Create REST endpoint for POSTing job models #2031
@zachmullen can you comment on whether or not this is the right/best approach? thanks!
See: #2018
btw, I found this to be a little bit confusing - I expected when setting However, because ensureTokenScopes returns immediately if the user is logged in, it effectively means a logged in user has ALL custom scopes defined. I didn't see a built-in way to handle a situation where I wanted to protect an endpoint with a custom scope regardless of user authentication status.
plugins/jobs/server/job_rest.py
    @filtermodel(model='job', plugin='jobs')
    @access.token(scope=constants.REST_CREATE_JOB_TOKEN_SCOPE)
    @autoDescribeRoute(
        Description('Create a job model via a RESTful endpoint')
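Review bot: @access.token(scope=constants.REST_CREATE_JOB_TOKEN_SCOPE) on its own does not enforce the scope for an already-authenticated caller, since, as noted in the opening comment, ensureTokenScopes returns immediately when the user is logged in; the handler needs an explicit scope check on the current token (the requireScope helper discussed later in this thread) so that the custom scope is required regardless of authentication status.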
No need to put "via a RESTful endpoint" :)
plugins/jobs/server/__init__.py
    def load(info):
        info['apiRoot'].job = job_rest.Job()
        events.bind('rest.post.job.before', 'jobs', _authorizeRestJobCreation)
Since this is all in the same plugin, let's just move this logic into the REST route handler itself. That will improve readability via lexical proximity of the logic, and won't preclude behavioral modification by downstreams.
plugins/jobs/server/__init__.py
    if not tokenModel.hasScope(token, constants.REST_CREATE_JOB_TOKEN_SCOPE):
        raise AccessException(
            'Invalid token scope.\n'
            'Required: %s.\n' % (constants.REST_CREATE_JOB_TOKEN_SCOPE))
This pattern appears in a few places; it's probably worth adding a standardized requireScope method into the token model that raises an exception like this.
Would this also help with the recent issue we found where invalidly scoped tokens were throwing 401s and saying "not logged in" when really it was the case that the token didn't have the correct scope? If we can improve that error handling as a part of this PR that would be rad.
It wouldn't help with that particular case. I'm not actually sure how to engineer a solution for that at this time.
plugins/jobs/server/models/job.py
    from girder.plugins.jobs.constants import JobStatus, JOB_HANDLER_LOCAL
    from girder.plugins.jobs.constants import (JobStatus,
                                               JOB_HANDLER_LOCAL,
                                               REST_CREATE_JOB_TOKEN_SCOPE)
This change doesn't seem necessary.
Right, that's the behavior we use to support OAuth-provider-like authorization control. One way to support these sorts of use cases is to add another flag to the access decorators, e.g.
The
68143ea to 8cf5ff2
Does not allow posting unless jobs.rest.create_job is set as a scope on the token. This is set automatically when using createJobToken()
db04b3c to 0287f0a
@kotfic, @zachmullen This is ready for a review.
girder/models/token.py
    if not self.hasScope(token, scope):
        raise AccessException('Invalid token scope.'
                              'Required: %s.' % (scope))
I think we can fit this all on one line, but if not, we'll need to add a space between the sentences.
plugins/jobs/server/job_rest.py
    Description('Create a job model')
    .param('title', '', required=True)
    .param('type', '', required=True)
    .modelParam('parentId', 'Id of the parent job.', model='job',
In user-facing text, we should use "ID" rather than "Id".
@zachmullen I applied those changes.
76574a0 to 0ccf574
Does not allow posting to /job unless jobs.rest.create_job is set as a scope on the current token - regardless of whether TokenScope.USER_AUTH is set.
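The following is an added example, not code from this PR or from girder itself, that models the two behaviours discussed in the thread: a scope check that short-circuits for a logged-in user (so every authenticated user effectively holds every custom scope), and the standardized requireScope helper plus a decorator that enforces jobs.rest.create_job on the current token regardless of whether the user-auth scope is also present. The Token class, naiveEnsureTokenScopes, requireTokenScope, createJob and tryCreateJob are assumptions made for illustration and are not girder's API; only the scope name jobs.rest.create_job and the createJobToken() behaviour come from the PR description.

```python
# Added example (not girder's own code). Token, naiveEnsureTokenScopes,
# requireTokenScope, createJob and tryCreateJob are assumed names for
# illustration; USER_AUTH stands in for TokenScope.USER_AUTH.

USER_AUTH = 'core.user_auth'                          # assumed stand-in scope name
REST_CREATE_JOB_TOKEN_SCOPE = 'jobs.rest.create_job'  # scope name from the PR


class AccessException(Exception):
    """Raised when the current token lacks a scope the endpoint requires."""


class Token:
    """Constructed stand-in for a token document: just its set of scopes."""

    def __init__(self, scopes):
        self.scopes = frozenset(scopes)

    def hasScope(self, scope):
        return scope in self.scopes

    def requireScope(self, scope):
        # The standardized helper suggested in review: one place that checks
        # the scope and raises, with a space between the two sentences.
        if not self.hasScope(scope):
            raise AccessException('Invalid token scope. Required: %s.' % scope)


def naiveEnsureTokenScopes(token, scope):
    """Models the confusing behaviour from the opening comment: a token that
    authenticates a user short-circuits the check, so a logged-in user
    effectively holds every custom scope."""
    if token.hasScope(USER_AUTH):
        return True  # returns immediately for a logged-in user, scope never checked
    return token.hasScope(scope)


def requireTokenScope(scope):
    """Decorator enforcing `scope` on every call, independent of whether the
    token also carries the user-auth scope."""
    def decorator(handler):
        def wrapped(token, *args, **kwargs):
            token.requireScope(scope)
            return handler(token, *args, **kwargs)
        return wrapped
    return decorator


@requireTokenScope(REST_CREATE_JOB_TOKEN_SCOPE)
def createJob(token, title, jobType):
    """Stand-in for the POST /job handler: returns the job document it would create."""
    return {'title': title, 'type': jobType}


def tryCreateJob(token, title='demo', jobType='example'):
    """Returns the created job, or the AccessException message when refused."""
    try:
        return createJob(token, title, jobType)
    except AccessException as exc:
        return str(exc)


def createJobToken():
    """Mirrors the PR description: the job-token helper grants the create scope."""
    return Token([REST_CREATE_JOB_TOKEN_SCOPE])


if __name__ == '__main__':
    userOnly = Token([USER_AUTH])
    # Naive check lets a merely logged-in user through:
    print(naiveEnsureTokenScopes(userOnly, REST_CREATE_JOB_TOKEN_SCOPE))
    # Enforced check refuses the same token and accepts a job token:
    print(tryCreateJob(userOnly))
    print(tryCreateJob(createJobToken()))
```

A token that carries both the user-auth scope and jobs.rest.create_job still passes the enforced check, so the decorator restricts the endpoint without locking out properly scoped sessions.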