Copilot commented on code in PR #5704:
URL: https://github.com/apache/texera/pull/5704#discussion_r3448008004
##########
amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowResource.scala:
##########
@@ -711,6 +717,73 @@ class WorkflowResource extends LazyLogging {
workflowDao.update(workflow)
}
+ /** Returns the workflow's cover image; 404 if none set. */
+ @GET
+ @RolesAllowed(Array("REGULAR", "ADMIN"))
+ @Path("/{wid}/cover")
+ def getCoverImage(@PathParam("wid") wid: Integer, @Auth user: SessionUser):
CoverImageRequest = {
+ if (!WorkflowAccessResource.hasReadAccess(wid, user.getUid)) {
+ throw new ForbiddenException(s"You do not have access to workflow $wid")
+ }
+ val image = context
+ .select(WORKFLOW_COVER_IMAGE.IMAGE)
+ .from(WORKFLOW_COVER_IMAGE)
+ .where(WORKFLOW_COVER_IMAGE.WID.eq(wid))
+ .fetchOne(WORKFLOW_COVER_IMAGE.IMAGE)
+ if (image == null) {
+ throw new NotFoundException(s"Workflow $wid has no cover image")
+ }
+ CoverImageRequest(image)
+ }
+
+ /** Sets or replaces the workflow's cover image. */
+ @PUT
+ @RolesAllowed(Array("REGULAR", "ADMIN"))
+ @Path("/{wid}/cover")
+ def setCoverImage(
+ @PathParam("wid") wid: Integer,
+ request: CoverImageRequest,
+ @Auth user: SessionUser
+ ): Unit = {
+ if (!WorkflowAccessResource.hasWriteAccess(wid, user.getUid)) {
+ throw new ForbiddenException(s"You do not have permission to modify
workflow $wid")
+ }
+ val image = Option(request.image).map(_.trim).getOrElse("")
Review Comment:
`setCoverImage` dereferences `request.image` without guarding against a null
request entity. If the client sends an empty body (or fails JSON
deserialization), Jersey can pass `null` for `request`, which will trigger a
NullPointerException instead of a 400.
##########
amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowResource.scala:
##########
@@ -711,6 +717,73 @@ class WorkflowResource extends LazyLogging {
workflowDao.update(workflow)
}
+ /** Returns the workflow's cover image; 404 if none set. */
+ @GET
+ @RolesAllowed(Array("REGULAR", "ADMIN"))
+ @Path("/{wid}/cover")
+ def getCoverImage(@PathParam("wid") wid: Integer, @Auth user: SessionUser):
CoverImageRequest = {
+ if (!WorkflowAccessResource.hasReadAccess(wid, user.getUid)) {
+ throw new ForbiddenException(s"You do not have access to workflow $wid")
+ }
+ val image = context
+ .select(WORKFLOW_COVER_IMAGE.IMAGE)
+ .from(WORKFLOW_COVER_IMAGE)
+ .where(WORKFLOW_COVER_IMAGE.WID.eq(wid))
+ .fetchOne(WORKFLOW_COVER_IMAGE.IMAGE)
+ if (image == null) {
+ throw new NotFoundException(s"Workflow $wid has no cover image")
+ }
+ CoverImageRequest(image)
+ }
+
+ /** Sets or replaces the workflow's cover image. */
+ @PUT
+ @RolesAllowed(Array("REGULAR", "ADMIN"))
+ @Path("/{wid}/cover")
+ def setCoverImage(
+ @PathParam("wid") wid: Integer,
+ request: CoverImageRequest,
+ @Auth user: SessionUser
+ ): Unit = {
+ if (!WorkflowAccessResource.hasWriteAccess(wid, user.getUid)) {
+ throw new ForbiddenException(s"You do not have permission to modify
workflow $wid")
+ }
+ val image = Option(request.image).map(_.trim).getOrElse("")
+ if (image.isEmpty) {
+ throw new BadRequestException("Cover image is required")
+ }
+ if (!image.startsWith("data:image/")) {
+ throw new BadRequestException("Cover image must be an image data URL")
+ }
Review Comment:
Validation currently permits any `data:image/*` URL. Since this value is
later rendered into an `<img src>`, it should at least reject SVG (and other
non-raster types) and require the base64 form. A small MIME allowlist reduces
stored-XSS surface while remaining compatible with common image uploads.
##########
common/workflow-operator/src/test/scala/org/apache/texera/amber/operator/huggingFace/codegen/ImageTaskCodegenSpec.scala:
##########
@@ -0,0 +1,214 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.texera.amber.operator.huggingFace.codegen
+
+import org.apache.texera.amber.pybuilder.PyStringTypes.EncodableString
+import org.scalatest.flatspec.AnyFlatSpec
+import org.scalatest.matchers.should.Matchers
+
+class ImageTaskCodegenSpec extends AnyFlatSpec with Matchers {
+
Review Comment:
This PR is titled/described as a dashboard workflow-card feature, but this
new spec file tests HuggingFace image task codegen and doesn't appear related
to workflow cover images. Consider moving it to a separate PR or updating the
PR description to explain why it's included here.
##########
frontend/src/app/dashboard/component/user/list-item/card-item/card-item.component.html:
##########
@@ -36,6 +36,39 @@
[(ngModel)]="entry.checked"
(ngModelChange)="onCheckboxChange(entry)"></label>
</div>
+ <!-- Cover-image controls -->
+ <div
+ class="card-image-controls"
+ *ngIf="canEditCover"
+ (click)="$event.stopPropagation()">
+ <button
+ nz-button
+ nzType="text"
+ class="image-control-btn"
+ title="Change cover image"
+ (click)="openImagePicker()">
+ <i
+ nz-icon
+ nzType="camera"></i>
+ </button>
+ <button
+ *ngIf="hasCustomImage"
+ nz-button
+ nzType="text"
+ class="image-control-btn"
+ title="Reset to default image"
+ (click)="resetImage()">
+ <i
+ nz-icon
+ nzType="rollback"></i>
+ </button>
Review Comment:
The cover-image icon-only buttons rely on `title`, which is not a reliable
accessible name for screen readers. Adding `aria-label` (and explicitly setting
`type="button"`) makes the controls accessible and avoids any unintended
form-submit behavior if this markup is ever placed inside a form.
##########
frontend/src/app/dashboard/component/user/list-item/card-item/card-item.component.scss:
##########
@@ -69,6 +69,36 @@
z-index: 10;
}
+// Cover-image controls, revealed on hover.
+.card-image-controls {
+ position: absolute;
+ bottom: 4px;
+ right: 4px;
+ z-index: 11;
+ display: flex;
+ gap: 4px;
+ opacity: 0;
+ transition: opacity 0.2s;
+}
+
+.card-item:hover .card-image-controls {
+ opacity: 1;
+}
Review Comment:
The cover controls are hidden via `opacity: 0` only. This leaves an
invisible element that can still intercept pointer/keyboard focus, creating a
dead zone on the card (and making the buttons focusable but not visible).
Consider disabling pointer events while hidden and also revealing on
`:focus-within` for keyboard accessibility.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
