Skip to content

🐛 Ensure function execute permission check is performed only once in map endpoint #8499

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Oct 10, 2025
Merged

🐛 Ensure function execute permission check is performed only once in map endpoint #8499

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
fd1d641
factor out funtion execute permission check
bisgaard-itis Oct 10, 2025
4c2044e
@wangeit document FunctionExecuteAccessDeniedError
bisgaard-itis Oct 10, 2025
6b277e3
move get_function_job_links until after permission check
bisgaard-itis Oct 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 1 addition & 32 deletions services/api-server/src/simcore_service_api_server/_service_function_jobs_task_client.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,6 @@
TaskID,
)
from models_library.functions_errors import (
FunctionExecuteAccessDeniedError,
FunctionsExecuteApiAccessDeniedError,
UnsupportedFunctionClassError,
UnsupportedFunctionFunctionJobClassCombinationError,
)
Expand Down Expand Up @@ -245,36 +243,7 @@ async def get_cached_function_job(
function: RegisteredFunction,
job_inputs: JobInputs,
) -> RegisteredFunctionJob:
"""
N.B. this function checks access rights

raises FunctionsExecuteApiAccessDeniedError if user cannot execute functions
raises FunctionJobCacheNotFoundError if no cached job is found

"""

user_api_access_rights = (
await self._web_rpc_client.get_functions_user_api_access_rights(
user_id=self.user_id, product_name=self.product_name
)
)
if not user_api_access_rights.execute_functions:
raise FunctionsExecuteApiAccessDeniedError(
user_id=self.user_id,
function_id=function.uid,
)

user_permissions = await self._web_rpc_client.get_function_user_permissions(
function_id=function.uid,
user_id=self.user_id,
product_name=self.product_name,
)
if not user_permissions.execute:
raise FunctionExecuteAccessDeniedError(
user_id=self.user_id,
function_id=function.uid,
)

"""Raises FunctionJobCacheNotFoundError if no cached job is found"""
if cached_function_jobs := await self._web_rpc_client.find_cached_function_jobs(
function_id=function.uid,
inputs=job_inputs.values,
Expand Down
39 changes: 38 additions & 1 deletion services/api-server/src/simcore_service_api_server/_service_functions.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,11 @@

from common_library.exclude import as_dict_exclude_none
from models_library.functions import FunctionClass, FunctionID, RegisteredFunction
from models_library.functions_errors import UnsupportedFunctionClassError
from models_library.functions_errors import (
FunctionExecuteAccessDeniedError,
FunctionsExecuteApiAccessDeniedError,
UnsupportedFunctionClassError,
)
from models_library.products import ProductName
from models_library.rest_pagination import (
MAXIMUM_NUMBER_OF_ITEMS_PER_PAGE,
Expand Down Expand Up @@ -76,3 +80,36 @@ async def get_function(self, function_id: FunctionID) -> RegisteredFunction:
product_name=self.product_name,
function_id=function_id,
)

async def check_execute_function_permission(
self,
*,
function: RegisteredFunction,
) -> None:
"""
Check execute permissions for a user on a function

raises FunctionsExecuteApiAccessDeniedError if user cannot execute functions
"""

user_api_access_rights = (
await self._web_rpc_client.get_functions_user_api_access_rights(
user_id=self.user_id, product_name=self.product_name
)
)
if not user_api_access_rights.execute_functions:
raise FunctionsExecuteApiAccessDeniedError(
user_id=self.user_id,
function_id=function.uid,
)

user_permissions = await self._web_rpc_client.get_function_user_permissions(
function_id=function.uid,
user_id=self.user_id,
product_name=self.product_name,
)
if not user_permissions.execute:
raise FunctionExecuteAccessDeniedError(
user_id=self.user_id,
function_id=function.uid,
)
8 changes: 8 additions & 0 deletions services/api-server/src/simcore_service_api_server/api/routes/functions_routes.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -345,6 +345,10 @@ async def run_function(
pricing_spec = JobPricingSpecification.create_from_headers(request.headers)
job_links = await function_service.get_function_job_links(to_run_function, url_for)

await function_service.check_execute_function_permission(
function=to_run_function,
)

return await function_job_task_client_service.create_function_job_creation_task(
function=to_run_function,
function_inputs=function_inputs,
Expand Down Expand Up @@ -420,6 +424,10 @@ async def map_function(
pricing_spec = JobPricingSpecification.create_from_headers(request.headers)
job_links = await function_service.get_function_job_links(to_run_function, url_for)

await function_service.check_execute_function_permission(
function=to_run_function,
)

async def _run_single_function(function_inputs: FunctionInputs) -> FunctionJobID:
result = (
await function_job_task_client_service.create_function_job_creation_task(
Expand Down
Loading