
Forbidden access to admin user to an embargoed asset (dandiset overall ok) #1996

Closed
yarikoptic opened this issue Aug 7, 2024 · 1 comment · Fixed by #2004
Labels: bug (Something isn't working), embargo (Issues around embargo functionality), released (This issue/pull request has been released)

Comments

@yarikoptic (Member):

Origin:

which boils down to the /download/ endpoint issuing a 403 instead of allowing the download of an asset in an embargoed dandiset. It allows listing/browsing just fine, but not downloading.

To demo/reproduce in CLI:

$ curl -sSL -H "Authorization: token $DANDI_API_KEY" -X GET https://api.dandiarchive.org/api/dandisets/001082/
{"identifier":"001082","created":"2024-07-05T22:24:27.440178Z" ... sensitive pruned ... "embargo_status":"EMBARGOED" ...
# accessing asset from within it
$ curl -vsSL -H "Authorization: token $DANDI_API_KEY" https://api.dandiarchive.org/api/assets/3e98c412-b4be-4e3d-8709-662e721cba30/download/ 2>&1 | tail -n 20
< Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1723046887&sid=c46efe9b-d3d2-4a0c-8c76-bfafa16c5add&s=2e915MBLhJJgGluInYtGZIyVYjAasqDvjolI0kX6ihQ%3D"}]}
< Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1723046887&sid=c46efe9b-d3d2-4a0c-8c76-bfafa16c5add&s=2e915MBLhJJgGluInYtGZIyVYjAasqDvjolI0kX6ihQ%3D
< Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
< Connection: keep-alive
< Server: gunicorn
< Date: Wed, 07 Aug 2024 16:08:07 GMT
< Content-Type: application/json
< Vary: Accept, Cookie, origin
< Allow: GET, HEAD, OPTIONS
< X-Frame-Options: DENY
< Content-Length: 63
< Strict-Transport-Security: max-age=31536000
< X-Content-Type-Options: nosniff
< Referrer-Policy: same-origin
< Cross-Origin-Opener-Policy: same-origin
< Via: 1.1 vegur
< 
{ [63 bytes data]
* Connection #0 to host api.dandiarchive.org left intact
{"detail":"You do not have permission to perform this action."}

and in the GUI -- one can navigate to https://dandiarchive.org/dandiset/000874/draft/files?location=derivatives%2FOCT-pipeline%2Fsub-SP002%2Fmicr&page=1 just fine, but cannot download a JSON file there.
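The symptom reported above (listing an embargoed dandiset succeeds, but /download/ on one of its assets returns 403 for an administrator) is the classic result of two endpoints enforcing the same rule with two separate pieces of logic that drift apart. The following is an added illustration, not dandi-archive's code and not the fix from #2004: a buggy download handler hard-codes an owners-only check and forgets administrators, while the fixed handler delegates to the same predicate the listing endpoint uses. All class and function names (`User`, `Dandiset`, `Asset`, `can_access_embargoed`, `probe`) and the sample identifiers are hypothetical.

```python
# Added example (not dandi-archive's code). Demonstrates why "list works but
# download returns 403" happens when endpoints re-implement an embargo check
# independently, and how one shared authorization predicate prevents the drift.
from dataclasses import dataclass

EMBARGOED = "EMBARGOED"   # value seen in the API response quoted in the report


@dataclass(frozen=True)
class User:
    username: str
    is_admin: bool = False   # the "admin user" of the issue title (assumption)


@dataclass(frozen=True)
class Dandiset:
    identifier: str
    embargo_status: str
    owners: frozenset


@dataclass(frozen=True)
class Asset:
    asset_id: str
    dandiset: Dandiset
    blob: bytes


class Forbidden(Exception):
    """Stands in for an HTTP 403 'You do not have permission' response."""


def can_access_embargoed(user: User, dandiset: Dandiset) -> bool:
    """Single authorization predicate that every endpoint should consult."""
    if dandiset.embargo_status != EMBARGOED:
        return True
    return user.is_admin or user.username in dandiset.owners


def list_assets(user: User, dandiset: Dandiset, assets: list) -> list:
    """Listing endpoint: consults the shared predicate."""
    if not can_access_embargoed(user, dandiset):
        raise Forbidden()
    return [a.asset_id for a in assets if a.dandiset == dandiset]


def download_asset_buggy(user: User, asset: Asset) -> bytes:
    """Download endpoint with its own inline rule: owners only, admins forgotten."""
    ds = asset.dandiset
    if ds.embargo_status == EMBARGOED and user.username not in ds.owners:
        raise Forbidden()
    return asset.blob


def download_asset_fixed(user: User, asset: Asset) -> bytes:
    """Download endpoint delegating to the same predicate as the listing."""
    if not can_access_embargoed(user, asset.dandiset):
        raise Forbidden()
    return asset.blob


def probe(user: User, dandiset: Dandiset, assets: list, download) -> dict:
    """Exercise list and download for one user and report HTTP-style outcomes,
    so the two endpoints can be compared for consistency in a test."""
    outcome = {}
    try:
        list_assets(user, dandiset, assets)
        outcome["list"] = 200
    except Forbidden:
        outcome["list"] = 403
    try:
        download(user, assets[0])
        outcome["download"] = 200
    except Forbidden:
        outcome["download"] = 403
    return outcome


# Constructed sample data; identifiers are placeholders, not real archive ids.
DS = Dandiset("000000", EMBARGOED, frozenset({"owner1"}))
ASSETS = [Asset("asset-placeholder-1", DS, b"{}")]
ADMIN = User("admin", is_admin=True)
OWNER = User("owner1")
ANON = User("anonymous")

if __name__ == "__main__":
    for who in (ADMIN, OWNER, ANON):
        print(who.username,
              "buggy:", probe(who, DS, ASSETS, download_asset_buggy),
              "fixed:", probe(who, DS, ASSETS, download_asset_fixed))
```

The `probe` helper is the shape of regression test worth keeping around: for each role, every endpoint that exposes embargoed content must return the same verdict, so an owners-only check that quietly diverges from the listing rule shows up as a mismatch rather than as a user report.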

@dandibot (Member):

🚀 Issue was released in v0.3.94 🚀

@dandibot dandibot added the released This issue/pull request has been released. label Aug 16, 2024