This is an automated email from the ASF dual-hosted git repository.
xiaozhenliu pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/texera.git
The following commit(s) were added to refs/heads/main by this push:
new f07088bedb fix(backend): prevent workflow cloning when user revokes
own access (#4153)
f07088bedb is described below
commit f07088bedba56409268e52899feb4cdc2a391051
Author: Seongjin Yoon <[email protected]>
AuthorDate: Wed Jan 14 10:07:33 2026 -0800
fix(backend): prevent workflow cloning when user revokes own access (#4153)
<!--
Thanks for sending a pull request (PR)! Here are some tips for you:
1. If this is your first time, please read our contributor guidelines:
[Contributing to
Texera](https://github.com/apache/texera/blob/main/CONTRIBUTING.md)
2. Ensure you have added or run the appropriate tests for your PR
3. If the PR is work in progress, mark it a draft on GitHub.
4. Please write your PR title to summarize what this PR proposes, we
are following Conventional Commits style for PR titles as well.
5. Be sure to keep the PR description updated to reflect all changes.
-->
### What changes were proposed in this PR?
<!--
Please clarify what changes you are proposing. The purpose of this
section
is to outline the changes. Here are some tips for you:
1. If you propose a new API, clarify the use case for a new API.
2. If you fix a bug, you can clarify why it is a bug.
3. If it is a refactoring, clarify what has been changed.
3. It would be helpful to include a before-and-after comparison using
screenshots or GIFs.
4. Please consider writing useful notes for better and faster reviews.
-->
This PR fixes a bug where workflow were cloned when users revoked their
own access to a shared workflow while having it open in the workspace.
**Bug:**
When a user revoked their own access while editing a shared workflow,
the frontend's auto-persist would continue to save changes. The
backend's `persistWorkflow` method would receive these save requests
from a user who no longer has access, and create a new workflow.
**Changes Made:**
**Backend (`WorkflowResource.scala`):**
- Modified `persistWorkflow()` method to distinguish between:
- Creating a new workflow (workflow ID is null)
- Persisting an existing workflow without access (workflow ID is not
null)
**Frontend (`ShareAccessComponent`):**
- Added `verifyRevokeAccess()` method that shows a confirmation modal
before revoking access.
- Made `revokeAccess()` private and updated it to return a flag when
user revokes their own access.
**Frontend (`MenuComponent`):**
- Added redirect logic to navigate users to the workflows list page when
they revoke their own access while in the workspace.
**Frontend (`share-access.component.html`):**
- Updated delete button to call `verifyRevokeAccess()` instead of
`revokeAccess()` to trigger confirmation popup.
**Before:**
https://github.com/user-attachments/assets/35ef739c-40b7-461f-b0c6-01bc565d98dd
**After:**
https://github.com/user-attachments/assets/3945dc67-0a4f-477f-8f10-ca773bb9604e
### Any related issues, documentation, discussions?
<!--
Please use this section to link other resources if not mentioned
already.
1. If this PR fixes an issue, please include `Fixes #1234`, `Resolves
#1234`
or `Closes #1234`. If it is only related, simply mention the issue
number.
2. If there is design documentation, please add the link.
3. If there is a discussion in the mailing list, please add the link.
-->
None.
### How was this PR tested?
<!--
If tests were added, say they were added here. Or simply mention that if
the PR
is tested with existing test cases. Make sure to include/update test
cases that
check the changes thoroughly including negative and positive cases if
possible.
If it was tested in a way different from regular unit tests, please
clarify how
you tested step by step, ideally copy and paste-able, so that other
reviewers can
test and check, and descendants can verify in the future. If tests were
not added,
please describe why they were not added and/or why it was difficult to
add.
-->
Manually tested.
### Was this PR authored or co-authored using generative AI tooling?
<!--
If generative AI tooling has been used in the process of authoring this
PR,
please include the phrase: 'Generated-by: ' followed by the name of the
tool
and its version. If no, write 'No'.
Please refer to the [ASF Generative Tooling
Guidance](https://www.apache.org/legal/generative-tooling.html) for
details.
-->
No.
---------
Co-authored-by: Xiaozhen Liu <[email protected]>
---
.../dashboard/user/workflow/WorkflowResource.scala | 9 +++++-
.../user/share-access/share-access.component.html | 2 +-
.../user/share-access/share-access.component.ts | 32 ++++++++++++++++++++--
.../app/workspace/component/menu/menu.component.ts | 12 ++++++--
4 files changed, 49 insertions(+), 6 deletions(-)
diff --git
a/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowResource.scala
b/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowResource.scala
index 45ed49a23d..5cbb5bbdd8 100644
---
a/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowResource.scala
+++
b/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowResource.scala
@@ -431,7 +431,14 @@ class WorkflowResource extends LazyLogging {
workflowDao.update(workflow)
} else {
if (!WorkflowAccessResource.hasReadAccess(workflow.getWid, user.getUid))
{
- // not owner and no access record --> new record
+ // Check if this workflow exists in the database
+ val workflowExistsInDb =
+ workflow.getWid != null && workflowDao.existsById(workflow.getWid)
+ if (workflowExistsInDb) {
+ // User trying to persist an existing workflow without access -
reject
+ throw new ForbiddenException("No sufficient access privilege.")
+ }
+ // This is a new workflow being created (wid is null or doesn't exist
in DB)
workflow.setWid(null)
insertWorkflow(workflow, user)
WorkflowVersionResource.insertVersion(workflow, insertingNewWorkflow =
true)
diff --git
a/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
b/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
index f181ef839d..717c1cbc18 100644
---
a/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
+++
b/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
@@ -154,7 +154,7 @@
<nz-tag nzColor="blue">{{ entry.privilege }}</nz-tag> {{ entry.email }}
({{ entry.name }})
<button
[disabled]="!writeAccess && entry.email !== currentEmail"
- (click)="revokeAccess(entry.email)"
+ (click)="verifyRevokeAccess(entry.email)"
nz-button
nz-tooltip="revoke access"
nzSize="small"
diff --git
a/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts
b/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts
index 9b7e5be175..de7d83531f 100644
---
a/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts
+++
b/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts
@@ -190,7 +190,35 @@ export class ShareAccessComponent implements OnInit,
OnDestroy {
}
}
- public revokeAccess(userToRemove: string): void {
+ public verifyRevokeAccess(userToRemove: string): void {
+ const isRevokingOwnAccess = userToRemove ===
this.userService.getCurrentUser()?.email;
+ const modalTitle = isRevokingOwnAccess ? "Revoke Your Access" : "Revoke
Access";
+ const modalContent = isRevokingOwnAccess
+ ? `Are you sure you want to revoke your own access to this ${this.type}?
You will no longer be able to view or edit it.`
+ : `Are you sure you want to revoke ${userToRemove}'s access to this
${this.type}?`;
+
+ const modal: NzModalRef = this.modalService.create({
+ nzTitle: modalTitle,
+ nzContent: modalContent,
+ nzFooter: [
+ {
+ label: "Cancel",
+ onClick: () => modal.close(),
+ },
+ {
+ label: "Revoke",
+ type: "primary",
+ danger: true,
+ onClick: () => {
+ this.revokeAccess(userToRemove);
+ modal.close();
+ },
+ },
+ ],
+ });
+ }
+
+ private revokeAccess(userToRemove: string): void {
this.accessService
.revokeAccess(this.type, this.id, userToRemove)
.pipe(untilDestroyed(this))
@@ -198,7 +226,7 @@ export class ShareAccessComponent implements OnInit,
OnDestroy {
next: () => {
if (userToRemove == this.userService.getCurrentUser()?.email) {
this.shouldRefresh = true;
- this.modalRef.close();
+ this.modalRef.close({ userRevokedOwnAccess: true });
}
this.ngOnInit();
},
diff --git a/frontend/src/app/workspace/component/menu/menu.component.ts
b/frontend/src/app/workspace/component/menu/menu.component.ts
index e821bf3add..69ccfd48c6 100644
--- a/frontend/src/app/workspace/component/menu/menu.component.ts
+++ b/frontend/src/app/workspace/component/menu/menu.component.ts
@@ -19,6 +19,7 @@
import { DatePipe, Location } from "@angular/common";
import { Component, ElementRef, Input, OnDestroy, OnInit, ViewChild } from
"@angular/core";
+import { Router } from "@angular/router";
import { UserService } from "../../../common/service/user/user.service";
import {
DEFAULT_WORKFLOW_NAME,
@@ -141,7 +142,8 @@ export class MenuComponent implements OnInit, OnDestroy {
private reportGenerationService: ReportGenerationService,
private panelService: PanelService,
private computingUnitStatusService: ComputingUnitStatusService,
- protected config: GuiConfigService
+ protected config: GuiConfigService,
+ private router: Router
) {
workflowWebsocketService
.subscribeToEvent("ExecutionDurationUpdateEvent")
@@ -262,7 +264,7 @@ export class MenuComponent implements OnInit, OnDestroy {
}
public async onClickOpenShareAccess(): Promise<void> {
- this.modalService.create({
+ const modalRef = this.modalService.create({
nzContent: ShareAccessComponent,
nzData: {
writeAccess: this.writeAccess,
@@ -276,6 +278,12 @@ export class MenuComponent implements OnInit, OnDestroy {
nzCentered: true,
nzWidth: "800px",
});
+
+ modalRef.afterClose.pipe(untilDestroyed(this)).subscribe(result => {
+ if (result?.userRevokedOwnAccess) {
+ this.router.navigate([DASHBOARD_USER_WORKFLOW]);
+ }
+ });
}
// apply a behavior to the run button via bound variables
