Codecov Report

❌ Patch coverage is 96.77419% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 95.17%. Comparing base (be81937) to head (e0afa19).
⚠️ Report is 1 commits behind head on main.

@@           Coverage Diff           @@
##             main    #1398   +/-   ##
=======================================
  Coverage   95.16%   95.17%           
=======================================
  Files          43       43           
  Lines        3080     3107   +27     
=======================================
+ Hits         2931     2957   +26     
- Misses        149      150    +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

When running a plan with an unexpected instrument session, eg cm12345-2 I'm getting an error from blueapi that appears to come from tiled. Is the local compose environment using a service account or still relying on user authorisation?

Error: server error with this message: 403: Access policy rejects the provided access blob.
Permission denied not able to add the node http://localhost:8407/api/v1/metadata/

Running plans seems to work ok but I'm getting a 500 Internal Server Error when trying to access tiled through its docs UI.

Not sure if it's a bug on our side or theirs but from the tiled logs it's coming from the dls.py module

[...]
tiled-1  |   File "/app/lib/python3.12/site-packages/tiled/server/router.py", line 329, in search
tiled-1  |     entry = await get_entry(
tiled-1  |             ^^^^^^^^^^^^^^^^
tiled-1  |   File "/app/lib/python3.12/site-packages/tiled/server/dependencies.py", line 49, in get_entry
tiled-1  |     entry = await filter_for_access(
tiled-1  |             ^^^^^^^^^^^^^^^^^^^^^^^^
tiled-1  |   File "/app/lib/python3.12/site-packages/tiled/server/utils.py", line 104, in filter_for_access
tiled-1  |     await access_policy.allowed_scopes(
tiled-1  |   File "/app/lib/python3.12/site-packages/tiled/access_control/access_policies.py", line 562, in allowed_scopes
tiled-1  |     self.build_input(
tiled-1  |   File "/deploy/config/dls.py", line 101, in build_input
tiled-1  |     principal.type is PrincipalType.external
tiled-1  |     ^^^^^^^^^^^^^^
tiled-1  | AttributeError: 'NoneType' object has no attribute 'type'

Try going to localhost:4181 for tiled authenticated access

When running a plan with an unexpected instrument session, eg cm12345-2 I'm getting an error from blueapi that appears to come from tiled. Is the local compose environment using a service account or still relying on user authorisation?

Error: server error with this message: 403: Access policy rejects the provided access blob.
Permission denied not able to add the node http://localhost:8407/api/v1/metadata/

The service account only has permission for proposal 1 so this looks correct to me

Try going to localhost:4181 for tiled authenticated access

Sure but I'd expect a 401/403 rather than a 500

The service account only has permission for proposal 1 so this looks correct to me

I think I've misunderstood the premise here. I thought the service account could write anything.

The service account can only write data for a particular beamline or particular proposal or some sessions and these permissions can set here
If we give a beamline permission to write to anything they can potential delete stuff from any beamline as well that is why I have taken this approach.

The 500 error , I has been fixed

Create issue for the security vulnerability #1412