Bug #3391
closed
[Workbench] Can see job information but cannot access output collection
Description
I am not the owner of the job, but I can see job qr1hi-8i9sb-agcnphf8im1aegp from the jobs page. When trying to access the log information, I get a fiddlesticks error message:
API request URL
https://qr1hi.arvadosapi.com/arvados/v1/collections/4c1a8038ae7fcb167c8274855dd7e7e6+89
API response
{
":errors":[
"Path not found"
],
":error_token":"1406571185+5104d817"
}
Updated by Peter Amstutz over 9 years ago
The problem here is that having access to read a Job record doesn't mean you can read the collection containing the job log. Either the log collection needs to automatically owned by the same project as the job (so that being able to read the project, which grants the ability read the job, also grants the ability to read the job) or permission to read the collection needs to be implicit through the job record "log" field of the collection (possibly a security risk if the log field isn't properly protected by API server from malicious updating to otherwise unowned collections.)
Updated by Tom Clegg over 9 years ago
Fix by making the "show log" link non-clickable (and look non-clickable) when the log page is unreadable.
(It is desirable to support cases where a readable object has a reference to an unreadable object. The solution is to make it possible for the non-reading user to understand what's happening, and for a user who controls the sharing to anticipate when other users will get into this situation, and correct it if they choose to.)
Updated by Tom Clegg over 9 years ago
- Subject changed from Can see job information but cannot access output collection to [Workbench] Can see job information but cannot access output collection
- Category set to Workbench
Updated by Tom Clegg over 9 years ago
- Target version set to Arvados Future Sprints
Updated by Peter Amstutz almost 3 years ago
- Target version deleted (
Arvados Future Sprints)