24 changes: 18 additions & 6 deletions laboratory/src/org/labkey/laboratory/LaboratoryController.java
Expand Up @@ -646,8 +646,9 @@ public String getResponse(ProcessAssayForm form, Map<String, Pair<File, String>>
throw new UploadException("No Assay Id Provided", HttpServletResponse.SC_BAD_REQUEST);
}

// getExpProtocol() is unscoped, so verify the protocol is in scope for this container before using it.
ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getLabkeyAssayId());
if (protocol == null)
if (protocol == null || !AssayService.get().getAssayProtocols(getContainer()).contains(protocol))
{
throw new UploadException("Unable to find assay protocol with Id: " + form.getLabkeyAssayId(), HttpServletResponse.SC_BAD_REQUEST);
}
Expand Down Expand Up @@ -935,8 +936,9 @@ public ApiResponse execute(SaveTemplateForm form, BindException errors) throws E
{
JSONObject json = new JSONObject(form.getJson());

// getExpProtocol() is unscoped, so verify the protocol is in scope for this container before saving a template against it.
ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getProtocolId());
if (protocol == null)
if (protocol == null || !AssayService.get().getAssayProtocols(getContainer()).contains(protocol))
{
errors.reject(ERROR_MSG, "Unknown assay: " + form.getProtocolId());
return null;
Expand Down Expand Up @@ -1062,8 +1064,9 @@ public void export(ProcessAssayForm form, HttpServletResponse response, BindExce
return;
}

// getExpProtocol() is unscoped, so verify the protocol is in scope for this container before generating a template against it.
ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getLabkeyAssayId());
if (protocol == null)
if (protocol == null || !AssayService.get().getAssayProtocols(getContainer()).contains(protocol))
{
throw new AbstractFileUploadAction.UploadException("Unable to find assay protocol with Id: " + form.getLabkeyAssayId(), HttpServletResponse.SC_BAD_REQUEST);
}
Expand Down Expand Up @@ -1513,8 +1516,9 @@ public ApiResponse execute(AssayImportHeadersForm form, BindException errors)
return new ApiSimpleResponse(results);
}

// getExpProtocol() is unscoped, so verify the protocol is in scope for this container before returning its import columns.
ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getProtocol());
if (protocol == null)
if (protocol == null || !AssayService.get().getAssayProtocols(getContainer()).contains(protocol))
{
errors.reject(ERROR_MSG, "Protocol not found: " + form.getProtocol());
return new ApiSimpleResponse(results);
Expand Down Expand Up @@ -1877,8 +1881,16 @@ public ApiResponse execute(ImportMethodsForm form, BindException errors)
List<ExpProtocol> protocols = new ArrayList<>();
if (form.getAssayId() != null)
{
protocols.add(ExperimentService.get().getExpProtocol(form.getAssayId()));
ap = AssayService.get().getProvider(protocols.get(0));
ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getAssayId());
// getExpProtocol() is unscoped, so verify the protocol is in scope before echoing its metadata; otherwise a user
// could enumerate arbitrary row ids and harvest assay names and container paths from folders they cannot read.
if (protocol == null || !AssayService.get().getAssayProtocols(getContainer()).contains(protocol))
{
errors.reject(ERROR_MSG, "Unknown assay: " + form.getAssayId());
return null;
}
protocols.add(protocol);
ap = AssayService.get().getProvider(protocol);
}
else if (form.getAssayType() != null)
{
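Review bot: The scope guard `protocol == null || !AssayService.get().getAssayProtocols(getContainer()).contains(protocol)` is copied verbatim into all five hunks (the first at `getResponse`, then `SaveTemplateForm`, `export`, `AssayImportHeadersForm` and `ImportMethodsForm`), which makes it easy for a sixth `getExpProtocol()` call site to miss the check; a single helper on the controller keeps the authorization decision in one place. The check also relies on `List.contains`, i.e. on `ExpProtocol.equals()`, to match the unscoped lookup result against the container's protocol list — if `ExpProtocol` compares by identity rather than row id this would reject valid protocols, so it is worth confirming against the class or comparing row ids explicitly in the helper. The enclosing action classes start and end outside the hunks, so the helper below is sketched as a static method on the controller that the inner actions can call as `isProtocolInScope(getContainer(), protocol)`.
```java
/**
 * Returns true only when {@code protocol} is non-null and is visible among the assay protocols of
 * {@code container}. {@link ExperimentService#getExpProtocol} is unscoped, so every action that takes a
 * protocol id from the request must pass its result through this check before using it.
 */
private static boolean isProtocolInScope(Container container, ExpProtocol protocol)
{
    return protocol != null && AssayService.get().getAssayProtocols(container).contains(protocol);
}

// … unchanged: each action then reads
//     if (!isProtocolInScope(getContainer(), protocol))
// in place of the repeated null-or-not-contained expression …
```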