33 changes: 15 additions & 18 deletions src/dev_entity_worker.py
Expand Up @@ -119,6 +119,8 @@ def __init__(self, app_config, memcached_client_instance, schema_mgr, neo4j_driv
raise entityEx.EntityConfigurationException(msg)

def _user_in_hubmap_read_group(self, user_info):
if user_info is None:
return False
try:
# The property 'hmgroupids' is ALWAYS in the output with using schema_manager.get_user_info()
# when the token in request is a groups token
Expand Down Expand Up @@ -300,16 +302,14 @@ def _get_entity_by_id_for_auth_level(self, entity_id:Annotated[str, 32], valid_u
entity_scope = self._get_entity_visibility(entity_dict=complete_dict)
public_entity = (entity_scope is DataVisibilityEnum.PUBLIC)

# Initialize the user as authorized if the data is public. Otherwise, the
# user is not authorized and credentials must be checked.
if public_entity:
user_authorized = True
else:
# Set a variable reflecting the user's authorization by being in the HuBMAP-READ Globus Group
user_authorized = self._user_in_hubmap_read_group(user_info=user_info)

# For non-public documents, reject the request if the user is not authorized
if not public_entity:
if valid_user_token is None:
raise entityEx.EntityForbiddenException(f"{normalized_entity_type} for {entity_id} is not"
f" accessible without presenting a token.")

user_authorized = self._user_in_hubmap_read_group(user_info=user_info)
if not user_authorized:
raise entityEx.EntityForbiddenException(f"The requested {normalized_entity_type} has non-public data."
f" A Globus token with access permission is required.")
Expand All @@ -322,7 +322,7 @@ def _get_entity_by_id_for_auth_level(self, entity_id:Annotated[str, 32], valid_u
# Also normalize the result based on schema
final_result = self.schemaMgr.normalize_entity_result_for_response(complete_dict)

# Identify fields in the entity based upon user's authorization
# Identify fields to exclude from non-authorized responses for the entity type.
fields_to_exclude = self.schemaMgr.get_fields_to_exclude(normalized_entity_type)

# Response with the dict
Expand Down Expand Up @@ -383,7 +383,7 @@ def _get_dataset_associated_data( self, dataset_dict:dict, dataset_visibility:
raise entityEx.EntityBadRequestException( f"'{dataset_dict['entity_type']}' for"
f" uuid={dataset_dict['uuid']} is not a Dataset or Publication,"
f" so '{associated_data}' can not be retrieved for it.")
# Set up fields to be excluded when retrieving the organs associated with
# Set up fields to be excluded when retrieving the entities associated with
# the Dataset. Organs are one kind of Sample.
if associated_data.lower() in ['organs', 'samples']:
fields_to_exclude = self.schemaMgr.get_fields_to_exclude('Sample')
Expand All @@ -395,19 +395,16 @@ def _get_dataset_associated_data( self, dataset_dict:dict, dataset_visibility:
raise entityEx.EntityServerErrorException(f"Unexpected error retrieving '{associated_data}' for a Dataset")

public_entity = (dataset_visibility is DataVisibilityEnum.PUBLIC)
# Initialize the user as authorized if the entity with associated data is public. Otherwise, the
# user is not authorized and credentials must be checked.
if dataset_visibility is DataVisibilityEnum.PUBLIC:
user_authorized = True
else:
# If the entity is non-public, but the valid user token is None, authorization is forbidden.

# Set a variable reflecting the user's authorization by being in the HuBMAP-READ Globus Group
user_authorized = self._user_in_hubmap_read_group(user_info=user_info)

# For non-public documents, reject the request if the user is not authorized
if not public_entity:
if valid_user_token is None:
raise entityEx.EntityForbiddenException(f"{dataset_dict['entity_type']} for"
f" {dataset_dict['uuid']} is not"
f" accessible without presenting a token.")

user_authorized = self._user_in_hubmap_read_group(user_info=user_info)
# If the entity is non-public, but user token is not in the HuBMAP Read Group, authorization is forbidden.
if not user_authorized:
raise entityEx.EntityForbiddenException(f"The requested Dataset has non-public data."
f" A Globus token with access permission is required.")
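Review bot: `user_authorized` is now assigned only inside the `if not public_entity:` branch (the `user_authorized = self._user_in_hubmap_read_group(user_info=user_info)` line in the -300 hunk, and the same line in the -395 hunk of `_get_dataset_associated_data`), whereas the removed code set it to `True` on the public path; both method bodies continue outside the hunks, so if any later statement still reads `user_authorized` for a public entity it will raise `UnboundLocalError` at runtime. If the name is still used downstream, initialize it before the branch (e.g. `user_authorized = False` or compute the group membership unconditionally) and document which value the public path is meant to carry, since the reworded comment "Identify fields to exclude from non-authorized responses" suggests the flag may still drive field exclusion. The new ordering itself is fail-closed for non-public data (token presence is checked before group membership, and `_user_in_hubmap_read_group` now returns `False` for a `None` `user_info`), which is the right direction; it would help to state in a comment that `user_info` is expected to be derived from `valid_user_token` rather than being an independent caller-supplied argument, since nothing in the hunk ties the two together.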
2 changes: 1 addition & 1 deletion src/requirements.txt
Expand Up @@ -18,7 +18,7 @@ PyYAML==5.4.1
# Use the branch name of commons from github for testing new changes made in commons from different branch
# Default is main branch specified in docker-compose.development.yml if not set
# git+https://github.com/hubmapconsortium/commons.git@${COMMONS_BRANCH}#egg=hubmap-commons
hubmap-commons==2.1.18
hubmap-commons==2.1.19

# For unit test
nose2==0.10.0