xuang7 commented on code in PR #4117:
URL: https://github.com/apache/texera/pull/4117#discussion_r2666494633
##########
file-service/src/main/scala/org/apache/texera/service/resource/DatasetResource.scala:
##########
@@ -1326,4 +1326,44 @@ class DatasetResource {
Right(response)
}
}
+
+ @POST
+ @RolesAllowed(Array("REGULAR", "ADMIN"))
+ @Path("/{did}/update/cover")
+ def updateDatasetCoverImage(
+ @PathParam("did") did: Integer,
+ coverImage: String,
+ @Auth sessionUser: SessionUser
+ ): Response = {
+ withTransaction(context) { ctx =>
+ val uid = sessionUser.getUid
+ val dataset = getDatasetByID(ctx, did)
+ if (!userHasWriteAccess(ctx, did, uid)) {
+ throw new ForbiddenException(ERR_USER_HAS_NO_ACCESS_TO_DATASET_MESSAGE)
+ }
+
+ val document = DocumentFactory
+ .openReadonlyDocument(
+ FileResolver.resolve(s"${getOwner(ctx,
did).getEmail}/${dataset.getName}/$coverImage")
+ )
+ .asInstanceOf[OnDataset]
+
+ val file = LakeFSStorageClient.getFileFromRepo(
+ document.getRepositoryName(),
+ document.getVersionHash(),
+ document.getFileRelativePath()
+ )
+ val coverSizeLimit = 10 * 1024 * 1024 // 10 MB
+
+ if (file.length() > coverSizeLimit) {
+ throw new BadRequestException(
+ s"Cover image must be less than ${coverSizeLimit / (1024 * 1024)} MB"
+ )
+ }
+
+ dataset.setCoverImage(coverImage)
+ new DatasetDao(ctx.configuration()).update(dataset)
+ Response.ok().build()
+ }
+ }
Review Comment:
fixed, including added test cases including: path traversal rejection,
absolute path rejection, invalid file type rejection, empty/null path
rejection, unauthorized user rejection, private dataset access checks, and
validateSafePath coverage.
##########
file-service/src/main/scala/org/apache/texera/service/resource/DatasetResource.scala:
##########
@@ -1326,4 +1326,44 @@ class DatasetResource {
Right(response)
}
}
+
+ @POST
+ @RolesAllowed(Array("REGULAR", "ADMIN"))
+ @Path("/{did}/update/cover")
+ def updateDatasetCoverImage(
+ @PathParam("did") did: Integer,
+ coverImage: String,
+ @Auth sessionUser: SessionUser
+ ): Response = {
+ withTransaction(context) { ctx =>
+ val uid = sessionUser.getUid
+ val dataset = getDatasetByID(ctx, did)
+ if (!userHasWriteAccess(ctx, did, uid)) {
+ throw new ForbiddenException(ERR_USER_HAS_NO_ACCESS_TO_DATASET_MESSAGE)
+ }
+
+ val document = DocumentFactory
+ .openReadonlyDocument(
+ FileResolver.resolve(s"${getOwner(ctx,
did).getEmail}/${dataset.getName}/$coverImage")
+ )
+ .asInstanceOf[OnDataset]
+
+ val file = LakeFSStorageClient.getFileFromRepo(
+ document.getRepositoryName(),
+ document.getVersionHash(),
+ document.getFileRelativePath()
+ )
+ val coverSizeLimit = 10 * 1024 * 1024 // 10 MB
+
+ if (file.length() > coverSizeLimit) {
+ throw new BadRequestException(
+ s"Cover image must be less than ${coverSizeLimit / (1024 * 1024)} MB"
+ )
+ }
+
+ dataset.setCoverImage(coverImage)
+ new DatasetDao(ctx.configuration()).update(dataset)
+ Response.ok().build()
+ }
+ }
Review Comment:
Fixed, including added test cases including: path traversal rejection,
absolute path rejection, invalid file type rejection, empty/null path
rejection, unauthorized user rejection, private dataset access checks, and
validateSafePath coverage.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
