Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add annotation access controls at the folder level #905

Merged
merged 18 commits into from
Aug 16, 2022
Merged

Add annotation access controls at the folder level #905

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
ac8f7ee
Add annotation access controls at the folder level
eagw Aug 1, 2022
e3d7e98
Add missing newline
eagw Aug 1, 2022
f6dcd6c
Fix linting issues
eagw Aug 1, 2022
06302c7
Replace `yield` with `return`
eagw Aug 10, 2022
d350560
Add hierarchy widget to index to import it
eagw Aug 10, 2022
0e1adec
Add count method for girder count header
eagw Aug 10, 2022
335a5d5
Merge master into folder-access-control to fix CI
eagw Aug 10, 2022
dd6f410
Make endpoint to set access list for folder annots
eagw Aug 12, 2022
b231867
Fix lint error
eagw Aug 15, 2022
329af9f
Improve endpoint user expectations
eagw Aug 15, 2022
ed036e9
Fix lint
eagw Aug 15, 2022
cbed60e
Remove extra line
eagw Aug 15, 2022
b832046
Fix issue from lint fix
eagw Aug 15, 2022
6ee1943
Fix duplicate annotation returns from pipeline
eagw Aug 15, 2022
666ee38
Add time limit and count to update access endpoint
eagw Aug 15, 2022
7b3786f
Remove default value from `setAccessList` call
eagw Aug 15, 2022
62a6b50
Remove unnecessary `HierarchyWidget` wrapper
eagw Aug 15, 2022
5337f0a
Fix HTML inconsistency
eagw Aug 15, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
145 changes: 145 additions & 0 deletions girder_annotation/girder_large_image_annotation/rest/annotation.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@

import cherrypy
import orjson
from bson.objectid import ObjectId

from girder import logger
from girder.api import access
Expand Down Expand Up @@ -58,6 +59,9 @@ def __init__(self):
self.route('GET', ('item', ':id'), self.getItemAnnotations)
self.route('POST', ('item', ':id'), self.createItemAnnotations)
self.route('DELETE', ('item', ':id'), self.deleteItemAnnotations)
self.route('GET', ('folder', ':id'), self.returnFolderAnnotations)
self.route('GET', ('folder', ':id', 'present'), self.existFolderAnnotations)
self.route('PUT', ('folder', ':id', 'access'), self.setFolderAnnotationAccess)
self.route('GET', ('old',), self.getOldAnnotations)
self.route('DELETE', ('old',), self.deleteOldAnnotations)
self.route('GET', ('counts',), self.getItemListAnnotationCounts)
Expand Down Expand Up @@ -558,6 +562,147 @@ def deleteItemAnnotations(self, item):
count += 1
return count

def getFolderAnnotations(self, id, recurse, user, limit=False, offset=False, sort=False,
sortDir=False, count=False):
recursivePipeline = [
{'$graphLookup': {
'from': 'folder',
'startWith': '$_id',
'connectFromField': '_id',
'connectToField': 'parentId',
'as': '__children'
}},
{'$unwind': {'path': '$__children'}},
{'$replaceRoot': {'newRoot': '$__children'}},
{'$unionWith': {
'coll': 'folder',
'pipeline': [{'$match': {'_id': ObjectId(id)}}]
}}] if recurse else []
accessPipeline = [
{'$match': {
'$or': [
{'access.users':
{'$elemMatch': {
'id': user['_id'],
'level': {'$gte': 2}
}}},
{'access.groups':
{'$elemMatch': {
'id': {'$in': user['groups']},
'level': {'$gte': 2}
}}}
]
}}
] if not user['admin'] else []
pipeline = [
{'$match': {'_id': 'none'}},
{'$unionWith': {
'coll': 'folder',
'pipeline': [{'$match': {'_id': ObjectId(id)}}] +
recursivePipeline +
[{'$lookup': {
'from': 'item',
'localField': '_id',
'foreignField': 'folderId',
'as': '__items'
}}, {'$lookup': {
'from': 'annotation',
'localField': '__items._id',
'foreignField': 'itemId',
'as': '__annotations'
}}, {'$unwind': '$__annotations'},
{'$replaceRoot': {'newRoot': '$__annotations'}},
{'$match': {'_active': {'$ne': False}}}
] + accessPipeline
}},
]
if count:
pipeline += [{'$count': 'count'}]
else:
pipeline = pipeline + [{'$sort': {sort: sortDir}}] if sort else pipeline
pipeline = pipeline + [{'$skip': offset}] if offset else pipeline
pipeline = pipeline + [{'$limit': limit}] if limit else pipeline

return Annotation().collection.aggregate(pipeline)

@autoDescribeRoute(
Description('Check if the user owns any annotations for the items in a folder')
.param('id', 'The ID of the folder', required=True, paramType='path')
.param('recurse', 'Whether or not to recursively check '
'subfolders for annotations', required=False, default=True, dataType='boolean')
.errorResponse()
)
@access.public
def existFolderAnnotations(self, id, recurse):
user = self.getCurrentUser()
if not user:
return []
annotations = self.getFolderAnnotations(id, recurse, user, 1)
try:
next(annotations)
return True
except StopIteration:
return False

@autoDescribeRoute(
Description('Get the user-owned annotations from the items in a folder')
.param('id', 'The ID of the folder', required=True, paramType='path')
.param('recurse', 'Whether or not to retrieve all '
'annotations from subfolders', required=False, default=False, dataType='boolean')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did you choose to have recurse default to false for this endpoint (and true on the present endpoint)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My thought was that when you think of an endpoint that gets annotations from a folder someone is more likely to assume that it's just returning the annotations from that folder and not all other folders it contains as well. Whereas with the present endpoint I thought they'd be more likely to use it when trying to determine if a user owns any annotations in the folder or its subfolders. But I realize this logic isn't very intuitive, so I could change it so they're both the same.

.pagingParams(defaultSort='created', defaultSortDir=-1)
.errorResponse()
)
@access.public
def returnFolderAnnotations(self, id, recurse, limit, offset, sort):
user = self.getCurrentUser()
if not user:
return []
annotations = self.getFolderAnnotations(id, recurse, user, limit, offset,
sort[0][0], sort[0][1])

def count():
try:
return next(self.getFolderAnnotations(id, recurse, self.getCurrentUser(),
count=True))['count']
except StopIteration:
# If there are no values to iterate over, the count is 0 and should be returned
return 0

annotations.count = count
return annotations

@autoDescribeRoute(
Description('Set the access for all the user-owned annotations from the items in a folder')
.param('id', 'The ID of the folder', required=True, paramType='path')
.param('access', 'The JSON-encoded access control list.')
.param('public', 'Whether the annotation should be publicly visible.',
dataType='boolean', required=False)
.param('recurse', 'Whether or not to retrieve all '
'annotations from subfolders', required=False, default=False, dataType='boolean')
.errorResponse('ID was invalid.')
)
@access.user
def setFolderAnnotationAccess(self, id, params):
setResponseTimeLimit(86400)
user = self.getCurrentUser()
if not user:
return []
access = json.loads(params['access'])
public = self.boolParam('public', params, False)
count = 0
for annotation in self.getFolderAnnotations(id, params['recurse'], user):
annot = Annotation().load(annotation['_id'], user=user, getElements=False)
annot = Annotation().setPublic(annot, public)
annot = Annotation().setAccessList(
annot, access, user=user)
Annotation().update({'_id': annot['_id']}, {'$set': {
key: annot[key] for key in ('access', 'public', 'publicFlags')
if key in annot
}})
count += 1

return {'updated': count}

@autoDescribeRoute(
Description('Report on old annotations.')
.param('age', 'The minimum age in days.', required=False,
Expand Down
96 changes: 96 additions & 0 deletions girder_annotation/girder_large_image_annotation/web_client/views/hierarchyWidget.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
import $ from 'jquery';
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to add the HierarchyWidget to the views/index.js file to get it imported.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See d350560


import { wrap } from '@girder/core/utilities/PluginUtils';
import { restRequest } from '@girder/core/rest';
import AccessWidget from '@girder/core/views/widgets/AccessWidget';
import HierarchyWidget from '@girder/core/views/widgets/HierarchyWidget';

import AnnotationModel from '../models/AnnotationModel';

wrap(HierarchyWidget, 'render', function (render) {
render.call(this);

if (this.parentModel.get('_modelType') === 'folder') {
ownAnnotation(this, this.parentModel.id);
}
});

function ownAnnotation(root, folderId) {
restRequest({
type: 'GET',
url: 'annotation/folder/' + folderId + '/present',
data: {
recurse: true
}
}).done((ownsAnnot) => {
if (ownsAnnot) {
addAccessControl(root);
}
});
}

function addAccessControl(root) {
if (root.$('.g-edit-annotation-access').length === 0) {
if (root.$('.g-folder-actions-menu > .divider').length > 0) {
root.$('.g-folder-actions-menu > .divider').before(
'<li role="presentation">' +
'<a class="g-edit-annotation-access" role="menuitem">' +
'<i class="icon-lock"></i>' +
'Annotation access control' +
'</a>' +
'</li>'
);
} else {
root.$('ul.g-folder-actions-menu').append(
'<li role="presentation">' +
'<a class="g-edit-annotation-access" role="menuitem">' +
'<i class="icon-lock"></i>' +
'Annotation access control' +
'</a>' +
'</li>'
);
}
root.events['click .g-edit-annotation-access'] = editAnnotAccess;
root.delegateEvents();
}
}

function editAnnotAccess() {
restRequest({
type: 'GET',
url: 'annotation/folder/' + this.parentModel.get('_id'),
data: {
recurse: true,
limit: 1
}
}).done((resp) => {
const model = new AnnotationModel(resp[0]);
model.get('annotation').name = 'Your Annotations';
model.save = () => {};
model.updateAccess = (settings) => {
const access = {
access: model.get('access'),
public: model.get('public'),
publicFlags: model.get('publicFlags')
};
const defaultUpdateModel = new AnnotationModel();
defaultUpdateModel.id = this.parentModel.get('_id');
defaultUpdateModel.altUrl = 'annotation/folder';
defaultUpdateModel.set(access);
defaultUpdateModel.updateAccess(settings);
model.trigger('g:accessListSaved');
};
model.fetchAccess(true)
.done(() => {
new AccessWidget({// eslint-disable-line no-new
el: $('#g-dialog-container'),
modelType: 'annotation',
model,
hideRecurseOption: false,
parentView: this
});
});
});
}

export default HierarchyWidget;
2 changes: 2 additions & 0 deletions girder_annotation/girder_large_image_annotation/web_client/views/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import * as viewers from '@girder/large_image/views/imageViewerWidget';

import ConfigView from './configView';
import HierarchyWidget from './hierarchyWidget';
import ImageViewerSelectWidget from './imageViewerSelectWidget';
import ItemListWidget from './itemList';
import ImageViewerWidgetAnnotationExtension from './imageViewerWidget/base';
Expand All @@ -15,6 +16,7 @@ for (var key in viewers) {

export {
ConfigView,
HierarchyWidget,
ImageViewerSelectWidget,
ItemListWidget,
viewers as ViewerWidget
Expand Down