Skip to content

fix(backend): prevent workflow cloning when user revokes own access #4153

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
seongjinyoon wants to merge 5 commits into
base: main
Choose a base branch
from
Open

fix(backend): prevent workflow cloning when user revokes own access #4153

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
3124cf7
fix revoke access to not clone workflow
seongjinyoon Jan 11, 2026
44afe56
Merge branch 'apache:main' into fix/revoke-own-access-clone-workflow
seongjinyoon Jan 12, 2026
7809add
Merge branch 'main' into fix/revoke-own-access-clone-workflow
seongjinyoon Jan 12, 2026
1b98a8c
check for both getWid and existsById
seongjinyoon Jan 13, 2026
1eb1818
Merge branch 'main' into fix/revoke-own-access-clone-workflow
Xiao-zhen-Liu Jan 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion .../main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowResource.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -431,7 +431,14 @@ class WorkflowResource extends LazyLogging {
workflowDao.update(workflow)
} else {
if (!WorkflowAccessResource.hasReadAccess(workflow.getWid, user.getUid)) {
// not owner and no access record --> new record
// Check if this workflow exists in the database
val workflowExistsInDb =
workflow.getWid != null && workflowDao.existsById(workflow.getWid)
if (workflowExistsInDb) {
// User trying to persist an existing workflow without access - reject
throw new ForbiddenException("No sufficient access privilege.")
}
// This is a new workflow being created (wid is null or doesn't exist in DB)
workflow.setWid(null)
insertWorkflow(workflow, user)
WorkflowVersionResource.insertVersion(workflow, insertingNewWorkflow = true)
Expand Down
2 changes: 1 addition & 1 deletion frontend/src/app/dashboard/component/user/share-access/share-access.component.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -154,7 +154,7 @@
<nz-tag nzColor="blue">{{ entry.privilege }}</nz-tag> {{ entry.email }} ({{ entry.name }})
<button
[disabled]="!writeAccess && entry.email !== currentEmail"
(click)="revokeAccess(entry.email)"
(click)="verifyRevokeAccess(entry.email)"
nz-button
nz-tooltip="revoke access"
nzSize="small"
Expand Down
32 changes: 30 additions & 2 deletions frontend/src/app/dashboard/component/user/share-access/share-access.component.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -190,15 +190,43 @@ export class ShareAccessComponent implements OnInit, OnDestroy {
}
}

public revokeAccess(userToRemove: string): void {
public verifyRevokeAccess(userToRemove: string): void {
const isRevokingOwnAccess = userToRemove === this.userService.getCurrentUser()?.email;
const modalTitle = isRevokingOwnAccess ? "Revoke Your Access" : "Revoke Access";
const modalContent = isRevokingOwnAccess
? `Are you sure you want to revoke your own access to this ${this.type}? You will no longer be able to view or edit it.`
: `Are you sure you want to revoke ${userToRemove}'s access to this ${this.type}?`;

const modal: NzModalRef = this.modalService.create({
nzTitle: modalTitle,
nzContent: modalContent,
nzFooter: [
{
label: "Cancel",
onClick: () => modal.close(),
},
{
label: "Revoke",
type: "primary",
danger: true,
onClick: () => {
this.revokeAccess(userToRemove);
modal.close();
},
},
],
});
}

private revokeAccess(userToRemove: string): void {
this.accessService
.revokeAccess(this.type, this.id, userToRemove)
.pipe(untilDestroyed(this))
.subscribe({
next: () => {
if (userToRemove == this.userService.getCurrentUser()?.email) {
this.shouldRefresh = true;
this.modalRef.close();
this.modalRef.close({ userRevokedOwnAccess: true });
}
this.ngOnInit();
},
Expand Down
12 changes: 10 additions & 2 deletions frontend/src/app/workspace/component/menu/menu.component.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@

import { DatePipe, Location } from "@angular/common";
import { Component, ElementRef, Input, OnDestroy, OnInit, ViewChild } from "@angular/core";
import { Router } from "@angular/router";
import { UserService } from "../../../common/service/user/user.service";
import {
DEFAULT_WORKFLOW_NAME,
Expand Down Expand Up @@ -141,7 +142,8 @@ export class MenuComponent implements OnInit, OnDestroy {
private reportGenerationService: ReportGenerationService,
private panelService: PanelService,
private computingUnitStatusService: ComputingUnitStatusService,
protected config: GuiConfigService
protected config: GuiConfigService,
private router: Router
) {
workflowWebsocketService
.subscribeToEvent("ExecutionDurationUpdateEvent")
Expand Down Expand Up @@ -262,7 +264,7 @@ export class MenuComponent implements OnInit, OnDestroy {
}

public async onClickOpenShareAccess(): Promise<void> {
this.modalService.create({
const modalRef = this.modalService.create({
nzContent: ShareAccessComponent,
nzData: {
writeAccess: this.writeAccess,
Expand All @@ -276,6 +278,12 @@ export class MenuComponent implements OnInit, OnDestroy {
nzCentered: true,
nzWidth: "800px",
});

modalRef.afterClose.pipe(untilDestroyed(this)).subscribe(result => {
if (result?.userRevokedOwnAccess) {
this.router.navigate([DASHBOARD_USER_WORKFLOW]);
}
});
}

// apply a behavior to the run button via bound variables
Expand Down
Loading