @@ class EphemeralUserSettings:
     config: EphemeralAddonConfig
     gv_id: str
     # This is needed to support making further requests
-    active_user: OSFUser
+    active_user: type  # : OSFUser
 
     @property
     def short_name(self):
         return self.config.short_name
+
+    def can_be_merged(self):
+        return True
diff --git a/osf/models/draft_node.py b/osf/models/draft_node.py
index fec0bfc346e..f2165e8f855 100644
--- a/osf/models/draft_node.py
+++ b/osf/models/draft_node.py
@@ -37,6 +37,12 @@ def update_search(self):
         """
         return
 
+    def can_view(self, auth):
+        return self.registered_draft.first().can_view(auth)
+
+    def can_edit(self, auth=None, user=None):
+        return self.registered_draft.first().can_edit(auth, user)
+
     def convert_draft_node_to_node(self, auth):
         self.recast('osf.node')
         self.save()
diff --git a/osf/models/mixins.py b/osf/models/mixins.py
index dfc00364f97..e22acb24857 100644
--- a/osf/models/mixins.py
+++ b/osf/models/mixins.py
@@ -1,7 +1,10 @@
+import itertools
 import pytz
 import markupsafe
 import logging
 
+import waffle
+
 from django.apps import apps
 from django.contrib.auth.models import Group, AnonymousUser
 from django.core.exceptions import ObjectDoesNotExist, ValidationError
@@ -32,6 +35,7 @@
 from .tag import Tag
 from osf.utils import sanitize
 from .validators import validate_subject_hierarchy, validate_email, expand_subject_hierarchy
+from osf import features
 from osf.utils.fields import NonNaiveDateTimeField
 from osf.utils.datetime_aware_jsonfield import DateTimeAwareJSONField
 from osf.utils.machines import (
@@ -471,6 +475,8 @@ class AddonModelMixin(models.Model):
     settings_type = None
     ADDONS_AVAILABLE = sorted([config for config in apps.get_app_configs() if config.name.startswith('addons.') and
         config.label != 'base'], key=lambda config: config.name)
+    # These addon configurations will continue to live in the OSF for the foreseeable future
+    OSF_HOSTED_ADDONS = ['forward', 'osfstorage', 'twofactor', 'wiki']
 
     class Meta:
         abstract = True
@@ -484,6 +490,14 @@ def addons(self):
         return self.get_addons()
 
     def get_addons(self):
+        request, user_id = get_request_and_user_id()
+        if waffle.flag_is_active(request, features.ENABLE_GV):
+            osf_addons = filter(
+                lambda x: x is not None,
+                (self.get_addon(addon) for addon in self.OSF_HOSTED_ADDONS)
+            )
+            return itertools.chain(osf_addons, self._get_addons_from_gv(requesting_user_id=user_id))
+
         return [_f for _f in [
             self.get_addon(config.short_name)
             for config in self.ADDONS_AVAILABLE
@@ -511,6 +525,12 @@ def get_or_add_addon(self, name, *args, **kwargs):
         return self.add_addon(name, *args, **kwargs)
 
     def get_addon(self, name, is_deleted=False):
+        # Avoid test-breakages by avoiding early access to the request context
+        if name not in self.OSF_HOSTED_ADDONS:
+            request, user_id = get_request_and_user_id()
+            if waffle.flag_is_active(request, features.ENABLE_GV):
+                return self._get_addon_from_gv(gv_pk=name, requesting_user_id=user_id)
+
         try:
             settings_model = self._settings_model(name)
         except LookupError:
diff --git a/osf/models/node.py b/osf/models/node.py
index 0869e019ff2..1d312d34954 100644
--- a/osf/models/node.py
+++ b/osf/models/node.py
@@ -54,6 +54,10 @@
 from .user import OSFUser
 from .validators import validate_title, validate_doi
 from framework.auth.core import Auth
+from osf.external.gravy_valet import (
+    request_helpers as gv_requests,
+    translations as gv_translations,
+)
 from osf.utils.datetime_aware_jsonfield import DateTimeAwareJSONField
 from osf.utils.fields import NonNaiveDateTimeField, ensure_str
 from osf.utils.requests import get_request_and_user_id, string_type_request_headers
@@ -2430,6 +2434,32 @@ def _remove_from_associated_collections(self, auth=None, force=False):
                     force=True
                 )
 
+    def _get_addon_from_gv(self, gv_pk, requesting_user_id):
+        requesting_user = OSFUser.load(requesting_user_id)
+        gv_addon_data = gv_requests.get_addon(
+            gv_addon_pk=gv_pk,
+            requested_resource=self,
+            requesting_user=requesting_user,
+        )
+        return gv_translations.make_ephemeral_node_settings(
+            gv_addon_data=gv_addon_data,
+            requested_resource=self,
+            requesting_user=requesting_user
+        )
+
+    def _get_addons_from_gv(self, requesting_user_id):
+        requesting_user = OSFUser.load(requesting_user_id)
+        all_node_addon_data = gv_requests.iterate_addons_for_resource(
+            requested_resource=self,
+            requesting_user=requesting_user
+        )
+        for addon_data in all_node_addon_data:
+            yield gv_translations.make_ephemeral_node_settings(
+                gv_addon_data=addon_data,
+                requested_resource=self,
+                requesting_user=requesting_user
+            )
+
 
 class NodeUserObjectPermission(UserObjectPermissionBase):
     """
diff --git a/osf/models/preprint.py b/osf/models/preprint.py
index 0a188e9f28b..43f7a56b2ae 100644
--- a/osf/models/preprint.py
+++ b/osf/models/preprint.py
@@ -929,6 +929,8 @@ def serialize_waterbutler_settings(self, provider_name=None):
         Since preprints don't have addons, this method has been pulled over from the
         OSFStorage addon
         """
+        if provider_name and provider_name != 'osfstorage':
+            raise ValueError('Preprints only have access to osfstorage')
         return dict(Region.objects.get(id=self.region_id).waterbutler_settings, **{
             'nid': self._id,
             'rootId': self.root_folder._id,
@@ -945,6 +947,8 @@ def serialize_waterbutler_credentials(self, provider_name=None):
         Since preprints don't have addons, this method has been pulled over from the
         OSFStorage addon
         """
+        if provider_name and provider_name != 'osfstorage':
+            raise ValueError('Preprints only have access to osfstorage')
         return Region.objects.get(id=self.region_id).waterbutler_credentials
 
     def create_waterbutler_log(self, auth, action, payload):
diff --git a/osf/models/user.py b/osf/models/user.py
index d9d7d5db68e..31f1ab48a90 100644
--- a/osf/models/user.py
+++ b/osf/models/user.py
@@ -36,6 +36,10 @@
 from framework.exceptions import PermissionsError
 from framework.sessions.utils import remove_sessions_for_user
 from api.share.utils import update_share
+from osf.external.gravy_valet import (
+    request_helpers as gv_requests,
+    translations as gv_translations,
+)
 from osf.utils.requests import get_current_request
 from osf.exceptions import reraise_django_validation_errors, UserStateError
 from .base import BaseModel, GuidMixin, GuidMixinQuerySet
@@ -1906,6 +1910,34 @@ def check_spam(self, saved_fields, request_headers):
 
         return is_spam
 
+    def _get_addon_from_gv(self, gv_pk, requesting_user_id):
+        requesting_user = OSFUser.load(requesting_user_id)
+        if requesting_user and requesting_user != self:
+            raise ValueError('Cannot get user addons for a user other than self')
+
+        gv_account_data = gv_requests.get_account(
+            gv_account_pk=gv_pk,
+            requesting_user=self,
+        )
+        return gv_translations.make_ephemeral_node_settings(
+            gv_account_data=gv_account_data,
+            requesting_user=self,
+        )
+
+    def _get_addons_from_gv(self, requesting_user_id):
+        requesting_user = OSFUser.load(requesting_user_id)
+        if requesting_user and requesting_user != self:
+            raise ValueError('Cannot get user addons for a user other than self')
+
+        all_user_account_data = gv_requests.iterate_accounts_for_user(
+            requesting_user=self,
+        )
+        for account_data in all_user_account_data:
+            yield gv_translations.make_ephemeral_user_settings(
+                gv_account_data=account_data,
+                requesting_user=self,
+            )
+
     def _validate_admin_status_for_gdpr_delete(self, resource):
         """
         Ensure that deleting the user won't leave the node without an admin.
diff --git a/tests/test_addons.py b/tests/test_addons.py
index 2aae58505e3..333d0373dbe 100644
--- a/tests/test_addons.py
+++ b/tests/test_addons.py
@@ -99,69 +99,66 @@ def test_auth_download(self):
         url = self.build_url()
         res = self.app.get(url, auth=self.user.auth)
         data = jwt.decode(jwe.decrypt(res.json['payload'].encode('utf-8'), self.JWE_KEY), settings.WATERBUTLER_JWT_SECRET, algorithm=settings.WATERBUTLER_JWT_ALGORITHM)['data']
-        assert_equal(data['auth'], views.make_auth(self.user))
-        assert_equal(data['credentials'], self.node_addon.serialize_waterbutler_credentials())
-        assert_equal(data['settings'], self.node_addon.serialize_waterbutler_settings())
+        self.assertEqual(data['auth'], views.make_auth(self.user))
+        self.assertEqual(data['credentials'], self.node_addon.serialize_waterbutler_credentials())
+        self.assertEqual(data['settings'], self.node_addon.serialize_waterbutler_settings())
         expected_url = furl.furl(self.node.api_url_for('create_waterbutler_log', _absolute=True, _internal=True))
         observed_url = furl.furl(data['callback_url'])
         observed_url.port = expected_url.port
-        assert_equal(expected_url, observed_url)
+        self.assertEqual(expected_url, observed_url)
 
     def test_auth_render_action_returns_200(self):
         url = self.build_url(action='render')
         res = self.app.get(url, auth=self.user.auth)
-        assert_equal(res.status_code, 200)
+        self.assertEqual(res.status_code, 200)
     def test_auth_render_action_requires_read_permission(self):
         node = ProjectFactory(is_public=False)
         url = self.build_url(action='render', nid=node._id)
         res = self.app.get(url, auth=self.user.auth, expect_errors=True)
-        assert_equal(res.status_code, 403)
+        self.assertEqual(res.status_code, 403)
 
     def test_auth_export_action_returns_200(self):
         url = self.build_url(action='export')
         res = self.app.get(url, auth=self.user.auth)
-        assert_equal(res.status_code, 200)
+        self.assertEqual(res.status_code, 200)
 
     def test_auth_export_action_requires_read_permission(self):
         node = ProjectFactory(is_public=False)
         url = self.build_url(action='export', nid=node._id)
         res = self.app.get(url, auth=self.user.auth, expect_errors=True)
-        assert_equal(res.status_code, 403)
+        self.assertEqual(res.status_code, 403)
 
-    def test_auth_missing_args(self):
-        url = self.build_url(cookie=None)
-        res = self.app.get(url, expect_errors=True)
-        assert_equal(res.status_code, 401)
-
-    def test_auth_bad_cookie(self):
-        url = self.build_url(cookie=self.cookie)
+    def test_auth_cookie(self):
+        url = self.build_url()
+        self.app.set_cookie(name=settings.COOKIE_NAME, value=self.cookie)
         res = self.app.get(url, expect_errors=True)
-        assert_equal(res.status_code, 200)
+        self.assertEqual(res.status_code, 200)
         data = jwt.decode(jwe.decrypt(res.json['payload'].encode('utf-8'), self.JWE_KEY), settings.WATERBUTLER_JWT_SECRET, algorithm=settings.WATERBUTLER_JWT_ALGORITHM)['data']
-        assert_equal(data['auth'], views.make_auth(self.user))
-        assert_equal(data['credentials'], self.node_addon.serialize_waterbutler_credentials())
-        assert_equal(data['settings'], self.node_addon.serialize_waterbutler_settings())
+        self.assertEqual(data['auth'], views.make_auth(self.user))
+        self.assertEqual(data['credentials'], self.node_addon.serialize_waterbutler_credentials())
+        self.assertEqual(data['settings'], self.node_addon.serialize_waterbutler_settings())
         expected_url = furl.furl(self.node.api_url_for('create_waterbutler_log', _absolute=True, _internal=True))
         observed_url = furl.furl(data['callback_url'])
         observed_url.port = expected_url.port
-        assert_equal(expected_url, observed_url)
+        self.assertEqual(expected_url, observed_url)
 
     def test_auth_cookie(self):
-        url = self.build_url(cookie=self.cookie[::-1])
+        url = self.build_url()
+        self.app.set_cookie(name=settings.COOKIE_NAME, value=self.cookie[::-1])
         res = self.app.get(url, expect_errors=True)
-        assert_equal(res.status_code, 401)
+        self.assertEqual(res.status_code, 302) # redirect to CAS if cannot extract cookie
 
     def test_auth_missing_addon(self):
         url = self.build_url(provider='queenhub')
         res = self.app.get(url, expect_errors=True, auth=self.user.auth)
-        assert_equal(res.status_code, 400)
+        self.assertEqual(res.status_code, 400)
 
     @mock.patch('addons.base.views.cas.get_client')
     def test_auth_bad_bearer_token(self, mock_cas_client):
         mock_cas_client.return_value = mock.Mock(profile=mock.Mock(return_value=cas.CasResponse(authenticated=False)))
         url = self.build_url()
         res = self.app.get(url, headers={'Authorization': 'Bearer invalid_access_token'}, expect_errors=True)
-        assert_equal(res.status_code, 403)
+        self.assertEqual(res.status_code, 403)
 
     def test_action_render_marks_version_as_seen(self):
         noncontrib = AuthUserFactory()
@@ -169,7 +166,7 @@ def test_action_render_marks_version_as_seen(self):
         test_file = create_test_file(node, self.user)
         url = self.build_url(nid=node._id, action='render', provider='osfstorage', path=test_file.path)
         res = self.app.get(url, auth=noncontrib.auth)
-        assert_equal(res.status_code, 200)
+        self.assertEqual(res.status_code, 200)
 
         # Add a new version, make sure that does not have a record
         version = FileVersionFactory()
@@ -185,11 +182,11 @@ def test_action_download_contrib(self):
         url = self.build_url(action='download', provider='osfstorage', path=test_file.path, version=1)
         nlogs = self.node.logs.count()
         res = self.app.get(url, auth=self.user.auth)
-        assert_equal(res.status_code, 200)
+        self.assertEqual(res.status_code, 200)
 
         test_file.reload()
-        assert_equal(test_file.get_download_count(), 0) # contribs don't count as downloads
-        assert_equal(self.node.logs.count(), nlogs) # don't log downloads
+        self.assertEqual(test_file.get_download_count(), 0) # contribs don't count as downloads
+        self.assertEqual(self.node.logs.count(), nlogs) # don't log downloads
 
     def test_action_download_non_contrib(self):
         noncontrib = AuthUserFactory()
@@ -198,22 +195,22 @@ def test_action_download_non_contrib(self):
         url = self.build_url(nid=node._id, action='download', provider='osfstorage', path=test_file.path, version=1)
         nlogs = node.logs.count()
         res = self.app.get(url, auth=noncontrib.auth)
-        assert_equal(res.status_code, 200)
+        self.assertEqual(res.status_code, 200)
 
         test_file.reload()
-        assert_equal(test_file.get_download_count(), 1)
-        assert_equal(node.logs.count(), nlogs) # don't log views
+        self.assertEqual(test_file.get_download_count(), 1)
+        self.assertEqual(node.logs.count(), nlogs) # don't log views
 
     def test_action_download_mfr_views_contrib(self):
         test_file = create_test_file(self.node, self.user)
         url = self.build_url(action='render', provider='osfstorage', path=test_file.path, version=1)
         nlogs = self.node.logs.count()
         res = self.app.get(url, auth=self.user.auth)
-        assert_equal(res.status_code, 200)
+        self.assertEqual(res.status_code, 200)
 
         test_file.reload()
-        assert_equal(test_file.get_view_count(), 0) # contribs don't count as views
-        assert_equal(self.node.logs.count(), nlogs) # don't log views
+        self.assertEqual(test_file.get_view_count(), 0) # contribs don't count as views
+        self.assertEqual(self.node.logs.count(), nlogs) # don't log views
 
     def test_action_download_mfr_views_non_contrib(self):
         noncontrib = AuthUserFactory()
@@ -222,11 +219,11 @@ def test_action_download_mfr_views_non_contrib(self):
         url = self.build_url(nid=node._id, action='render', provider='osfstorage', path=test_file.path, version=1)
         nlogs = node.logs.count()
         res = self.app.get(url, auth=noncontrib.auth)
-        assert_equal(res.status_code, 200)
+        self.assertEqual(res.status_code, 200)
 
         test_file.reload()
-        assert_equal(test_file.get_view_count(), 1)
-        assert_equal(node.logs.count(), nlogs) # don't log views
+        self.assertEqual(test_file.get_view_count(), 1)
+        self.assertEqual(node.logs.count(), nlogs) # don't log views
 
 
 class TestAddonLogs(OsfTestCase):
@@ -330,10 +327,10 @@ def test_add_log(self, mock_perform):
         nlogs = self.node.logs.count()
         self.app.put_json(url, payload, headers={'Content-Type': 'application/json'})
         self.node.reload()
-        assert_equal(self.node.logs.count(), nlogs + 1)
+        self.assertEqual(self.node.logs.count(), nlogs + 1)
         # # Mocking form_message and perform so that the payload need not be exact.
-        # assert_true(mock_form_message.called, "form_message not called")
-        assert_true(mock_perform.called, 'perform not called')
+        # self.assertTrue(mock_form_message.called, "form_message not called")
+        self.assertTrue(mock_perform.called, 'perform not called')
 
     def test_add_log_missing_args(self):
         path = 'pizza'
@@ -346,9 +343,9 @@ def test_add_log_missing_args(self):
             headers={'Content-Type': 'application/json'},
             expect_errors=True,
         )
-        assert_equal(res.status_code, 400)
+        self.assertEqual(res.status_code, 400)
         self.node.reload()
-        assert_equal(self.node.logs.count(), nlogs)
+        self.assertEqual(self.node.logs.count(), nlogs)
 
     def test_add_log_no_user(self):
         path = 'pizza'
@@ -361,9 +358,9 @@ def test_add_log_no_user(self):
             headers={'Content-Type': 'application/json'},
             expect_errors=True,
         )
-        assert_equal(res.status_code, 400)
+        self.assertEqual(res.status_code, 400)
         self.node.reload()
-        assert_equal(self.node.logs.count(), nlogs)
+        self.assertEqual(self.node.logs.count(), nlogs)
 
     def test_add_log_no_addon(self):
         path = 'pizza'
@@ -377,9 +374,9 @@ def test_add_log_no_addon(self):
             headers={'Content-Type': 'application/json'},
             expect_errors=True,
         )
-        assert_equal(res.status_code, 400)
+        self.assertEqual(res.status_code, 400)
         self.node.reload()
-        assert_equal(node.logs.count(), nlogs)
+        self.assertEqual(node.logs.count(), nlogs)
 
     def test_add_log_bad_action(self):
         path = 'pizza'
@@ -392,9 +389,9 @@ def test_add_log_bad_action(self):
             headers={'Content-Type': 'application/json'},
             expect_errors=True,
         )
-        assert_equal(res.status_code, 400)
+        self.assertEqual(res.status_code, 400)
         self.node.reload()
-        assert_equal(self.node.logs.count(), nlogs)
+        self.assertEqual(self.node.logs.count(), nlogs)
 
     def test_action_file_rename(self):
         url = self.node.api_url_for('create_waterbutler_log')
@@ -426,7 +423,7 @@ def test_action_file_rename(self):
         )
         self.node.reload()
 
-        assert_equal(
+        self.assertEqual(
             self.node.logs.latest().action,
             'github_addon_file_renamed',
         )
@@ -521,10 +518,10 @@ def test_action_downloads_contrib(self):
                 headers={'Content-Type': 'application/json'},
                 expect_errors=False,
             )
-            assert_equal(res.status_code, 200)
+            self.assertEqual(res.status_code, 200)
 
         self.node.reload()
-        assert_equal(self.node.logs.count(), nlogs)
+        self.assertEqual(self.node.logs.count(), nlogs)
 
     def test_add_file_osfstorage_log(self):
         self.configure_osf_addon()
@@ -534,7 +531,7 @@ def test_add_file_osfstorage_log(self):
         nlogs = self.node.logs.count()
         self.app.put_json(url, payload, headers={'Content-Type': 'application/json'})
         self.node.reload()
-        assert_equal(self.node.logs.count(), nlogs + 1)
+        self.assertEqual(self.node.logs.count(), nlogs + 1)
         assert('urls' in self.node.logs.filter(action='osf_storage_file_added')[0].params)
 
     def test_add_log_updates_cache_create(self):
@@ -1012,7 +1009,7 @@ def test_add_folder_osfstorage_log(self):
         nlogs = self.node.logs.count()
         self.app.put_json(url, payload, headers={'Content-Type': 'application/json'})
         self.node.reload()
-        assert_equal(self.node.logs.count(), nlogs + 1)
+        self.assertEqual(self.node.logs.count(), nlogs + 1)
         assert('urls' not in self.node.logs.filter(action='osf_storage_file_added')[0].params)
 
 
@@ -1024,24 +1021,33 @@ def setUp(self):
         self.node = ProjectFactory(creator=self.user)
 
     def test_has_permission(self):
-        res = views.check_resource_permissions(self.node, Auth(user=self.user), 'upload')
-        assert_true(res)
+        self.assertTrue(
+            views._check_resource_permissions(self.node, Auth(user=self.user), 'upload')
+        )
 
     def test_not_has_permission_read_public(self):
         self.node.is_public = True
         self.node.save()
-        views.check_resource_permissions(self.node, Auth(), 'download')
+        self.assertTrue(
+            views._check_resource_permissions(self.node, Auth(), 'download')
+        )
 
     def test_not_has_permission_read_has_link(self):
         link = new_private_link('red-special', self.user, [self.node], anonymous=False)
-        views.check_resource_permissions(self.node, Auth(private_key=link.key), 'download')
+        self.assertTrue(
+            views._check_resource_permissions(self.node, Auth(private_key=link.key), 'download')
+        )
 
     def test_not_has_permission_logged_in(self):
         user2 = AuthUserFactory()
-        assert_false(views.check_resource_permissions(self.node, Auth(user=user2), 'download'))
+        with assert_raises(HTTPError) as exc_info:
+            views._check_resource_permissions(self.node, Auth(user=user2), 'download')
+        self.assertEqual(exc_info.exception.code, 403)
 
     def test_not_has_permission_not_logged_in(self):
-        assert_false(views.check_resource_permissions(self.node, Auth(), 'download'))
+        with assert_raises(HTTPError) as exc_info:
+            views._check_resource_permissions(self.node, Auth(), 'download')
+        self.assertEqual(exc_info.exception.code, 403)
 
     def test_has_permission_on_parent_node_upload_pass_if_registration(self):
         component_admin = AuthUserFactory()
@@ -1050,8 +1056,10 @@ def test_has_permission_on_parent_node_upload_pass_if_registration(self):
 
         component_registration = registration._nodes.first()
 
-        assert_false(component_registration.has_permission(self.user, WRITE))
-        assert_true(views.check_resource_permissions(component_registration, Auth(user=self.user), 'upload'))
+        self.assertFalse(component_registration.has_permission(self.user, WRITE))
+        self.assertTrue(
+            views._check_resource_permissions(component_registration, Auth(user=component_admin), 'upload')
+        )
 
     def test_has_permission_on_parent_node_metadata_pass_if_registration(self):
         component_admin = AuthUserFactory()
@@ -1059,24 +1067,28 @@ def test_has_permission_on_parent_node_metadata_pass_if_registration(self):
 
         component_registration = RegistrationFactory(project=component, creator=component_admin)
 
-        assert_false(component_registration.has_permission(self.user, READ))
-        res = views.check_resource_permissions(component_registration, Auth(user=self.user), 'metadata')
-        assert_true(res)
+        self.assertFalse(component_registration.has_permission(self.user, READ))
+        self.assertTrue(
+            views._check_resource_permissions(component_registration, Auth(user=component_admin), 'metadata')
+        )
 
     def test_has_permission_on_parent_node_upload_fail_if_not_registration(self):
         component_admin = AuthUserFactory()
         component = ProjectFactory(creator=component_admin, parent=self.node)
 
-        assert_false(component.has_permission(self.user, WRITE))
-        assert_false(views.check_resource_permissions(component, Auth(user=self.user), 'upload'))
+        self.assertFalse(component.has_permission(self.user, WRITE))
+        with assert_raises(HTTPError) as exc_info:
+            views._check_resource_permissions(component, Auth(user=self.user), 'upload')
+        self.assertEqual(exc_info.exception.code, 403)
 
     def test_has_permission_on_parent_node_copyfrom(self):
         component_admin = AuthUserFactory()
         component = ProjectFactory(creator=component_admin, is_public=False, parent=self.node)
 
-        assert_false(component.has_permission(self.user, WRITE))
-        res = views.check_resource_permissions(component, Auth(user=self.user), 'copyfrom')
-        assert_true(res)
+        self.assertFalse(component.has_permission(self.user, WRITE))
+        self.assertTrue(
+            views._check_resource_permissions(component, Auth(user=component_admin), 'copyfrom')
+        )
 
 
 class TestCheckOAuth(OsfTestCase):
@@ -1085,110 +1097,52 @@ def setUp(self):
         super(TestCheckOAuth, self).setUp()
         self.user = AuthUserFactory()
         self.node = ProjectFactory(creator=self.user)
+        self.headers_patcher = mock.patch('addons.base.views.request.headers')
+        self.mock_headers = self.headers_patcher.start()
+        self.mock_headers.return_value = {'Authorization': 'Bearer oauth'}
+        self.addCleanup(mock.patch.stopall)
+
+    def tearDown(self):
+        # inherited tearDown blows up if mock is running
+        self.headers_patcher.stop()
+        super().tearDown()
 
-    @mock.patch('framework.auth.cas.parse_auth_header')
     @mock.patch('framework.auth.cas.get_client')
-    def test_has_permission_private_not_authenticated(self, mock_get_client, mock_parse_auth_header):
-        component_admin = AuthUserFactory()
-        component = ProjectFactory(creator=component_admin, is_public=False, parent=self.node)
+    def test_user_has_permission__token_not_authenticated(self, mock_get_client):
         mock_cas_response = cas.CasResponse(authenticated=False)
         mock_get_client.return_value.profile.return_value = mock_cas_response
 
-        self.assertFalse(component.has_permission(self.user, 'write'))
         with self.assertRaises(HTTPError) as context:
-            views.authenticate_via_oauth_bearer_token(component, 'download')
+            views._check_resource_permissions(self.node, Auth(self.user), 'download')
         self.assertEqual(context.exception.code, 403)
 
-    @mock.patch('framework.auth.cas.parse_auth_header')
-    @mock.patch('framework.auth.cas.get_client')
-    def test_has_permission_private_no_scope_forbidden(self, mock_get_client, mock_parse_auth_header):
-        component_admin = AuthUserFactory()
-        component = ProjectFactory(creator=component_admin, is_public=False, parent=self.node)
-        mock_cas_response = cas.CasResponse(authenticated=True, status=None, user=self.user._id,
-                                            attributes={'accessTokenScope': {}})
-        mock_get_client.return_value.profile.return_value = mock_cas_response
+    @mock.patch('addons.base.views._get_token_scopes_from_cas')
+    def test_user_has_permission__token_lacks_scope__write(self, mock_get_scopes):
+        mock_get_scopes.return_value = [self.node.file_read_scope]
+        self.assertTrue(self.node.has_permission(self.user, WRITE))
+        with self.assertRaises(HTTPError) as context:
+            views._check_resource_permissions(self.node, Auth(self.user), 'upload')
+        self.assertEqual(context.exception.code, 403)
 
-        self.assertFalse(component.has_permission(self.user, WRITE))
+    @mock.patch('addons.base.views._get_token_scopes_from_cas')
+    def test_user_has_permission__token_lacks_scope__private_read_forbidden(self, mock_get_scopes):
+        self.node.is_public = False
+        self.node.save()
+        mock_get_scopes.return_value = [self.node.file_write_scope]
+        self.assertTrue(self.node.has_permission(self.user, READ))
         with self.assertRaises(HTTPError) as context:
-            views.authenticate_via_oauth_bearer_token(component, 'download')
+            views._check_resource_permissions(self.node, Auth(self.user), 'download')
         self.assertEqual(context.exception.code, 403)
 
-    @mock.patch('framework.auth.cas.parse_auth_header')
-    @mock.patch('framework.auth.cas.get_client')
-    def test_has_permission_public_irrelevant_scope_allowed(self, mock_get_client, mock_parse_auth_header):
-        component_admin = AuthUserFactory()
-        component = ProjectFactory(
-            creator=component_admin,
-            is_public=True,
-            parent=self.node
-        )
-        mock_cas_response = cas.CasResponse(
-            authenticated=True,
-            status=None,
-            user=self.user._id,
-            attributes={'accessTokenScope': {'osf.users.all_read'}}
+    @mock.patch('addons.base.views._get_token_scopes_from_cas')
+    def test_user_has_permission__token_lacks_scope__public_read_allowed(self, mock_get_scopes):
+        self.node.is_public = True
+        self.node.save()
+        mock_get_scopes.return_value = []
+        self.assertTrue(self.node.has_permission(self.user, READ))
+        self.assertTrue(
+            views._check_resource_permissions(self.node, Auth(self.user), 'download')
         )
-        mock_get_client.return_value.profile.return_value = mock_cas_response
-
-        self.assertFalse(component.has_permission(self.user, WRITE))
-        result = views.authenticate_via_oauth_bearer_token(component, 'download')
-        self.assertTrue(result)
-
-    @mock.patch('framework.auth.cas.parse_auth_header')
-    @mock.patch('framework.auth.cas.get_client')
-    def test_has_permission_private_irrelevant_scope_forbidden(self, mock_get_client, mock_parse_auth_header):
-        component_admin = AuthUserFactory()
-        component = ProjectFactory(creator=component_admin, is_public=False, parent=self.node)
-        mock_cas_response = cas.CasResponse(authenticated=True, status=None, user=self.user._id,
-                                   attributes={'accessTokenScope': {'osf.users.all_read'}})
-        mock_get_client.return_value.profile.return_value = mock_cas_response
-
-        assert_false(component.has_permission(self.user, WRITE))
-        with assert_raises(HTTPError) as exc_info:
-            views.authenticate_via_oauth_bearer_token(component, 'download')
-        assert_equal(exc_info.exception.code, 403)
-
-    @mock.patch('framework.auth.cas.parse_auth_header')
-    @mock.patch('framework.auth.cas.get_client')
-    def test_has_permission_decommissioned_scope_no_error(self, mock_get_client, mock_parse_auth_header):
-        component_admin = AuthUserFactory()
-        component = ProjectFactory(creator=component_admin, is_public=False, parent=self.node)
-        mock_cas_response = cas.CasResponse(authenticated=True, status=None, user=self.user._id,
-                                   attributes={'accessTokenScope': {
-                                       'decommissioned.scope+write',
-                                       'osf.nodes.data_read',
-                                   }})
-        mock_get_client.return_value.profile.return_value = mock_cas_response
-
-        assert_false(component.has_permission(self.user, WRITE))
-        res = views.authenticate_via_oauth_bearer_token(component, 'download')
-        assert_true(res)
-
-    @mock.patch('framework.auth.cas.parse_auth_header')
-    @mock.patch('framework.auth.cas.get_client')
-    def test_has_permission_write_scope_read_action(self, mock_get_client, mock_parse_auth_header):
-        component_admin = AuthUserFactory()
-        component = ProjectFactory(creator=component_admin, is_public=False, parent=self.node)
-        mock_cas_response = cas.CasResponse(authenticated=True, status=None, user=self.user._id,
-                                   attributes={'accessTokenScope': {'osf.nodes.data_write'}})
-        mock_get_client.return_value.profile.return_value = mock_cas_response
-
-        assert_false(component.has_permission(self.user, WRITE))
-        res = views.authenticate_via_oauth_bearer_token(component, 'download')
-        assert_true(res)
-
-    @mock.patch('framework.auth.cas.parse_auth_header')
-    @mock.patch('framework.auth.cas.get_client')
-    def test_has_permission_read_scope_write_action_forbidden(self, mock_get_client, mock_parse_auth_header):
-        component = ProjectFactory(creator=self.user, is_public=False, parent=self.node)
-        mock_cas_response = cas.CasResponse(authenticated=True, status=None, user=self.user._id,
-                                   attributes={'accessTokenScope': {'osf.nodes.data_read'}})
-        mock_get_client.return_value.profile.return_value = mock_cas_response
-
-        assert_true(component.has_permission(self.user, WRITE))
-        with assert_raises(HTTPError) as exc_info:
-            views.authenticate_via_oauth_bearer_token(component, 'upload')
-        assert_equal(exc_info.exception.code, 403)
 
 
 def assert_urls_equal(url1, url2):
@@ -1351,8 +1305,8 @@ def test_redirects_to_guid(self):
             auth=self.user.auth
         )
 
-        assert_equals(resp.status_code, 302)
-        assert_equals(resp.location, 'http://localhost/{}/'.format(guid._id))
+        self.assertEqual(resp.status_code, 302)
+        self.assertEqual(resp.location, 'http://localhost/{}/'.format(guid._id))
 
     def test_action_download_redirects_to_download_with_param(self):
         file_node = self.get_test_file()
@@ -1360,7 +1314,7 @@ def test_action_download_redirects_to_download_with_param(self):
 
         resp = self.app.get('/{}/?action=download'.format(guid._id), auth=self.user.auth)
 
-        assert_equals(resp.status_code, 302)
+        self.assertEqual(resp.status_code, 302)
         location = furl.furl(resp.location)
         assert_urls_equal(location.url, file_node.generate_waterbutler_url(action='download', direct=None, version=''))
 
@@ -1370,9 +1324,9 @@ def test_action_download_redirects_to_download_with_path(self):
 
         resp = self.app.get('/{}/download?format=pdf'.format(guid._id), auth=self.user.auth)
 
-        assert_equals(resp.status_code, 302)
+        self.assertEqual(resp.status_code, 302)
         location = furl.furl(resp.location)
-        assert_equal(location.url, file_node.generate_waterbutler_url(format='pdf', action='download', direct=None, version=''))
+        self.assertEqual(location.url, file_node.generate_waterbutler_url(format='pdf', action='download', direct=None, version=''))
 
 
     def test_action_download_redirects_to_download_with_path_uppercase(self):
@@ -1381,9 +1335,9 @@ def test_action_download_redirects_to_download_with_path_uppercase(self):
 
         resp = self.app.get('/{}/download?format=pdf'.format(guid._id), auth=self.user.auth)
 
-        assert_equals(resp.status_code, 302)
+        self.assertEqual(resp.status_code, 302)
         location = furl.furl(resp.location)
-        assert_equal(location.url, file_node.generate_waterbutler_url( format='pdf', action='download', direct=None, version=''))
+        self.assertEqual(location.url, file_node.generate_waterbutler_url( format='pdf', action='download', direct=None, version=''))
 
     def test_action_download_redirects_to_download_with_version(self):
         file_node = self.get_test_file()
@@ -1391,7 +1345,7 @@ def test_action_download_redirects_to_download_with_version(self):
 
         resp = self.app.get('/{}/?action=download&revision=1'.format(guid._id), auth=self.user.auth)
 
-        assert_equals(resp.status_code, 302)
+        self.assertEqual(resp.status_code, 302)
         location = furl.furl(resp.location)
         # Note: version is added but us but all other url params are added as well
         assert_urls_equal(location.url, file_node.generate_waterbutler_url(action='download', direct=None, revision=1, version=''))
@@ -1409,9 +1363,9 @@ def test_action_view_calls_view_file(self, mock_ember):
             self.app.get(f'/{guid._id}/?action=view', auth=self.user.auth)
 
         args, kwargs = mock_ember.call_args
-        assert_equals(kwargs, {})
-        assert_equals(args[0], EXTERNAL_EMBER_APPS['ember_osf_web']['server'])
-        assert_equals(args[1], EXTERNAL_EMBER_APPS['ember_osf_web']['path'].rstrip('/'))
+        self.assertEqual(kwargs, {})
+        self.assertEqual(args[0], EXTERNAL_EMBER_APPS['ember_osf_web']['server'])
+        self.assertEqual(args[1], EXTERNAL_EMBER_APPS['ember_osf_web']['path'].rstrip('/'))
 
     @mock.patch('website.views.stream_emberapp')
     @pytest.mark.enable_bookmark_creation
@@ -1426,9 +1380,9 @@ def test_no_action_calls_view_file(self, mock_ember):
             self.app.get(f'/{guid._id}/', auth=self.user.auth)
 
         args, kwargs = mock_ember.call_args
-        assert_equals(kwargs, {})
-        assert_equals(args[0], EXTERNAL_EMBER_APPS['ember_osf_web']['server'])
-        assert_equals(args[1], EXTERNAL_EMBER_APPS['ember_osf_web']['path'].rstrip('/'))
+        self.assertEqual(kwargs, {})
+        self.assertEqual(args[0], EXTERNAL_EMBER_APPS['ember_osf_web']['server'])
+        self.assertEqual(args[1], EXTERNAL_EMBER_APPS['ember_osf_web']['path'].rstrip('/'))
 
     def test_download_create_guid(self):
         file_node = self.get_test_file()
@@ -1443,7 +1397,7 @@ def test_download_create_guid(self):
             auth=self.user.auth
         )
 
-        assert_true(file_node.get_guid())
+        self.assertTrue(file_node.get_guid())
 
     @pytest.mark.enable_bookmark_creation
     def test_view_file_does_not_delete_file_when_requesting_invalid_version(self):
@@ -1483,7 +1437,7 @@ def test_unauthorized_addons_raise(self):
             expect_errors=True
         )
 
-        assert_equals(resp.status_code, 401)
+        self.assertEqual(resp.status_code, 401)
 
     def test_nonstorage_addons_raise(self):
         resp = self.app.get(
@@ -1497,7 +1451,7 @@ def test_nonstorage_addons_raise(self):
             expect_errors=True
         )
 
-        assert_equals(resp.status_code, 400)
+        self.assertEqual(resp.status_code, 400)
 
     @mock.patch('website.views.stream_emberapp')
     def test_head_returns_url_and_redriect(self, mock_ember):
@@ -1506,12 +1460,12 @@ def test_head_returns_url_and_redriect(self, mock_ember):
 
         with override_flag(features.EMBER_FILE_PROJECT_DETAIL, active=True):
             resp = self.app.head('/{}/'.format(guid._id), auth=self.user.auth)
-        assert_equals(resp.status_code, 200)
+        self.assertEqual(resp.status_code, 200)
 
         args, kwargs = mock_ember.call_args
-        assert_equals(kwargs, {})
-        assert_equals(args[0], EXTERNAL_EMBER_APPS['ember_osf_web']['server'])
-        assert_equals(args[1], EXTERNAL_EMBER_APPS['ember_osf_web']['path'].rstrip('/'))
+        self.assertEqual(kwargs, {})
+        self.assertEqual(args[0], EXTERNAL_EMBER_APPS['ember_osf_web']['server'])
+        self.assertEqual(args[1], EXTERNAL_EMBER_APPS['ember_osf_web']['path'].rstrip('/'))
 
 
     def test_head_returns_url_with_version_and_redirect(self):
@@ -1521,7 +1475,7 @@ def test_head_returns_url_with_version_and_redirect(self):
         resp = self.app.head('/{}/?revision=1&foo=bar'.format(guid._id), auth=self.user.auth)
         location = furl.furl(resp.location)
         # Note: version is added but us but all other url params are added as well
-        assert_equals(resp.status_code, 302)
+        self.assertEqual(resp.status_code, 302)
         assert_urls_equal(location.url, file_node.generate_waterbutler_url(direct=None, revision=1, version='', foo='bar'))
 
     def test_nonexistent_addons_raise(self):
@@ -1540,7 +1494,7 @@ def test_nonexistent_addons_raise(self):
             expect_errors=True
         )
 
-        assert_equals(resp.status_code, 400)
+        self.assertEqual(resp.status_code, 400)
 
     def test_unauth_addons_raise(self):
         path = 'cloudfiles'
@@ -1558,7 +1512,7 @@ def test_unauth_addons_raise(self):
             expect_errors=True
         )
 
-        assert_equals(resp.status_code, 401)
+        self.assertEqual(resp.status_code, 401)
 
     def test_resolve_folder_raise(self):
         folder = OsfStorageFolder(
@@ -1578,7 +1532,7 @@ def test_resolve_folder_raise(self):
             expect_errors=True
         )
 
-        assert_equals(resp.status_code, 400)
+        self.assertEqual(resp.status_code, 400)
 
     def test_delete_action_creates_trashed_file_node(self):
         file_node = self.get_test_file()
@@ -1590,8 +1544,8 @@ def test_delete_action_creates_trashed_file_node(self):
             }
         }
         views.addon_delete_file_node(self=None, target=self.project, user=self.user, event_type='file_removed', payload=payload)
-        assert_false(GithubFileNode.load(file_node._id))
-        assert_true(TrashedFileNode.load(file_node._id))
+        self.assertFalse(GithubFileNode.load(file_node._id))
+        self.assertTrue(TrashedFileNode.load(file_node._id))
 
     def test_delete_action_for_folder_deletes_subfolders_and_creates_trashed_file_nodes(self):
         file_node = self.get_test_file()
@@ -1610,8 +1564,8 @@ def test_delete_action_for_folder_deletes_subfolders_and_creates_trashed_file_no
             }
         }
         views.addon_delete_file_node(self=None, target=self.project, user=self.user, event_type='file_removed', payload=payload)
-        assert_false(GithubFileNode.load(subfolder._id))
-        assert_true(TrashedFileNode.load(file_node._id))
+        self.assertFalse(GithubFileNode.load(subfolder._id))
+        self.assertTrue(TrashedFileNode.load(file_node._id))
 
     @mock.patch('website.archiver.tasks.archive')
     def test_archived_from_url(self, mock_archive):
@@ -1627,7 +1581,7 @@ def test_archived_from_url(self, mock_archive):
 
         archived_from_url = views.get_archived_from_url(registered_node, file_node)
         view_url = self.project.web_url_for('addon_view_or_download_file', provider=file_node.provider, path=file_node.copied_from._id)
-        assert_true(archived_from_url)
+        self.assertTrue(archived_from_url)
         assert_urls_equal(archived_from_url, view_url)
 
     @mock.patch('website.archiver.tasks.archive')
@@ -1640,7 +1594,7 @@ def test_archived_from_url_without_copied_from(self, mock_archive):
             draft_registration=DraftRegistrationFactory(branched_from=self.project),
         )
         archived_from_url = views.get_archived_from_url(registered_node, file_node)
-        assert_false(archived_from_url)
+        self.assertFalse(archived_from_url)
 
     @mock.patch('website.archiver.tasks.archive')
     def test_copied_from_id_trashed(self, mock_archive):
@@ -1653,7 +1607,7 @@ def test_copied_from_id_trashed(self, mock_archive):
             draft_registration=DraftRegistrationFactory(branched_from=self.project),
         )
         trashed_node = second_file_node.delete()
-        assert_false(trashed_node.copied_from)
+        self.assertFalse(trashed_node.copied_from)
 
     @mock.patch('website.archiver.tasks.archive')
     def test_missing_modified_date_in_file_data(self, mock_archive):
@@ -1664,8 +1618,8 @@ def test_missing_modified_date_in_file_data(self, mock_archive):
             'modified': None
         }
         file_node.update(revision=None, data=file_data)
-        assert_equal(len(file_node.history), 1)
-        assert_equal(file_node.history[0], file_data)
+        self.assertEqual(len(file_node.history), 1)
+        self.assertEqual(file_node.history[0], file_data)
 
     @mock.patch('website.archiver.tasks.archive')
     def test_missing_modified_date_in_file_history(self, mock_archive):
@@ -1677,8 +1631,8 @@ def test_missing_modified_date_in_file_history(self, mock_archive):
             'modified': None
         }
         file_node.update(revision=None, data=file_data)
-        assert_equal(len(file_node.history), 2)
-        assert_equal(file_node.history[1], file_data)
+        self.assertEqual(len(file_node.history), 2)
+        self.assertEqual(file_node.history[1], file_data)
 
     @with_sentry
     @mock.patch('framework.sentry.sentry.captureMessage')
@@ -1717,7 +1671,7 @@ def setUp(self):
     def test_view_file_redirect(self):
         url = '/{0}/osffiles/{1}/'.format(self.project._id, self.path)
         res = self.app.get(url, auth=self.user.auth)
-        assert_equal(res.status_code, 301)
+        self.assertEqual(res.status_code, 301)
         expected_url = self.project.web_url_for(
             'addon_view_or_download_file',
             action='view',
@@ -1729,7 +1683,7 @@ def test_view_file_redirect(self):
     def test_download_file_redirect(self):
         url = '/{0}/osffiles/{1}/download/'.format(self.project._id, self.path)
         res = self.app.get(url, auth=self.user.auth)
-        assert_equal(res.status_code, 301)
+        self.assertEqual(res.status_code, 301)
         expected_url = self.project.web_url_for(
             'addon_view_or_download_file',
             path=self.expected_path,
@@ -1744,7 +1698,7 @@ def test_download_file_version_redirect(self):
             self.path,
         )
         res = self.app.get(url, auth=self.user.auth)
-        assert_equal(res.status_code, 301)
+        self.assertEqual(res.status_code, 301)
         expected_url = self.project.web_url_for(
             'addon_view_or_download_file',
             version=3,
@@ -1757,7 +1711,7 @@ def test_download_file_version_redirect(self):
     def test_api_download_file_redirect(self):
         url = '/api/v1/project/{0}/osffiles/{1}/'.format(self.project._id, self.path)
         res = self.app.get(url, auth=self.user.auth)
-        assert_equal(res.status_code, 301)
+        self.assertEqual(res.status_code, 301)
         expected_url = self.project.web_url_for(
             'addon_view_or_download_file',
             path=self.expected_path,
@@ -1772,7 +1726,7 @@ def test_api_download_file_version_redirect(self):
             self.path,
         )
         res = self.app.get(url, auth=self.user.auth)
-        assert_equal(res.status_code, 301)
+        self.assertEqual(res.status_code, 301)
         expected_url = self.project.web_url_for(
             'addon_view_or_download_file',
             version=3,
@@ -1788,7 +1742,7 @@ def test_no_provider_name(self):
             self.path,
         )
         res = self.app.get(url, auth=self.user.auth)
-        assert_equal(res.status_code, 301)
+        self.assertEqual(res.status_code, 301)
         expected_url = self.project.web_url_for(
             'addon_view_or_download_file',
             action='view',
@@ -1804,7 +1758,7 @@ def test_action_as_param(self):
             self.path,
         )
         res = self.app.get(url, auth=self.user.auth)
-        assert_equal(res.status_code, 301)
+        self.assertEqual(res.status_code, 301)
         expected_url = self.project.web_url_for(
             'addon_view_or_download_file',
             path=self.expected_path,
@@ -1819,7 +1773,7 @@ def test_other_addon_redirect(self):
             self.path,
         )
         res = self.app.get(url, auth=self.user.auth)
-        assert_equal(res.status_code, 301)
+        self.assertEqual(res.status_code, 301)
         expected_url = self.project.web_url_for(
             'addon_view_or_download_file',
             action='view',
@@ -1834,7 +1788,7 @@ def test_other_addon_redirect_download(self):
             self.path,
         )
         res = self.app.get(url, auth=self.user.auth)
-        assert_equal(res.status_code, 301)
+        self.assertEqual(res.status_code, 301)
         expected_url = self.project.web_url_for(
             'addon_view_or_download_file',
             path=self.path,
diff --git a/tests/test_preprints.py b/tests/test_preprints.py
index a78f9f37141..4d7184eff73 100644
--- a/tests/test_preprints.py
+++ b/tests/test_preprints.py
@@ -2069,7 +2069,7 @@ def build_url(self, **kwargs):
         return self.preprint.api_url_for('get_auth', **options)
 
     def test_auth_download(self):
-        url = self.build_url(cookie=self.cookie)
+        url = self.build_url()
         res = self.app.get(url, auth=Auth(user=self.user))
         data = jwt.decode(jwe.decrypt(res.json['payload'].encode('utf-8'), self.JWE_KEY), settings.WATERBUTLER_JWT_SECRET, algorithm=settings.WATERBUTLER_JWT_ALGORITHM)['data']
         assert_equal(data['credentials'], self.preprint.serialize_waterbutler_credentials())
@@ -2088,41 +2088,59 @@ def setUp(self):
         self.preprint = PreprintFactory(creator=self.user)
 
     def test_has_permission(self):
-        res = views.check_resource_permissions(self.preprint, Auth(user=self.user), 'upload')
+        res = views._check_resource_permissions(self.preprint, Auth(user=self.user), 'upload')
         assert_true(res)
 
     def test_not_has_permission_read_published(self):
-        res = views.check_resource_permissions(self.preprint, Auth(), 'download')
+        res = views._check_resource_permissions(self.preprint, Auth(), 'download')
         assert_true(res)
 
     def test_not_has_permission_logged_in(self):
         user2 = AuthUserFactory()
         self.preprint.is_published = False
         self.preprint.save()
-        assert_false(views.check_resource_permissions(self.preprint, Auth(user=user2), 'download'))
+        with assert_raises(HTTPError) as exc_info:
+            views._check_resource_permissions(self.preprint, Auth(user=user2), 'download')
+        self.assertEqual(exc_info.exception.code, 403)
 
     def test_not_has_permission_not_logged_in(self):
         self.preprint.is_published = False
         self.preprint.save()
-        assert_false(views.check_resource_permissions(self.preprint, Auth(), 'download'))
+        with assert_raises(HTTPError) as exc_info:
+            views._check_resource_permissions(self.preprint, Auth(), 'download')
+        self.assertEqual(exc_info.exception.code, 403)
 
-    def test_check_access_withdrawn_preprint_file(self):
+    def test_check_access_withdrawn_preprint_file__unauthenticated(self):
         self.preprint.date_withdrawn = timezone.now()
         self.preprint.save()
         # Unauthenticated
-        assert_false(views.check_resource_permissions(self.preprint, Auth(), 'download'))
+        with assert_raises(HTTPError) as exc_info:
+            views._check_resource_permissions(self.preprint, Auth(), 'download')
+        self.assertEqual(exc_info.exception.code, 403)
 
-        # Noncontributor
-        user2 = AuthUserFactory()
-        assert_false(views.check_resource_permissions(self.preprint, Auth(user2), 'download'))
-
-        # Read contributor
-        self.preprint.add_contributor(user2, READ, save=True)
-        assert_false(views.check_resource_permissions(self.preprint, Auth(user2), 'download'))
+    def test_check_access_withdrawn_preprint_file__noncontributor(self):
+        self.preprint.date_withdrawn = timezone.now()
+        self.preprint.save()
+        noncontrib = AuthUserFactory()
+        with assert_raises(HTTPError) as exc_info:
+            views._check_resource_permissions(self.preprint, Auth(user=noncontrib), 'download')
+        self.assertEqual(exc_info.exception.code, 403)
 
-        # Admin contributor
-        assert_false(views.check_resource_permissions(self.preprint, Auth(self.user), 'download'))
+    def test_check_access_withdrawn_preprint_file__read_user(self):
+        self.preprint.date_withdrawn = timezone.now()
+        self.preprint.save()
+        read_user = AuthUserFactory()
+        self.preprint.add_contributor(read_user, READ, save=True)
+        with assert_raises(HTTPError) as exc_info:
+            views._check_resource_permissions(self.preprint, Auth(user=read_user), 'download')
+        self.assertEqual(exc_info.exception.code, 403)
 
+    def test_check_access_withdrawn_preprint_file__admin_user(self):
+        self.preprint.date_withdrawn = timezone.now()
+        self.preprint.save()
+        with assert_raises(HTTPError) as exc_info:
+            views._check_resource_permissions(self.preprint, Auth(user=self.user), 'download')
+        self.assertEqual(exc_info.exception.code, 403)
 
 
 class TestPreprintOsfStorageLogs(OsfTestCase):
diff --git a/tests/test_utils.py b/tests/test_utils.py
index 689f937e7ce..f608d4eceab 100644
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@@ -25,6 +25,7 @@
 from framework.routing import Rule, json_renderer
 from framework.utils import secure_filename, throttle_period_expired
 from api.base.utils import waterbutler_api_url_for
+from osf_tests.external.gravy_valet.gv_fakes import FakeGravyValet
 from osf.utils.functional import rapply
 from waffle.testutils import override_flag
 from website.routes import process_rules, OsfWebRenderer
@@ -569,7 +570,10 @@ def test_publish_body_on_merger(
     ):
         with mock.patch.object(settings, 'USE_CELERY', True):
             with override_flag(features.ENABLE_GV, active=True):
-                user.merge_user(old_user)
+                fake_gv = FakeGravyValet()
+                fake_gv._get_or_create_user_entry(old_user)
+                with fake_gv.run_fake():
+                    user.merge_user(old_user)
 
         mock_publish_user_status_change().__enter__().publish.assert_called_once_with(
             body={
@@ -579,4 +583,4 @@ def test_publish_body_on_merger(
             },
             exchange=account_status_changes_exchange,
             serializer='json',
-        )
\ No newline at end of file
+        )

From 1eeb452f5fdecd2e7a0eb2d12685d1dbe011414b Mon Sep 17 00:00:00 2001
From: Jon Walz <walzj@COSs-MBP.lan>
Date: Fri, 12 Jul 2024 11:34:19 -0400
Subject: [PATCH 10/11] Resolve conflicts

---
 api/nodes/views.py | 60 +++++++++++++++++++++++++++++++++-------------
 1 file changed, 44 insertions(+), 16 deletions(-)

diff --git a/api/nodes/views.py b/api/nodes/views.py
index dae613cf868..6d36068c2a9 100644
--- a/api/nodes/views.py
+++ b/api/nodes/views.py
@@ -1,4 +1,7 @@
 import re
+import typing
+
+import dataclasses
 
 from distutils.version import StrictVersion
 from django.apps import apps
@@ -1471,28 +1474,53 @@ def get_queryset(self):
             raise HTTP_CODE_MAP.get(exc.code, exc)
 
 
-class NodeStorageProvider(object):
+@dataclasses.dataclass
+class NodeStorageProvider:
+
+    resource: typing.Any
+    provider_name: str = None
+    provider_settings: typing.Any = None  # NodeSettings or EphemeralSettings
+    path: str = '/'
+    kind: str = 'folder'
 
-    def __init__(self, node, provider_name, storage_addon=None):
-        self.path = '/'
-        self.node = node
-        self.kind = 'folder'
-        self.name = provider_name
-        self.provider = provider_name
-        self.node_id = node._id
-        self.pk = node._id
-        self.id = node.id
-        self.root_folder = self._get_root_folder(storage_addon)
+    @property
+    def node(self):
+        return self.resource
 
     @property
     def target(self):
-        return self.node
+        return self.resource
+
+    @property
+    def provider(self):
+        return self.provider_name or self.provider_settings.short_name
+
+    @property
+    def name(self):
+        if self.provider_settings:
+            return self.provider_settings.display_name
+        return self.provider_name
+
+    @property
+    def node_id(self):
+        return self.resource._id
+
+    @property
+    def pk(self):
+        return self.resource._id
+
+    @property
+    def id(self):
+        return self.resource.id
 
-    def _get_root_folder(self, storage_addon):
-        if isinstance(self.target, Preprint):
+    @property
+    def root_folder(self):
+        if isinstance(self.resource, Preprint):
             return self.target.root_folder
-        else:
-            return storage_addon.root_node if storage_addon else None
+        if self.provider_settings:
+            return self.provider_settings.root_node
+        return None
+
 
 class NodeStorageProvidersList(JSONAPIBaseView, generics.ListAPIView, NodeMixin):
     """The documentation for this endpoint can be found [here](https://developer.osf.io/#operation/nodes_providers_list).

From 7c2497706666de0058503b16955784227b4bb78e Mon Sep 17 00:00:00 2001
From: Jon Walz <walzj@COSs-MBP.lan>
Date: Mon, 15 Jul 2024 10:24:08 -0400
Subject: [PATCH 11/11] Fix File Detail tests

---
 api_tests/files/views/test_file_detail.py | 45 +++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/api_tests/files/views/test_file_detail.py b/api_tests/files/views/test_file_detail.py
index 14b95016e36..7b40be30d4c 100644
--- a/api_tests/files/views/test_file_detail.py
+++ b/api_tests/files/views/test_file_detail.py
@@ -31,6 +31,9 @@
 
 SessionStore = import_module(django_conf_settings.SESSION_ENGINE).SessionStore
 
+from addons.base.views import _get_authenticated_resource
+from framework.exceptions import HTTPError
+
 # stolen from^W^Winspired by DRF
 # rest_framework.fields.DateTimeField.to_representation
 def _dt_to_iso8601(value):
@@ -705,6 +708,48 @@ def test_load_and_property(self, app, user, file):
             expect_errors=True, auth=user.auth,
         ).status_code == 405
 
+    def test_retracted_file_returns_410(self, app, user, file_url, file):
+        resource = RegistrationFactory(is_public=True)
+        retraction = resource.retract_registration(
+            user=resource.creator,
+            justification='Justification for retraction',
+            save=True,
+            moderator_initiated=False
+        )
+
+        retraction.accept()
+        resource.save()
+        resource.refresh_from_db()
+
+        file.target = resource
+        file.save()
+
+        res = app.get(file_url, auth=user.auth, expect_errors=True)
+        assert res.status_code == 410
+
+    def test_get_authenticated_resource_retracted(self):
+        resource = RegistrationFactory(is_public=True)
+
+        assert resource.is_retracted is False
+
+        retraction = resource.retract_registration(
+            user=resource.creator,
+            justification='Justification for retraction',
+            save=True,
+            moderator_initiated=False
+        )
+
+        retraction.accept()
+        resource.save()
+        resource.refresh_from_db()
+
+        assert resource.is_retracted is True
+
+        with pytest.raises(HTTPError) as excinfo:
+            _get_authenticated_resource(resource._id)
+
+        assert excinfo.value.code == 410
+
 
 @pytest.mark.django_db
 class TestFileTagging: