Re: [PR] fix: private dataset can be set as downloadable [texera]

Sun, 17 Aug 2025 15:14:36 -0700 


Copilot commented on code in PR #3666:
URL: https://github.com/apache/texera/pull/3666#discussion_r2281039300


##########
core/file-service/src/main/scala/edu/uci/ics/texera/service/resource/DatasetResource.scala:
##########
@@ -1067,8 +1052,8 @@ class DatasetResource {
 
       // Retrieve dataset and check download permission
       val dataset = getDatasetByID(ctx, did)
-      // Non-owners can only download public and downloadable datasets
-      if (!userOwnDataset(ctx, did, uid) && (!dataset.getIsPublic || 
!dataset.getIsDownloadable)) {
+      // Non-owners can download if dataset is downloadable and they have read 
access
+      if (!userOwnDataset(ctx, did, uid) && !dataset.getIsDownloadable) {

Review Comment:
   The updated download permission check only validates if the dataset is 
downloadable but doesn't verify if the user has access to private datasets. 
This could allow unauthorized users to download private datasets if they're 
marked as downloadable. Consider adding access level validation for private 
datasets.



##########
core/file-service/src/main/scala/edu/uci/ics/texera/service/resource/DatasetResource.scala:
##########
@@ -1311,13 +1296,13 @@ class DatasetResource {
             val datasets = 
datasetDao.fetchByName(resolvedDatasetName).asScala.toList
             if (datasets.nonEmpty) {
               val dataset = datasets.head
-              // Non-owners can only download public and downloadable datasets
+              // Non-owners can download if dataset is downloadable and they 
have read access
               if (
                 !userOwnDataset(
                   ctx,
                   dataset.getDid,
                   uid
-                ) && (!dataset.getIsPublic || !dataset.getIsDownloadable)
+                ) && !dataset.getIsDownloadable
               ) {
                 throw new ForbiddenException("Dataset download is not allowed")

Review Comment:
   Similar to the previous issue, this download permission check for dataset 
file access doesn't validate user access levels for private datasets. This 
could allow unauthorized downloads of private dataset files if the dataset is 
marked as downloadable.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to