alois/Verso
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

compile: allow python package install for all users who can access the project
Build and Deploy Verso / deploy (push) Successful in 9m23s
Details

Browse Source 
Previously userCanInstallPython used ignorePublicAccess: true, which
blocked token-link users (not-yet-joined) and logged-in readers of public
projects from installing packages. This caused Quarto presentations with
Python cells to fail for shared read-only users even when the required
packages were already listed in requirements.vrf.

The security model is: what gets installed is fully controlled by
requirements.vrf, which is only writable by members with write access.
There is therefore no security reason to block other readers from
triggering installation of already-approved packages.

Drop ignorePublicAccess so all users with any privilege level (direct,
token-based, or public-project) can trigger the venv install.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
claude
2026-06-10 08:20:46 +00:00
parent 9c7a10aa39
commit 7fecaf491a
1 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
services/web/app/src/Features/Compile/PythonVenvGate.mjs
+6 -6
View File
@@ -4,10 +4,11 @@ import AuthorizationManager from '../Authorization/AuthorizationManager.mjs'
// Whether this user may have the compiler install a project's requirements.txt
// into a cached venv (so Quarto's Python cells can use libraries beyond the
// bundled base set). Gated to the project owner + invited collaborators (any
// role): ignorePublicAccess excludes link-sharing/public and anonymous users,
// who fall back to the base Python interpreter. Returns false when the feature
// is disabled or the privilege check fails.
// bundled base set). Allowed for any user who can access the project owner,
// invited collaborators, token-link users, and public-project readers — since
// the set of packages to install is already controlled by requirements.vrf
// (writable only by project members with write access). Returns false when the
// feature is disabled, the privilege check fails, or the user has no access.
export async function userCanInstallPython(userId, projectId) {
if (!Settings.enableProjectPythonVenv) {
return false
@@ -17,8 +18,7 @@ export async function userCanInstallPython(userId, projectId) {
await AuthorizationManager.promises.getPrivilegeLevelForProject(
userId,
projectId,
null,
{ ignorePublicAccess: true }
null
)
return Boolean(privilegeLevel)
} catch (err) {