Skip to content

Add a Targeted MS Guest Access setting to require a login for guests during heavy bot traffic#1259

Open
vagisha wants to merge 3 commits into
release26.3-SNAPSHOTfrom
26.3_fb_targetedms-require-login-toggle
Open

Add a Targeted MS Guest Access setting to require a login for guests during heavy bot traffic#1259
vagisha wants to merge 3 commits into
release26.3-SNAPSHOTfrom
26.3_fb_targetedms-require-login-toggle

Conversation

@vagisha

@vagisha vagisha commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Rationale

During heavy bot or crawler traffic against public folders on PanoramaWeb, the following actions are among the top targets:

  • targetedms-showProtein.view
  • targetedms-showPeptide.view
  • targetedms-showCalibrationCurve.view

This work adds a site-admin controlled setting (displayed on a server with the panoramapublic module) that can require a login for guests on those pages, so an anonymous crawler is sent to the login page. The setting is off by default, so normal public browsing is unchanged. It is meant to be turned on only when a bot attack is ongoing. This would be a better alternative to turning off guest access altogether.

Related Pull Requests

Changes

  • Added a site-admin console page "Targeted MS Guest Access" (GuestAccessSettingsAction) with a master switch that is off by default plus one checkbox per action that can be restricted.
  • The actions checked by default are: showProtein, showPeptide, showMolecule, and showCalibrationCurve.
  • The following actions are offered but off by default: showPrecursorList and four chart-image endpoints (showPeakAreas, showRetentionTimesChart, precursorChromatogramChart, groupChromatogramChart).
  • Detail pages show the inline login view to a blocked guest. The chart-image endpoints cannot return that HTML, so they redirect a blocked guest to the login page.
  • Settings are stored as site properties on the root container, and a change is recorded in the site-settings audit log.
  • The admin-console link appears only when the panoramapublic module is available on a server.
  • Added a Selenium test, TargetedMSGuestAccessTest, covering the detail pages, a chart endpoint, per-action independence, and confirming that pages already restricted to guests (e.g. the precursor all-chromatograms page) stay blocked whether the toggle is on or off.

Co-Authored-By: Claude noreply@anthropic.com

… access for targetedms actions targeted by bots.

* New admin-console page (GuestAccessSettingsAction) with a master switch, off by default, plus per-action checkboxes that require a login for guests on the  targetedms pages commonly targeted by anonymous bots, so guest users can be sent to login during a traffic spike.
* Gated showProtein, showPeptide, showMolecule, showCalibrationCurve (on by default), showPrecursorList, and four chart-image endpoints such as precursorChromatogramChart (off by default).
* Stored on the root container and audited on change, link shown only when panoramapublic module is enabled.
* Added a new TargetedMSGuestAccessTest.

Co-Authored-By: Claude <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a site-admin controllable “Targeted MS Guest Access” feature that can temporarily require authentication for selected TargetedMS endpoints frequently targeted by bots/crawlers, while keeping normal guest browsing unchanged when the master switch is off.

Changes:

  • Introduces a new site-admin settings UI (JSP + controller action) to toggle a master “require login” switch and per-action restrictions.
  • Implements guest-gating in several targetedms detail and chart-image endpoints (inline login view for HTML pages; redirect for image endpoints).
  • Adds Selenium coverage validating the toggle behavior, endpoint differences (HTML vs chart), and regression for an always-login page.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
test/src/org/labkey/test/tests/targetedms/TargetedMSGuestAccessTest.java New Selenium test covering the guest-access master/per-action gating behavior.
src/org/labkey/targetedms/view/guestAccessSettings.jsp New admin-console JSP for configuring the guest-access restrictions.
src/org/labkey/targetedms/TargetedMSModule.java Adds an Admin Console link to the new settings page when panoramapublic is available.
src/org/labkey/targetedms/TargetedMSController.java Adds the settings action/model and applies guest gating to selected actions/endpoints.
src/org/labkey/targetedms/GuestAccessManager.java New site-property backed manager for persisting and evaluating guest restriction settings.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/org/labkey/targetedms/TargetedMSController.java
Comment thread src/org/labkey/targetedms/GuestAccessManager.java Outdated
Comment thread test/src/org/labkey/test/tests/targetedms/TargetedMSGuestAccessTest.java Outdated
Comment thread src/org/labkey/targetedms/GuestAccessManager.java Outdated
vagisha and others added 2 commits July 11, 2026 20:46
* Gated showPrecursorList and showCalibrationCurves in getView so the login requirement covers their export/print URLs, not just the HTML page
* Renamed the showCalibrationCurve key to showCalibrationCurves to match the endpoint, and null-guarded the settings form binding to avoid a NPE
* Set a page title on the guest login-gate path for showPeptide/showMolecule (addNavTrail crumb was inside the _run guard), which the test framework requires
* Reported the enforced action set (not the saved checkboxes) in the audit entry when the master switch is off
* Extended the test: export-URL gate coverage, a real chart rendered from a live precursorChromInfoId, and snapshot/restore of the site-wide settings in setup/cleanup; fixed a Javadoc typo

Co-Authored-By: Claude <noreply@anthropic.com>
- Gate ShowCalibrationCurveAction (the single-curve page bots hit), not the
  ShowCalibrationCurvesAction list. It gates in validate() to skip building the
  curve, and addNavTrail always adds a crumb so the login-gate path has a title.
- RestrictableAction is now keyed by action class: actions gate via getClass()
  (forClass lookup), and the settings-page label comes from the registered action
  name, so a renamed action keeps working. Stored keys (enum name()) are unchanged.
- TargetedMSGuestAccessTest sets the master switch off explicitly in step 1, and
  restores the site-wide settings in @after so it runs under clean=false.

Co-Authored-By: Claude <noreply@anthropic.com>
@vagisha vagisha marked this pull request as ready for review July 12, 2026 21:13
@vagisha vagisha requested a review from labkey-jeckels July 13, 2026 04:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants