From 7e21f1296d510e5b3429f96e545ec4829af6b912 Mon Sep 17 00:00:00 2001 From: MontrealSergiy Date: Tue, 30 Jul 2024 17:54:23 -0400 Subject: [PATCH] Only ensure a CbrainFileList read access at task submission, resolves #1057 --- .../app/models/boutiques_portal_task.rb | 11 +++++++---- .../templates/portal.rb.erb | 18 ++++++++++++------ 2 files changed, 19 insertions(+), 10 deletions(-) diff --git a/BrainPortal/app/models/boutiques_portal_task.rb b/BrainPortal/app/models/boutiques_portal_task.rb index d360dc148..5df018cf6 100644 --- a/BrainPortal/app/models/boutiques_portal_task.rb +++ b/BrainPortal/app/models/boutiques_portal_task.rb @@ -307,7 +307,11 @@ def final_task_list #:nodoc: original_userfiles_ids = self.params[:interface_userfile_ids].dup self.params[:interface_userfile_ids] = [] # zap it; we'll re-introduce each userfile.id as needed tasklist = original_userfiles_ids.map do |userfile_id| - f = Userfile.find_accessible_by_user( userfile_id, self.user, :access_requested => file_access_symbol() ) + if CbrainFileList.find_by(:id => userfile_id) + f = CbrainFileList.find_accessible_by_user( userfile_id, self.user, :access_requested => :read ) + else + f = Userfile.find_accessible_by_user( userfile_id, self.user, :access_requested => :read ) + end # One task for that file if (! f.is_a?( CbrainFileList ) || input.list) # in case of a list input, we *do* assign it the CbFileList @@ -406,7 +410,7 @@ def cbcsv_files(descriptor = self.descriptor_for_after_form) next if isInactive(input) userfile_id = invoke_params[input.id] next if userfile_id.blank? - userfile = Userfile.find_accessible_by_user(userfile_id, self.user, :access_requested => file_access_symbol()) + userfile = Userfile.find_accessible_by_user(userfile_id, self.user, :access_requested => :read) next unless ( userfile.is_a?(CbrainFileList) || (userfile.suggested_file_type || Object) <= CbrainFileList ) [ input, userfile ] end.compact 
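Review bot: Both branches of the new `if`/`else` in `final_task_list` request `:read`, so ordinary userfiles are no longer checked against `file_access_symbol()` here, which is wider than the subject line (read access for a CbrainFileList only). The File branch of `sanitize_param` (hunk at -542) has the same effect: every input file is now looked up with `:read`. Unless write access for tools that mutate their inputs is enforced somewhere these hunks do not show, that check is dropped at submission. A single lookup keeps the stated intent and avoids the extra `CbrainFileList.find_by` query: `f = Userfile.find_accessible_by_user( userfile_id, self.user, :access_requested => :read )` followed by `f = Userfile.find_accessible_by_user( userfile_id, self.user, :access_requested => file_access_symbol() ) unless f.is_a?( CbrainFileList )`. The body of `final_task_list` continues outside the hunk.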
@@ -481,7 +485,6 @@ def validateCols(cbcsv,id) # Raises an exception for the input parameter name if the parameter's value # is not adequate. def sanitize_param(input) - name = input.id type = input.type.downcase.to_sym # old code convention from previous integrator @@ -542,7 +545,7 @@ def sanitize_param(input) next nil # remove bad value end - file = Userfile.find_accessible_by_user(value, self.user, :access_requested => file_access_symbol()) rescue nil + file = Userfile.find_accessible_by_user(value, self.user, :access_requested => :read) rescue nil unless file params_errors.add(invokename, ": cannot find userfile (ID #{value})") next nil # remove bad value diff --git a/BrainPortal/lib/cbrain_task_generators/templates/portal.rb.erb b/BrainPortal/lib/cbrain_task_generators/templates/portal.rb.erb index ab6e1bcfc..a81c71f3c 100644 --- a/BrainPortal/lib/cbrain_task_generators/templates/portal.rb.erb +++ b/BrainPortal/lib/cbrain_task_generators/templates/portal.rb.erb @@ -439,7 +439,8 @@ class CbrainTask::<%= name %> < <%= (descriptor['custom'] || {})['cbrain:inherit begin # Check that the user has access to all of the files in the cbcsv fs = f.userfiles_accessible_by_user!(self.user,nil,nil,file_access) for i in f.ordered_raw_ids.select{ |r| (! r.nil?) && (r.to_s != '0') } - accessible = ! ( Userfile.find_accessible_by_user( i, self.user, :access_requested => file_access ) rescue nil ).nil? + accessible = ! ( Userfile.find_accessible_by_user( i, self.user, :access_requested => file_access ) rescue nil ).nil? + accessible |= ! ( CbrainFileList.find_accessible_by_user( i, self.user, :access_requested => :read ) rescue nil ).nil? params_errors.add( id, msg1.(i) ) unless accessible errFlag = false unless accessible end 
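Review bot: The added `accessible |= ...` line in the -439 hunk always performs the second lookup, because `|=` does not short-circuit, so every id in the list costs two queries even when the `file_access` check already passed. `accessible ||= ! ( CbrainFileList.find_accessible_by_user( i, self.user, :access_requested => :read ) rescue nil ).nil?` runs it only when needed. A one-line comment above it, saying that an entry which is itself a CbrainFileList only needs read access, would explain why this check is weaker than the one before it. The enclosing method starts and ends outside the hunk.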
@@ -463,14 +464,17 @@ class CbrainTask::<%= name %> < <%= (descriptor['custom'] || {})['cbrain:inherit # Get cbcsvs (note: we get files that end with cbcsv, but may not be of that class; the user is warned when this occurs, i.e. after_form fails) files = self.params[:interface_userfile_ids].map do |f| begin - Userfile.find_accessible_by_user( f, self.user, :access_requested => file_access ) + # for file list read access is enough + file = CbrainFileList.find_accessible_by_user( f, self.user, :access_requested => :read ) rescue nil + # for individual files or collections, write access is needed if tool may mutate inputs + file ||= Userfile.find_accessible_by_user( f, self.user, :access_requested => file_access ) rescue => e params_errors.add(<%= ":'#{single_file['id']}'" %>, "encountered an error trying to find file #{f}. Ensure the file exists and you can access it.") return "" end end cbcsvs = files.select(&:presence).map do |f| - Userfile.find_accessible_by_user( f, self.user, :access_requested => file_access ) + Userfile.find_accessible_by_user( f, self.user, :access_requested => :read ) end.select do |f| f.is_a?(CbrainFileList) || (f.suggested_file_type || Object) <= CbrainFileList end @@ -531,7 +535,7 @@ class CbrainTask::<%= name %> < <%= (descriptor['custom'] || {})['cbrain:inherit <%= "file_lists = [%s]" % file_lists.map { |f| ":'#{f['id']}'" }.join( ', ' ) %> return [] if files.nil? || files.length == 0 files.select { |f| self.params[f].present? && ! file_lists.include?(f) } # Prevent problems with file-type inputs with list=true - .map { |f| [f, Userfile.find_accessible_by_user(self.params[f], self.user, :access_requested => file_access)] } + .map { |f| [f, Userfile.find_accessible_by_user(self.params[f], self.user, :access_requested => :read)] } .select { |f| f[1].is_a?(CbrainFileList) || (f[1].suggested_file_type || Object) <= CbrainFileList } end 
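Review bot: In the -463 hunk the second pass, `cbcsvs = files.select(&:presence).map do |f| Userfile.find_accessible_by_user( f, ... :read )`, looks up again the records the first pass has already loaded and access-checked. It appears to pass a record where an id is expected; whether `find_accessible_by_user` accepts that is not visible here. The first pass now applies the right level per type (`:read` for lists, `file_access` otherwise), so the access decision is clearer in one place if the second lookup goes: `cbcsvs = files.compact.select do |f|`. The same list-first, file-second lookup is repeated in the -567 and -724 hunks, and a small private helper would keep the three copies from drifting apart.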
@@ -567,7 +571,8 @@ class CbrainTask::<%= name %> < <%= (descriptor['custom'] || {})['cbrain:inherit tsk end # Expand cbcsvs and generate tasks from them - f = Userfile.find_accessible_by_user( id, self.user, :access_requested => file_access ) + f = CbrainFileList.find_accessible_by_user( id, self.user, :access_requested => :read ) rescue nil + f ||= Userfile.find_accessible_by_user( id, self.user, :access_requested => file_access ) if f.is_a?( CbrainFileList ) ufiles = f.userfiles_accessible_by_user!( self.user, nil, nil, file_access ) # Skip files that are purposefully nil (e.g. given id 0 by the user) @@ -724,7 +729,8 @@ class CbrainTask::<%= name %> < <%= (descriptor['custom'] || {})['cbrain:inherit next value end - unless (file = Userfile.find_accessible_by_user(value, self.user, :access_requested => file_access) rescue nil) + unless (file = Userfile.find_accessible_by_user(value, self.user, :access_requested => file_access) rescue nil || + CbrainFileList.find_accessible_by_user(value, self.user, :access_requested => :read) rescue nil ) params_errors.add(name, ": cannot find userfile (ID #{value})") next value end
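Review bot: The condition added in the -724 hunk depends on operator precedence and is hard to audit as an access check. `||` binds tighter than the `rescue` modifier, so it reads as `file = (Userfile... rescue (nil || CbrainFileList...))` with the last `rescue nil` wrapping the whole assignment. It appears to give the intended result, but only incidentally, and it tries the lookups in the opposite order to the -567 hunk above. Writing it as separate statements makes the two access levels explicit: `file = (CbrainFileList.find_accessible_by_user(value, self.user, :access_requested => :read) rescue nil)`, then `file ||= (Userfile.find_accessible_by_user(value, self.user, :access_requested => file_access) rescue nil)`, then `unless file`. The enclosing block starts and ends outside the hunk.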