[24.0] Fix authentication error for anonymous users querying jobs #18333
Conversation
🔍 Existing Issues For ReviewYour pull request is modifying functions with the following pre-existing issues: 📄 File: lib/galaxy/managers/jobs.py
📄 File: lib/galaxy/webapps/galaxy/services/jobs.py (Click to Expand)
Did you find this useful? React with a 👍 or 👎 |
lib/galaxy/managers/jobs.py
Outdated
| @@ -111,6 +112,8 @@ def index_query(self, trans, payload: JobIndexQueryPayload) -> sqlalchemy.engine | |||
| Otherwise this will only return the user's jobs or all jobs if the requesting | |||
| user is acting as an admin. | |||
| """ | |||
| if trans.user is None: | |||
There was a problem hiding this comment.
Can we instead query the jobs using the session id or current session history ? I think there's no reason anon user can't see their jobs
There was a problem hiding this comment.
Sure! I forgot there was a way to differentiate jobs from other anonymous users. I'll give it a try 👍
There was a problem hiding this comment.
I tried to write an API or selenium test but I couldn't figure out how to use the session. I manually tested and seems to work though.
davelopez
force-pushed
the
24.0_fix_500_for_anonymous_job_listing
branch
from
3370b23
to
2e91272
Compare
Co-authored-by: Nicola Soranzo <nicola.soranzo@earlham.ac.uk>
| if trans.galaxy_session and trans.galaxy_session.current_history_id: | ||
| history_id = trans.galaxy_session.current_history_id | ||
| else: | ||
| return None |
There was a problem hiding this comment.
I'm wondering if we should raise an AuthenticationRequired exception here instead, so the error is not hidden from the user.
There was a problem hiding this comment.
This is not an error, if a session doesn't have a history it also doesn't have any jobs.
There was a problem hiding this comment.
But None is returned also is trans.galaxy_session is None.
There was a problem hiding this comment.
You could as well query some public thing, like jobs belonging to a history, raising an exception here feels very unpredictable.
There was a problem hiding this comment.
Then I don't understand the changes in lines 131-133 above: if we want a session-less user to be able to view public history jobs, we should overwrite history_id only when it's None .
There was a problem hiding this comment.
That is a good point, we might want to instead filter on the job itself using the session id.
There was a problem hiding this comment.
If history_id is passed in the API payload, the job's history accessibility is checked on the jobs returned by this method at
There was a problem hiding this comment.
Thanks for the catch! I'll follow up with the proposed change 👍
Fixes #18331
I added the check at the API level (to fail fast) and at the manager level in case it gets called from somewhere else.
How to test the changes?
License