Projects with an access policy won't display `gsutil` command

Question

Projects with an access policy won't display `gsutil` command

briangow opened this issue 5 months ago · comments

Thanks to @elfeto for pointing out this issue. Projects that are attached to a GCP bucket and have an access policy won't display the gsutil command for downloading the files. Here is some relevant code:

       {% if is_authorized %}
        {% if project.allow_file_downloads %}
          {% if project.access_policy == AccessPolicy.CONTRIBUTOR_REVIEW %}
          {% endif %}
          {% if project.access_policy %}
            {% if project.compressed_storage_size %}
            {% endif %}
          {% else %}
            {% if project.gcp %}
              {% if project.gcp.sent_zip %}
              {% elif project.compressed_storage_size %}
              {% endif %}
              {% if project.gcp.sent_files %}
              {% endif %}
            {% elif project.compressed_storage_size %}
            {% endif %}
          {% endif %}

The

          {% else %}
            {% if project.gcp %}

won't get run since the project has an access_policy.

It will eventually go to: {% include "project/published_project_data_access.html" %} , which will always show:

         {% if project.gcp and project.gcp.sent_files %}
            <li><a href="{% url 'published_project_request_access' project.slug project.version 3 %}">Request access</a> to the files using the <a href="[https://console.cloud.google.com/storage/browser/{{](https://console.cloud.google.com/storage/browser/%7B%7B) project.gcp.bucket_name }}/">Google Cloud Storage Browser</a>. Login with a Google account is required.</li>
        {% endif %}

bemoody · Answer 1 · Fri Mar 08 2024 01:16:42 GMT+0800 (China Standard Time)

As far as I know, we don't have a local database of who has permission to access restricted Google Cloud buckets. The only way to know who has access is to ask Google.

If you visit one of those restricted projects, you should see something that says "click here to request access to the Google Cloud bucket", and if you click that link, it should add you to the access list, and then send you instructions by email.

There are a lot of problems with this, but this is where we are currently.

Brian Gow · Answer 2 · Tue Mar 12 2024 04:02:59 GMT+0800 (China Standard Time)

If you visit one of those restricted projects, you should see something that says "click here to request access to the Google Cloud bucket", and if you click that link, it should add you to the access list, and then send you instructions by email.

@bemoody , I believe the part you mention is working as expected. However, once the user is added to the access list and they return to the project page they will still see something like this "Request access to the files using the Google Cloud Storage Browser. Login with a Google account is required." as if they weren't added. However, if they click on the Google Cloud Storage Bucket link at this point they will be shown the files in the bucket.

Of course, we expect a different message with a gsutil command to be shown after the user is added to the access list.

bemoody · Answer 3 · Tue Mar 12 2024 22:34:36 GMT+0800 (China Standard Time)

Sorry, I replied in a hurry and should have been more clear.

Of course, we expect a different message with a gsutil command to be shown after the user is added to the access list.

I agree that would be preferable. But since we don't keep a copy of the access list, we have no idea whether the current user is on the access list or not. So we have never supported what you're describing.