From 7fecaf491ac7faf408ba0aae22feaac3205c6dd9 Mon Sep 17 00:00:00 2001 From: claude Date: Wed, 10 Jun 2026 08:20:46 +0000 Subject: [PATCH] compile: allow python package install for all users who can access the project Previously userCanInstallPython used ignorePublicAccess: true, which blocked token-link users (not-yet-joined) and logged-in readers of public projects from installing packages. This caused Quarto presentations with Python cells to fail for shared read-only users even when the required packages were already listed in requirements.vrf. The security model is: what gets installed is fully controlled by requirements.vrf, which is only writable by members with write access. There is therefore no security reason to block other readers from triggering installation of already-approved packages. Drop ignorePublicAccess so all users with any privilege level (direct, token-based, or public-project) can trigger the venv install. Co-Authored-By: Claude Sonnet 4.6 --- .../web/app/src/Features/Compile/PythonVenvGate.mjs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/services/web/app/src/Features/Compile/PythonVenvGate.mjs b/services/web/app/src/Features/Compile/PythonVenvGate.mjs index fb890ef28b..206098d0c4 100644 --- a/services/web/app/src/Features/Compile/PythonVenvGate.mjs +++ b/services/web/app/src/Features/Compile/PythonVenvGate.mjs @@ -4,10 +4,11 @@ import AuthorizationManager from '../Authorization/AuthorizationManager.mjs' // Whether this user may have the compiler install a project's requirements.txt // into a cached venv (so Quarto's Python cells can use libraries beyond the -// bundled base set). Gated to the project owner + invited collaborators (any -// role): ignorePublicAccess excludes link-sharing/public and anonymous users, -// who fall back to the base Python interpreter. Returns false when the feature -// is disabled or the privilege check fails. +// bundled base set). Allowed for any user who can access the project — owner, +// invited collaborators, token-link users, and public-project readers — since +// the set of packages to install is already controlled by requirements.vrf +// (writable only by project members with write access). Returns false when the +// feature is disabled, the privilege check fails, or the user has no access. export async function userCanInstallPython(userId, projectId) { if (!Settings.enableProjectPythonVenv) { return false @@ -17,8 +18,7 @@ export async function userCanInstallPython(userId, projectId) { await AuthorizationManager.promises.getPrivilegeLevelForProject( userId, projectId, - null, - { ignorePublicAccess: true } + null ) return Boolean(privilegeLevel) } catch (err) {