Add a Targeted MS Guest Access setting to require a login for guests during heavy bot traffic#1259
Open
vagisha wants to merge 3 commits into
Open
Add a Targeted MS Guest Access setting to require a login for guests during heavy bot traffic#1259vagisha wants to merge 3 commits into
vagisha wants to merge 3 commits into
Conversation
… access for targetedms actions targeted by bots. * New admin-console page (GuestAccessSettingsAction) with a master switch, off by default, plus per-action checkboxes that require a login for guests on the targetedms pages commonly targeted by anonymous bots, so guest users can be sent to login during a traffic spike. * Gated showProtein, showPeptide, showMolecule, showCalibrationCurve (on by default), showPrecursorList, and four chart-image endpoints such as precursorChromatogramChart (off by default). * Stored on the root container and audited on change, link shown only when panoramapublic module is enabled. * Added a new TargetedMSGuestAccessTest. Co-Authored-By: Claude <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Adds a site-admin controllable “Targeted MS Guest Access” feature that can temporarily require authentication for selected TargetedMS endpoints frequently targeted by bots/crawlers, while keeping normal guest browsing unchanged when the master switch is off.
Changes:
- Introduces a new site-admin settings UI (JSP + controller action) to toggle a master “require login” switch and per-action restrictions.
- Implements guest-gating in several targetedms detail and chart-image endpoints (inline login view for HTML pages; redirect for image endpoints).
- Adds Selenium coverage validating the toggle behavior, endpoint differences (HTML vs chart), and regression for an always-login page.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| test/src/org/labkey/test/tests/targetedms/TargetedMSGuestAccessTest.java | New Selenium test covering the guest-access master/per-action gating behavior. |
| src/org/labkey/targetedms/view/guestAccessSettings.jsp | New admin-console JSP for configuring the guest-access restrictions. |
| src/org/labkey/targetedms/TargetedMSModule.java | Adds an Admin Console link to the new settings page when panoramapublic is available. |
| src/org/labkey/targetedms/TargetedMSController.java | Adds the settings action/model and applies guest gating to selected actions/endpoints. |
| src/org/labkey/targetedms/GuestAccessManager.java | New site-property backed manager for persisting and evaluating guest restriction settings. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
* Gated showPrecursorList and showCalibrationCurves in getView so the login requirement covers their export/print URLs, not just the HTML page * Renamed the showCalibrationCurve key to showCalibrationCurves to match the endpoint, and null-guarded the settings form binding to avoid a NPE * Set a page title on the guest login-gate path for showPeptide/showMolecule (addNavTrail crumb was inside the _run guard), which the test framework requires * Reported the enforced action set (not the saved checkboxes) in the audit entry when the master switch is off * Extended the test: export-URL gate coverage, a real chart rendered from a live precursorChromInfoId, and snapshot/restore of the site-wide settings in setup/cleanup; fixed a Javadoc typo Co-Authored-By: Claude <noreply@anthropic.com>
- Gate ShowCalibrationCurveAction (the single-curve page bots hit), not the ShowCalibrationCurvesAction list. It gates in validate() to skip building the curve, and addNavTrail always adds a crumb so the login-gate path has a title. - RestrictableAction is now keyed by action class: actions gate via getClass() (forClass lookup), and the settings-page label comes from the registered action name, so a renamed action keeps working. Stored keys (enum name()) are unchanged. - TargetedMSGuestAccessTest sets the master switch off explicitly in step 1, and restores the site-wide settings in @after so it runs under clean=false. Co-Authored-By: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Rationale
During heavy bot or crawler traffic against public folders on PanoramaWeb, the following actions are among the top targets:
This work adds a site-admin controlled setting (displayed on a server with the panoramapublic module) that can require a login for guests on those pages, so an anonymous crawler is sent to the login page. The setting is off by default, so normal public browsing is unchanged. It is meant to be turned on only when a bot attack is ongoing. This would be a better alternative to turning off guest access altogether.
Related Pull Requests
Changes
GuestAccessSettingsAction) with a master switch that is off by default plus one checkbox per action that can be restricted.showProtein,showPeptide,showMolecule, andshowCalibrationCurve.showPrecursorListand four chart-image endpoints (showPeakAreas,showRetentionTimesChart,precursorChromatogramChart,groupChromatogramChart).panoramapublicmodule is available on a server.Co-Authored-By: Claude noreply@anthropic.com