Create REST endpoint for POSTing job models #2031
Conversation
|
@zachmullen can you comment on whether or not this is the right/best approach? thanks! |
|
See: #2018 |
|
btw, I found this to be a little bit confusing - i expected when setting However, because ensureTokenScopes returns immediately if the user is logged in, it effectively means a logged in user has ALL custom scopes defined. I didn't see a built-in way to handle a situation where i wanted to protect an endpoint with a custom scope regardless of user authentication status. |
plugins/jobs/server/job_rest.py
Outdated
| @filtermodel(model='job', plugin='jobs') | ||
| @access.token(scope=constants.REST_CREATE_JOB_TOKEN_SCOPE) | ||
| @autoDescribeRoute( | ||
| Description('Create a job model via a RESTful endpoint') |
There was a problem hiding this comment.
No need to put "via a RESTful endpoint" :)
plugins/jobs/server/__init__.py
Outdated
|
|
||
| def load(info): | ||
| info['apiRoot'].job = job_rest.Job() | ||
| events.bind('rest.post.job.before', 'jobs', _authorizeRestJobCreation) |
There was a problem hiding this comment.
Since this is all in the same plugin, let's just move this logic into the REST route handler itself. That will improve readability via lexical proximity of the logic, and won't preclude behavioral modification by downstreams.
plugins/jobs/server/__init__.py
Outdated
| if not tokenModel.hasScope(token, constants.REST_CREATE_JOB_TOKEN_SCOPE): | ||
| raise AccessException( | ||
| 'Invalid token scope.\n' | ||
| 'Required: %s.\n' % (constants.REST_CREATE_JOB_TOKEN_SCOPE)) |
There was a problem hiding this comment.
This pattern appears in a few places, it's probably worth adding a standardized requireScope method into the token model that raises an exception like this.
There was a problem hiding this comment.
Would this also help with the recent issue we found where invalidly scoped tokens were throwing 401s and saying "not logged in" when really it was the case that the token didn't have the correct scope? If we can improve that error handling as a part of this PR that would be rad.
There was a problem hiding this comment.
It wouldn't help with that particular case. I'm not actually sure how to engineer a solution for that at this time.
plugins/jobs/server/models/job.py
Outdated
| from girder.plugins.jobs.constants import JobStatus, JOB_HANDLER_LOCAL | ||
| from girder.plugins.jobs.constants import (JobStatus, | ||
| JOB_HANDLER_LOCAL, | ||
| REST_CREATE_JOB_TOKEN_SCOPE) |
There was a problem hiding this comment.
This change doesn't seem necessary.
Right, that's the behavior we use to support OAuth-provider-like authorization control. One way to support these sorts of use cases is to add another flag to the access decorators, e.g. The |
dorukozturk
force-pushed
the
create-worker-job-model
branch
from
68143ea
to
8cf5ff2
Compare
Does not allow posting unless jobs.rest.create_job is set as a scope on the token. This is set automatically when using createJobToken()
dorukozturk
force-pushed
the
create-worker-job-model
branch
2 times, most recently
from
db04b3c
to
0287f0a
Compare
dorukozturk
changed the title
|
@kotfic, @zachmullen This is ready for a review. |
girder/models/token.py
Outdated
|
|
||
| if not self.hasScope(token, scope): | ||
| raise AccessException('Invalid token scope.' | ||
| 'Required: %s.' % (scope)) |
There was a problem hiding this comment.
I think we can fit this all on one line, but if not, we'll need to add a space between the sentences.
plugins/jobs/server/job_rest.py
Outdated
| Description('Create a job model') | ||
| .param('title', '', required=True) | ||
| .param('type', '', required=True) | ||
| .modelParam('parentId', 'Id of the parent job.', model='job', |
There was a problem hiding this comment.
In user-facing text, we should use "ID" rather than "Id".
There was a problem hiding this comment.
@zachmullen I applied those changes.
dorukozturk
force-pushed
the
create-worker-job-model
branch
from
76574a0
to
0ccf574
Compare
Does not allow posting to
/jobunless jobs.rest.create_job is set as a scopeon the current token - regardless of whether TokenScope.USER_AUTH is set.