Ensure workflow "Files" tab and various git views are functional when…

… using special auth codes. Fixes #2152
seek4science · Feb 26, 2025 · 192e8d6 · 192e8d6
1 parent cd83dca
commit 192e8d6
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 8 deletions.
diff --git a/app/controllers/git_controller.rb b/app/controllers/git_controller.rb
@@ -192,7 +192,7 @@ def fetch_parent
   end
 
   def authorize_parent
-    unless @parent_resource.can_download?
+    unless is_auth?(@parent_resource, :download)
       target = @parent_resource.can_view? ? @parent_resource : :root
       render_git_error('Not authorized', status: 403, redirect: target)
     end

diff --git a/app/models/special_auth_code.rb b/app/models/special_auth_code.rb
@@ -13,5 +13,5 @@ def defaults
 
   validates_presence_of :code, :expiration_date
 
-  validate ->(code) { errors.add(:special_auth_code, 'asset must be manageable') unless code.asset && code.asset.can_manage? }
+  validate ->(code) { errors.add(:special_auth_code, 'asset must be manageable') unless ((code.asset && code.asset.can_manage?) || !authorization_checks_enabled) }
 end
diff --git a/app/views/general/_show_page_tab_definitions.html.erb b/app/views/general/_show_page_tab_definitions.html.erb
@@ -8,7 +8,7 @@
   <% end %>
 
   <% if versioned_resource&.is_git_versioned? %>
-    <%= tab('files', disabled_reason: versioned_resource.can_download? ? nil : 'You are not authorized to access this content.') do %>
+    <%= tab('files', disabled_reason: can_download_asset?(resource, params[:code]) ? nil : 'You are not authorized to access this content.') do %>
       <span class="glyphicon glyphicon-folder-close"></span> Files
     <% end %>
   <% end %>
@@ -19,7 +19,7 @@
 
 	<% if resource %>
 		<% resource_is_assay_stream = resource_name == 'Assay' ? resource.is_assay_stream? : false %>
-		<% if Seek::Config.isa_json_compliance_enabled && resource.is_isa_json_compliant? && !resource_is_assay_stream %>
+		<% if Seek::Config.isa_json_compliance_enabled && resource.respond_to?(:is_isa_json_compliant?) && resource.is_isa_json_compliant? && !resource_is_assay_stream %>
 			<%= tab(resource_name&.downcase + "_design") do %>
 				<span class="glyphicon glyphicon-th-list"></span> <%= resource.model_name.human %> design
 			<% end %>

diff --git a/app/views/git/_blob.html.erb b/app/views/git/_blob.html.erb
@@ -9,8 +9,8 @@
 <div>
   <div class="pull-right">
     <% if @blob.fetched? %>
-      <%= button_link_to('Download', 'download', polymorphic_path([@parent_resource, :git_download], version: @git_version.version, path: @blob.path)) %>
-      <%= button_link_to('Raw', 'markup', polymorphic_path([@parent_resource, :git_raw], version: @git_version.version, path: @blob.path)) %>
+      <%= button_link_to('Download', 'download', polymorphic_path([@parent_resource, :git_download], version: @git_version.version, path: @blob.path, code: params[:code])) %>
+      <%= button_link_to('Raw', 'markup', polymorphic_path([@parent_resource, :git_raw], version: @git_version.version, path: @blob.path, code: params[:code])) %>
     <% end %>
     <% if @blob.remote? %>
       <%= button_link_to('External Link', 'external_link', @blob.url, target: :_blank) %>

diff --git a/app/views/git/_files.html.erb b/app/views/git/_files.html.erb
@@ -37,7 +37,9 @@
             if (node.type === 'blob') {
                 var path = '<%= polymorphic_path([resource, :git_blob], version: git_version.version, path: '__replaceme__') %>'.replace('__replaceme__', Git.encodePath(node.data.path))
                 element.spinner('add');
+                var code = new URLSearchParams(document.location.search).get('code');
                 $j.ajax(path, {
+                    data: code ? { code: code } : {},
                     success: function (html) {
                         $j('#git-preview-modal .modal-body').html(html);
                         $j('#git-preview-modal').modal('show');

diff --git a/app/views/workflows/show.html.erb b/app/views/workflows/show.html.erb
@@ -4,7 +4,7 @@
 
 <%= render partial: 'assets/upload_new_version_form', locals: { resource: @workflow } -%>
 
-<%= render partial: 'general/show_page_tab_definitions', locals: { versioned_resource: @display_workflow } %>
+<%= render partial: 'general/show_page_tab_definitions', locals: { resource: @workflow, versioned_resource: @display_workflow } %>
 
 <div class="tab-content">
   <%= tab_pane('overview') do %>
@@ -85,7 +85,7 @@
     </div>
   <% end %>
 
-  <% if @display_workflow.is_git_versioned? && @display_workflow.can_download? %>
+  <% if @display_workflow.is_git_versioned? && can_download_asset?(@workflow, params[:code]) %>
     <%= tab_pane('files') do %>
       <%= render partial: 'git/files', locals: { resource: @workflow, git_version: @display_workflow } %>
     <% end %>

diff --git a/test/functional/git_controller_test.rb b/test/functional/git_controller_test.rb
@@ -295,6 +295,40 @@ def setup
     assert flash[:error].include?('authorized')
   end
 
+  test 'get blob of private workflow via sharing link' do
+    workflow = FactoryBot.create(:local_git_workflow, policy: FactoryBot.create(:private_policy))
+    refute workflow.can_download?(nil)
+    sharing_link = nil
+    disable_authorization_checks { sharing_link = workflow.special_auth_codes.create! }
+    get :blob, params: { workflow_id: workflow.id, version: 1, path: 'diagram.png', code: sharing_link.code }, format: :html
+
+    assert_response :success
+    assert_select 'a.btn[href=?]', workflow_git_download_path(workflow, version: workflow.git_version.version, path: 'diagram.png', code: sharing_link.code)
+  end
+
+  test 'get raw blob of private workflow via sharing link' do
+    workflow = FactoryBot.create(:local_git_workflow, policy: FactoryBot.create(:private_policy))
+    refute workflow.can_download?(nil)
+    sharing_link = nil
+    disable_authorization_checks { sharing_link = workflow.special_auth_codes.create! }
+    get :raw, params: { workflow_id: workflow.id, version: 1, path: 'concat_two_files.ga', code: sharing_link.code }, format: :html
+
+    assert_response :success
+    assert @response.body.include?('galaxy_workflow')
+    assert response.headers['Content-Type'].include?('text/plain')
+  end
+
+  test 'download blob of private workflow via sharing link' do
+    workflow = FactoryBot.create(:local_git_workflow, policy: FactoryBot.create(:private_policy))
+    refute workflow.can_download?(nil)
+    sharing_link = nil
+    disable_authorization_checks { sharing_link = workflow.special_auth_codes.create! }
+    get :download, params: { workflow_id: workflow.id, version: 1, path: 'concat_two_files.ga', code: sharing_link.code }, format: :html
+
+    assert_response :success
+    assert @response.header['Content-Disposition'].include?('attachment')
+  end
+
   test 'show appropriate buttons for permissions' do
     viewer = FactoryBot.create(:person)
     downloader = FactoryBot.create(:person)