This is an automated email from the ASF dual-hosted git repository.

yasithdev pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airavata-portals.git


The following commit(s) were added to refs/heads/main by this push:
     new 6e59bd3fa fix(portal): default is_gateway_admin under pure-token auth (Track D) (#162)
6e59bd3fa is described below

commit 6e59bd3fa9fb9cc70f70c90b0b982cf921fe1394
Author: Yasith Jayawardana <[email protected]>
AuthorDate: Mon Jun 8 18:40:59 2026 -0400

    fix(portal): default is_gateway_admin under pure-token auth (Track D) (#162)
    
    Pure-token auth skips the session-based gateway_groups_middleware that set
    request.is_gateway_admin / is_read_only_gateway_admin, so serializers reading
    them (app modules, app interfaces, gateway resource profiles, user profiles)
    would raise AttributeError once a request returns data. Default them to
    non-admin in KeycloakTokenAuthentication (on both the DRF Request and the
    underlying HttpRequest).
    
    Real admin derivation (gRPC compute.get_gateway_groups +
    sharing.gm_get_all_groups_user_belongs, cached) is deferred until there is an
    admin gateway user to validate the group/field shapes against — same lesson as
    the sharing permission_type: don't ship unvalidated proto-field assumptions.
---
 .../django_airavata/apps/auth/token_authentication.py         | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git 
a/airavata-django-portal/django_airavata/apps/auth/token_authentication.py 
b/airavata-django-portal/django_airavata/apps/auth/token_authentication.py
index 33c285396..cb5811be7 100644
--- a/airavata-django-portal/django_airavata/apps/auth/token_authentication.py
+++ b/airavata-django-portal/django_airavata/apps/auth/token_authentication.py
@@ -89,6 +89,17 @@ class 
KeycloakTokenAuthentication(authentication.BaseAuthentication):
         if hasattr(request, '_request'):
             request._request.authz_token = authz_token
             request._request.user = user
+        # Several serializers read request.is_gateway_admin (it was set by the
+        # session-based gateway_groups_middleware, which pure-token auth 
skips).
+        # Default to non-admin so those serializers don't crash. TODO (D5): 
derive
+        # real admin status from gRPC — compute.get_gateway_groups() +
+        # sharing.gm_get_all_groups_user_belongs(username) — once there is an 
admin
+        # gateway user to validate the group/field shapes against, and cache 
it.
+        request.is_gateway_admin = False
+        request.is_read_only_gateway_admin = False
+        if hasattr(request, '_request'):
+            request._request.is_gateway_admin = False
+            request._request.is_read_only_gateway_admin = False
         return (user, token)
 
     def authenticate_header(self, request):
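Review bot: the two new `request._request.*` assignments sit under a second `if hasattr(request, '_request'):` that duplicates the check a few lines above; fold `request._request.is_gateway_admin = False` and `request._request.is_read_only_gateway_admin = False` into the existing block that already sets `authz_token` and `user`, so the DRF Request and HttpRequest attributes are kept in sync in one place. Defaulting both flags to False is the fail-closed choice, but it means a token-authenticated caller who really is a gateway admin is treated as non-admin by every serializer and permission check that reads these attributes until the TODO (D5) gRPC derivation lands; that limitation should be stated for API clients, and the TODO should carry a tracking reference rather than living only in this comment. It is also worth confirming that these two flags are the only attributes the session-based gateway_groups_middleware provides that token-auth code paths read, since the fix covers just the ones named in the commit message.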
