Fix 10221 403 error; Unauthorized studies are displayed as authorized #10241
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fix 10221 Unauthorized studies are displayed as authorized due to issue with using RequestParam adding @RequestParam causes error HTTP 400 error as by default required = true, if set to required = false causes unauthorized studies to be shown as authorized Swagger validation errors fixed via commit a57c489 caused this issue.
BasLee
force-pushed
the
fix10221-403-authorized-studies
branch
from
d5c78e0
to
7638a27
Compare
BasLee
reviewed
Jul 3, 2023
| @RequestParam(required = false) Authentication authentication) { | ||
| @RequestParam(defaultValue = "ASC") Direction direction | ||
| ) { | ||
| Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); |
There was a problem hiding this comment.
Problem:
- The
authenticationparam without annotations generates faulty/messy Swagger documentation - The
authenticationparam with annotations results in all studies being marked withreadPermission=true
Maybe better to remove the authentication parameter and instead fetch it from the security context?
@dippindots @JREastonMarks
There was a problem hiding this comment.
This looks ok to me, @jagnathan is there any potential issue if we merge this pr as is?
There was a problem hiding this comment.
@dippindots in the file org/mskcc/cbio/portal/util/internal/AccessControlImpl.java, there is some more complex logic for getting the authentication object. Do we need to follow that logic?
- Rename StructVar* to StructuralVariant* - Revert JsonInclude Always to NON_NULL -
…yfilter RFC68: Impl. structural variant filtering in Study View filter
…control modify documentation for skin.hide_download_controls
authentication object validity check - only if user authorization is enabled, authentication object is obtained from SecurityContextHolder
Fix 10221 Unauthorized studies are displayed as authorized due to issue with using RequestParam adding @RequestParam causes error HTTP 400 error as by default required = true, if set to required = false causes unauthorized studies to be shown as authorized Swagger validation errors fixed via commit a57c489 caused this issue.
authentication object validity check - only if user authorization is enabled, authentication object is obtained from SecurityContextHolder
…jagnathan/cbioportal into fix10221-403-authorized-studies
|
Kudos, SonarCloud Quality Gate passed! |
|
opened a new PR #10267 to replace this PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix #10221 Unauthorized studies are displayed as authorized due to issue with using RequestParam