[bot] Fast-forward for 26.3.14#7780
Merged
Merged
Conversation
#### Rationale Backport changes already in develop to help configure XML parsers consistently #### Changes - Configure parsers for security #### Tasks 📍 - [x] Claude Code Review - ~Manual Testing~ - ~Test Automation~
#### Rationale Small refactors to help introduce better container scoping checks for NAb actions. #### Related Pull Requests - #7747 - LabKey/commonAssays#1022 - LabKey/testAutomation#3042 --------- Co-authored-by: labkey-nicka <nickk@labkey.com> Co-authored-by: cnathe <cnathe@labkey.com>
#### Rationale Update TreatmentManager getStudyProductsDoseAndRoute / getDoseAndRoute / deleteStudyProduct filters to scope by container
#### Rationale We can improve our parameter validation #### Changes - New test coverage - Assorted scoping checks
#### Rationale In 26.3, modules need to be considered active in a container to process requests. #### Changes - Make it convenient to enable modules when creating containers in integration test - Enable Mothership module before sending it requests #### Tasks 📍 - [x] Claude Code Review - ~Manual Testing~ - [x] Test Automation
…7757) - Pass an explicit ContainerFilter.current(_list.getContainer(), user) to getAuditEvent - Add ListAuditProvider.auditEventMatchesList() - Add ListAuditProvider.TestCase
#### Rationale Previous scoping changes weren't correct given some important use cases for compability. #### Changes - Don't consider an import of a file to prevent moving it via WebDAV - Allow users with read access to the parent container to access the pipeline job status API via any container #### Tasks 📍 - [x] Claude Code Review - ~Manual Testing~ - [x] Test Automation
#### Rationale MothershipManager.updateSoftwareRelease performed a raw Table.update keyed only on the SoftwareRelease primary key, with no container filter, and reassigned the row's container to the caller's folder. Because the update form binds softwareReleaseId directly from the request and UpdateAction only checks UpdatePermission against the current folder, a user with update rights in one folder could edit — and re-home into their own folder — a SoftwareRelease owned by another folder. This scopes the update to the caller's container so only rows that already belong to that folder can be modified. #### Related Pull Requests - None #### Changes - Add a container-scoped MothershipManager.getSoftwareRelease(int, Container) lookup, mirroring the existing getExceptionStackTrace/getServerInstallation helpers. - Verify the target SoftwareRelease belongs to the caller's container in updateSoftwareRelease before updating; throw NotFoundException otherwise. - Fix an incidental NPE in BulkUpdateAction where updateExceptionStackTrace was invoked even when the container-scoped lookup returned null; the call now happens only inside the null check.
#### Rationale The fix for some scoping problems got committed with some overly verbose comments. To be merged when the queue is under less pressure. #### Changes - Edit the comments to be more relevant going forward
## Rationale The Assay DeleteAction is not used by our UI and is no longer needed. ## Related Pull Requests - <!-- list of links to related pull requests (replace this comment) --> ## Changes - Delete assay/actions/DeleteAction.java - Remove getDeleteDesignUrl from AssayUrls and AssayController ## Tasks 📍 - [x] Claude Code Review - [x] Manual Testing - [ ] ~Test Automation~ - [x] Verify Fix
Conflicts: announcements/src/org/labkey/announcements/AnnouncementsController.java announcements/src/org/labkey/announcements/ToursController.java announcements/src/org/labkey/announcements/announcementThread.jsp announcements/src/org/labkey/announcements/model/AnnouncementManager.java api/src/org/labkey/api/data/TableViewForm.java api/src/org/labkey/api/exp/api/ExperimentService.java api/src/org/labkey/api/util/XmlBeansUtil.java assay/api-src/org/labkey/api/assay/nab/view/MultiGraphAction.java core/src/org/labkey/core/CoreModule.java list/src/org/labkey/list/controllers/ListController.java list/src/org/labkey/list/model/ListAuditProvider.java study/src/org/labkey/study/StudyModule.java study/src/org/labkey/study/controllers/DatasetController.java study/src/org/labkey/study/model/ParticipantGroupManager.java studydesign/src/org/labkey/studydesign/StudyDesignModule.java
Conflicts: announcements/src/org/labkey/announcements/AnnouncementsController.java api/src/org/labkey/api/data/TableViewForm.java api/src/org/labkey/api/security/permissions/AbstractContainerScopingTest.java assay/src/org/labkey/assay/AssayController.java core/src/org/labkey/core/CoreController.java core/src/org/labkey/core/admin/AdminController.java mothership/src/org/labkey/mothership/MothershipController.java pipeline/src/org/labkey/pipeline/api/PipelineStatusManager.java query/src/org/labkey/query/QueryModule.java study/src/org/labkey/study/model/ParticipantGroupManager.java studydesign/src/org/labkey/studydesign/StudyDesignController.java studydesign/src/org/labkey/studydesign/StudyDesignModule.java studydesign/src/org/labkey/studydesign/model/TreatmentManager.java
labkey-tchad
approved these changes
Jun 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
11 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Generated automatically.
Approve all matching PRs simultaneously.
Approval will trigger automatic merge.
View all PRs: https://internal.labkey.com/Scrumtime/Backlog/harvest-gitOpenPullRequests.view?branch=26.3_ff_bot_26.3.14