-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ome user id fix #285
Ome user id fix #285
Conversation
ome.user_id is now always the same as ome.user.id - Fixed as the currently logged-in user. ome.active_user is similar to ome.active_group and reflects the current viewing context. Having ome.user_id for the current context was confusing and inconsistent
Conflicting PR. Removed from build OMERO-python-superbuild-push#686. See the console output for more details.
|
Can the integration tests introduced in ome/openmicroscopy#6269 be easily amended to test both scenarios (single-group context + group -1 context) so that we can flag regressions in the future? |
Tested the functionality. The PR fixes the issue. Workflow gives 500 on latest-ci, but works fine on merge-ci 👍 |
@sbesson Added a test at ome/openmicroscopy@27c9670 to check User Settings page when experimenter context is -1. |
omeroweb/webadmin/urls.py
Outdated
@@ -81,7 +81,7 @@ | |||
name="waloaddrivespace_user", | |||
), | |||
url( | |||
r"^change_avatar/(?P<eid>[0-9]+)/(?:(?P<action>[a-z]+)/)?$", | |||
r"^change_avatar/(?:(?P<action>[a-z]+)/)?$", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The biggest downside of this approach is that it will break all calls of type https://myserver/webadmin/change_avatar/xxx/{upload,deletephoto}/
in favor of https://myserver/webadmin/change_avatar/{upload,deletephoto}/
.
From my understanding of the associated code, the passed ID was silently ignored anyways and the current user ID used under the hood. Was the ability to set/delete other's avatar ever functional?
Trying to make the minimal assumptions about consumers, is it possible to update this to keep supporting both forms of URLs but use the same view?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a breaking change, so we should try to handle both url formats if possible
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can certainly allow change_avatar/xxx/{upload,deletephoto}/
but for how long do we need to support it and how would we mark it as deprecated?
I don't think there was ever the ability to upload or delete another user's photo and I think it very unlikely that URL would be used by any external application (delete was even unusable in webclient till just now (#274).
So the sooner we can remove it the better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was the ID previously always ignored even if for another user?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. As you can see in master
(and not changed in this PR) manageavatar()
view function makes no use of any eid
:
omero-web/omeroweb/webadmin/views.py
Line 1089 in 688acfe
def manage_avatar(request, action=None, conn=None, **kwargs): |
Same in v5.9.1 etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 I was wondering if that means we should disallow now eid != current user.
Tested against the CI server using a logged user:
Generally, this PR seems to be deprecating the On the handling of IDs different than the current user, I am not strongly opinionated. I could see some feedback/error indicating this path is disallowed. On the other side, it might be overkill if this is effectively deprecated and we are moving towards the ID-less form. |
I think it has been broken like this for a long time, but likely never used outside of the webadmin UI. I don't think we need to add any validation of the ignored |
Just saw this error reported on nightshade:
|
This fixes a bug from #278.
See #278 (comment)
It was caused because I used the
ome.user_id
template context assuming it referred to the currently logged-in user (similar toome.user.id
) but it actually referred to the current browsing context, so for "All Members" it was-1
which caused an error generating URLs formanage_avatar
URLs (upload, crop & delete).The fix is to always use
ome.user_id
to refer to the logged-in user, and useome.active_user
to refer to the current viewing context, as we already do withome.active_group
. This consistency will help avoid similar errors in future.To test:
webclient/?experimenter=-1
) then browse toUser Settings
page.Since this bug is affecting users, it would be nice to get it released soon. cc @erindiel