Fix current version bug #366
base: release-2024.4.4
…missions to view it. The current version to other users will only be the published one.
Thanks for looking at this, Estelle. Is there a reason why all of the function definitions got an extra indent? It also might be nice if we add a test that ensures this new behavior to superseding score sets.
src/mavedb/routers/score_sets.py
Outdated
if( | ||
item | ||
and item.superseding_score_set | ||
and not owner_or_contributor | ||
and ( | ||
urn_re.MAVEDB_OLD_TMP_URN_RE.fullmatch(item.superseding_score_set.urn) | ||
or urn_re.MAVEDB_TMP_URN_RE.fullmatch(item.superseding_score_set.urn) | ||
) | ||
): | ||
item.superseding_score_set = None |
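Review bot: The condition that matches item.superseding_score_set.urn against MAVEDB_OLD_TMP_URN_RE and MAVEDB_TMP_URN_RE decides visibility from the shape of the URN rather than from an access check on the superseding score set. It is also not visible in this hunk whether owner_or_contributor was computed for item or for item.superseding_score_set; if it is for item, a contributor on the parent who has no rights on the unpublished successor would still receive it. Consider clearing the property based on a read-permission check against item.superseding_score_set itself, and put a space after "if" to match the usual "if (" style.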
What if instead of checking like this we check the permissions of the superseding score set, something like:
if( | |
item | |
and item.superseding_score_set | |
and not owner_or_contributor | |
and ( | |
urn_re.MAVEDB_OLD_TMP_URN_RE.fullmatch(item.superseding_score_set.urn) | |
or urn_re.MAVEDB_TMP_URN_RE.fullmatch(item.superseding_score_set.urn) | |
) | |
): | |
item.superseding_score_set = None | |
from mavedb.lib.permissions import Action, assert_permission, has_permission | |
if item.superseding_score_set: | |
superseding_score_set = db.scalars(select(ScoreSet).where(ScoreSet.urn = item.superseding_score_set).one() | |
if not has_permission(user, item, Action.READ): | |
item.superseding_score_set = None |
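Review bot: In the added lines, has_permission(user, item, Action.READ) checks item, not the superseding_score_set that was just looked up, so the property would be cleared according to access on the parent record and the queried object is never used. Pass the superseding score set to has_permission instead. The query line also will not parse as written: ScoreSet.urn = item.superseding_score_set uses "=" where the comparison "==" is needed, and the parentheses around db.scalars(...) are unbalanced before .one(). That line compares ScoreSet.urn to item.superseding_score_set directly, so it is worth confirming whether that attribute is a URN or already a loaded object, in which case no query is needed. The import would also read better at module top than inside the handler.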
This way, we don't have to maintain any extra permission logic and can guarantee the item within the superseding score set property is only returned if the user has access to it.
I modified it. I check item.superseding_score_set directly because it's an object.
Would you also be able to fix the extra indentations before merging? The logic looks good!
…score sets are unpublished yet. Haven't fixed the search score set codes.
Only show unpublished superseding score set to the users who have permissions to view it. The current version to other users will only be the published one.
Fix #370
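The behaviour discussed in this thread (hide an unpublished superseding score set from users who cannot read it, so their "current version" is the latest published one), as an added example that is not code from this PR or from MaveDB. The User and ScoreSet classes, can_read, visible_superseding and current_version are hypothetical, simplified stand-ins, and following the whole superseding chain goes slightly beyond the single hop shown in the review.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical, simplified stand-ins for the project's models and permission
# check; every name here is an assumption made for this example.
@dataclass
class User:
    name: str

@dataclass
class ScoreSet:
    urn: str
    published: bool
    owner: str
    contributors: set = field(default_factory=set)
    superseding_score_set: Optional["ScoreSet"] = None

def can_read(user: Optional[User], score_set: ScoreSet) -> bool:
    """Published records are public; unpublished ones need owner or contributor."""
    if score_set.published:
        return True
    if user is None:
        return False
    return user.name == score_set.owner or user.name in score_set.contributors

def visible_superseding(user: Optional[User], item: ScoreSet) -> Optional[ScoreSet]:
    """Return the superseding score set only if this user may read it.

    The decision is made on the superseding object itself, not on the
    item being served and not on the shape of its URN.
    """
    nxt = item.superseding_score_set
    return nxt if nxt is not None and can_read(user, nxt) else None

def current_version(user: Optional[User], item: ScoreSet) -> ScoreSet:
    """Follow the superseding chain as far as this user is allowed to see."""
    seen = {id(item)}  # guards against a cyclic chain
    while (nxt := visible_superseding(user, item)) is not None and id(nxt) not in seen:
        seen.add(id(nxt))
        item = nxt
    return item

# Constructed sample data: v1 and v2 are published, v3 is an unpublished draft.
v3 = ScoreSet("tmp:constructed-draft", False, "alice", {"bob"})
v2 = ScoreSet("urn:example:2", True, "alice", superseding_score_set=v3)
v1 = ScoreSet("urn:example:1", True, "alice", superseding_score_set=v2)
```

A test for the endpoint can assert the same three cases: anonymous user, contributor on the draft, and a user with rights on the parent only.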