eugenegujing opened a new issue, #6427:
URL: https://github.com/apache/texera/issues/6427
### What happened?
When an authenticated user WITHOUT write access on a dataset calls the
sharing endpoints — `PUT /api/access/dataset/grant/{did}/{email}/{privilege}`
or `DELETE /api/access/dataset/revoke/{did}/{email}` — the request fails with
**500 Internal Server Error** and a bare `RuntimeException`, and the intended
permission message ("You do not have permission to modify dataset {did}") is
lost. Expected: **403 Forbidden** with that message.
Root cause:
`file-service/src/main/scala/org/apache/texera/service/resource/DatasetAccessResource.scala`
line 42 imports `javax.ws.rs.ForbiddenException`, but file-service runs on the
jakarta stack (Dropwizard 4 / Jersey 3) and has no javax JAX-RS implementation.
The javax classes are only present as API-only jars pulled in transitively by
the LakeFS SDK, which is why the wrong import compiles, but constructing the
javax exception needs a real implementation at runtime, so the constructor
itself throws a bare `RuntimeException: ClassNotFoundException` and the
`ForbiddenException` is never created. That RuntimeException is the 500. Access
control still holds (the unauthorized grant/revoke does not execute); only the
status code and error message are wrong.
### How to reproduce?
Found while writing unit test coverage for `DatasetAccessResource`. The
deny-path tests were written to assert the documented behavior and failed on
the first run:
1. Set up a private dataset owned by user A and a second user B with no
access (users and dataset inserted via the jOOQ DAOs into the embedded test
database).
2. Call `new DatasetAccessResource().grantAccess(did, emailOfB, "READ",
sessionUserOfB)` and assert it throws `ForbiddenException`.
3. The test fails: instead of `ForbiddenException`, the call throws a bare
`java.lang.RuntimeException: java.lang.ClassNotFoundException:
com.sun.ws.rs.ext.RuntimeDelegateImpl` — the javax `ForbiddenException`
constructor blows up before the exception is even created. The same happens for
`revokeAccess` with a non-writer session, and for a READ-only grantee calling
`grantAccess`.
### Version/Branch
1.3.0-incubating-SNAPSHOT (main)
### Commit Hash (Optional)
_No response_
### What browsers are you seeing the problem on?
_No response_
### Relevant log output
```shell
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]