Nancy OuyangBug #5915
closed
[Workbench] Sharing link for public collection still renders after sharing token is revoked, but then downloaded files are 0 bytes
Description
To replicate: Go to https://workbench.qr1hi.arvadosapi.com/collections/download/qr1hi-4zz18-7zk4muy5grnaqpv/4qji0cfumh25dttlwteo6rj2b83z2b8vz1l0rja3uzo82bf3s/ and right-click, download any file. File is 0 bytes.
Scenario: This was linked from https://github.com/nouyang-curoverse/GA4GH_regions and caused confusion as noted by @adamnovak here: https://github.com/nouyang-curoverse/GA4GH_regions/pull/2
Notes:
Collection (A) in Arvados at
https://workbench.qr1hi.arvadosapi.com/collections/qr1hi-4zz18-7zk4muy5grnaqpv
Sharing button is still "depressed".
Collection (A) was copied to a public project (B) so that I could share the collection in "anonymous" view. I probably clicked share/unshare a few times on the collection (A).
Workaround, in the meantime:
Public project (B): https://workbench.qr1hi.arvadosapi.com/collections/qr1hi-4zz18-7zk4muy5grnaqpv
Collection sharing link from project (B): https://workbench.qr1hi.arvadosapi.com/collections/download/qr1hi-4zz18-7zk4muy5grnaqpv/2sf3n5y9nuqhi815xioxa2ychioyqts7i5ysxg5we8fdl988az/
Updated by Abram Connelly almost 9 years ago
This is also referenced under the wiki https://github.com/ga4gh/schemas/wiki/Human-Genome-Variation-Map-%28HGVM%29-Pilot-Project#pilot-test-data.
Updated by Nancy Ouyang almost 9 years ago
Fixed ga4gh HGVM wiki link as listed above
Updated by Nancy Ouyang almost 9 years ago
Update: Actually, the files seem correct if I am logged into Workbench, but if I log-out or use private browsing mode, the files are 0 bytes.
Updated by Brett Smith almost 9 years ago
- Subject changed from files in public collection (via "share link") are 0 bytes to [Workbench] Sharing link for public collection still renders after sharing token is revoked, but then downloaded files are 0 bytes
- Category set to Workbench
- Status changed from New to In Progress
- Assigned To set to Brett Smith
- Target version changed from Bug Triage to 2015-05-20 sprint
I haven't proven it, but I'm pretty sure this is what happened:
- The first sharing link was created.
- The collection was publicly shared so people without Arvados accounts could see the full Workbench interface.
- The token from the first sharing link was revoked. (This is the part I haven't confirmed, since activity around API tokens is scarcely logged.)
Now I'm looking at CollectionsController#show_file in Workbench. It calls Collection.find with different API tokens to look for one that it can pass along to arv-get. However, we implemented public views by passing along the defined public token as a reader token with every API request. Because of this, when the collection is shared publicly, Collection.find will always return a result. This will trick show_file into thinking that any defined token is usable, even if that's not actually case. It will use that token when it calls arv-get, and that will fail.
The easy way to get the downloads working again would be to reverse the order that show_file searches tokens for usability. This would check the public reader token for usability first: if that fails, we would be assured that it was not skewing the results in future checks. I'm going to make that change now.
This maybe raises an interesting question of whether Workbench should always fail when you make a request involving a sharing token that's been revoked. On the one hand, it might upset users to see a request still work after they revoked the link. On the other hand, it's not actually hurting anything from a strict security analysis: the collection is public, so the visitor can still get the data, they'd just have to try the token-less URL. I'm going to leave this question for another ticket.
Updated by Brett Smith almost 9 years ago
- Status changed from In Progress to Resolved
- % Done changed from 0 to 100
Applied in changeset arvados|commit:b7c7f20d17afc11d2cce7bfee2205a26dc4a4762.