Frontend spams backend API when exploring unauthorized API #11160

Open
Aiosa opened this issue Nov 4, 2024 · 3 comments

Comments

@Aiosa

Aiosa commented Nov 4, 2024

When you have a weird situation in the settings of your cbioportal authorization such that you are able to see studies in the list which you are then prevented from viewing (for whatever reason), and you:

  • select a study you are not permitted to view
  • click 'Explore selected studies'

The frontend scripts start DoSsing backend with queries to https://cbioportal.wsi-vault.bbmri-eric.eu/api/session/settings/fetch (roughly 50-60 requests / second, looks 'ugly close' enough to FPS).

[image]
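The report above describes a client that keeps re-requesting an endpoint it will never be allowed to read. The following is an added example, not cbioportal's own code, of a fetch wrapper with the two rules that prevent that pattern: authorization failures (401/403) are terminal and the endpoint is remembered as denied for the session, while only transient failures (network errors, 5xx) are retried, with exponential backoff and a hard cap on attempts. The path `/api/session/settings/fetch` is taken from the issue; the option names, the `scriptedFetch` helper and the denial cache are assumptions for illustration.

```javascript
// Added example (not cbioportal's code): a client-side fetch policy that stops
// a UI from hammering an endpoint it is not authorized to read.
//  1. 401/403 are terminal: never retried, and the URL is remembered as denied
//     so repeated re-renders short-circuit instead of re-requesting it.
//  2. Network errors and 5xx retry with exponential backoff, capped at maxAttempts.
// Option names and the scriptedFetch helper are assumed, not cbioportal APIs.

const TERMINAL_STATUSES = new Set([400, 404]); // no point retrying these either
const deniedEndpoints = new Set(); // URLs that returned 401/403 this session

function resetDeniedEndpoints() {
  deniedEndpoints.clear(); // call after a successful re-login
}

function backoffDelay(baseDelayMs, attempt) {
  // attempt 1 -> base, 2 -> 2*base, 3 -> 4*base, ...
  return baseDelayMs * 2 ** (attempt - 1);
}

async function fetchWithPolicy(url, options = {}) {
  const {
    fetchImpl = globalThis.fetch,
    maxAttempts = 4,
    baseDelayMs = 250,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
    init = {},
  } = options;

  if (deniedEndpoints.has(url)) {
    // Already denied this session: do not touch the network again.
    return { ok: false, status: 403, attempts: 0, reason: 'cached-denial' };
  }

  for (let attempt = 1; ; attempt++) {
    let response;
    try {
      response = await fetchImpl(url, init);
    } catch (err) {
      // Network-level failure: transient, retry with backoff until exhausted.
      if (attempt >= maxAttempts) return { ok: false, status: 0, attempts: attempt, reason: 'network' };
      await sleep(backoffDelay(baseDelayMs, attempt));
      continue;
    }
    if (response.ok) {
      return { ok: true, status: response.status, attempts: attempt, body: await response.json() };
    }
    if (response.status === 401 || response.status === 403) {
      deniedEndpoints.add(url);
      return { ok: false, status: response.status, attempts: attempt, reason: 'unauthorized' };
    }
    if (TERMINAL_STATUSES.has(response.status)) {
      return { ok: false, status: response.status, attempts: attempt, reason: 'terminal' };
    }
    if (attempt >= maxAttempts) {
      return { ok: false, status: response.status, attempts: attempt, reason: 'exhausted' };
    }
    await sleep(backoffDelay(baseDelayMs, attempt));
  }
}

// Scripted fake fetch for offline demos: each entry is a status code or the
// string 'network-error'; the last entry repeats once the script runs out.
function scriptedFetch(script) {
  let i = 0;
  return async () => {
    const step = script[Math.min(i++, script.length - 1)];
    if (step === 'network-error') throw new TypeError('failed to fetch');
    return { ok: step >= 200 && step < 300, status: step, json: async () => ({ step }) };
  };
}
```

In a real UI the call site also needs to stop re-rendering on a failed result (render an error state rather than re-issuing the fetch on every frame); the denial cache makes such a loop harmless to the backend even if that is missed.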


Aiosa commented Nov 4, 2024

When importing two studies (out of 2), both had this issue - authentication ON, study available in view, unable to open because of:

  • first study: probably a bug in the API (crash on study that has no data for gene panel)
  • second study: probably a bug in the authorization logic (still investigating)

100% success, if you thought this was 'just some corner case' situation. Also do not forget that anyone can just create a given URL without going through the UI.
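Since, as the comment above notes, a client can hit the URL without going through the UI, the backend side cannot rely on a fixed frontend alone. The following is an added example, not cbioportal's code, of the server-side check an operator would want: a small detector run over constructed access-log lines that counts requests per (client, path) within each one-second bucket and reports buckets above a threshold, the same signal a per-client rate limit or an alert would key on. The combined-log-like line format, the client addresses and the threshold are assumptions; the path is the one from the issue.

```javascript
// Added example (not cbioportal's code): flag per-client request bursts in a
// web-server access log. The line format is assumed to be combined-log-like:
//   <client> - - [<dd/Mon/yyyy:HH:MM:SS +zzzz>] "<method> <path> <proto>" <status> ...
// Because the timestamp carries second granularity, grouping on the raw
// timestamp string buckets requests per second without date parsing.

const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null; // unparseable lines are skipped, not counted
  return { client: m[1], timestamp: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Returns one record per (client, path, second) whose request count exceeds
// `threshold`, with the set of status codes seen in that burst.
function findBursts(lines, { threshold = 20 } = {}) {
  const counts = new Map();
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue;
    const key = `${rec.client}|${rec.path}|${rec.timestamp}`;
    const entry = counts.get(key) || { client: rec.client, path: rec.path, second: rec.timestamp, count: 0, statuses: new Set() };
    entry.count += 1;
    entry.statuses.add(rec.status);
    counts.set(key, entry);
  }
  return [...counts.values()]
    .filter((e) => e.count > threshold)
    .map((e) => ({ ...e, statuses: [...e.statuses].sort((a, b) => a - b) }));
}

// Constructed sample log (not captured from any real deployment): one client
// issues 55 forbidden requests to the same path within one second, a second
// client makes three normal requests, and one line is garbage.
function sampleLog() {
  const mk = (client, ts, path, status) =>
    `${client} - - [${ts}] "GET ${path} HTTP/1.1" ${status} 0 "-" "Mozilla/5.0"`;
  const lines = [];
  for (let i = 0; i < 55; i++) {
    lines.push(mk('10.0.0.5', '04/Nov/2024:10:15:32 +0000', '/api/session/settings/fetch', 403));
  }
  for (let i = 0; i < 3; i++) {
    lines.push(mk('10.0.0.6', '04/Nov/2024:10:15:32 +0000', '/api/studies', 200));
  }
  lines.push(mk('10.0.0.5', '04/Nov/2024:10:15:33 +0000', '/api/session/settings/fetch', 403));
  lines.push('this line does not match the log format');
  return lines;
}

// Stand-alone run: print any bursts found in the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(findBursts(sampleLog()));
}
```

A burst of identical 403 responses from one client is exactly the shape the issue describes; a limiter that returns 429 per client on that signal protects the backend whether the source is a looping frontend or a scripted client.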

@TheMarvelFan commented

Hi,

What's the latest on this issue?


Aiosa commented Nov 14, 2024

Do you mean version? It is self-compiled 6.0.17-7-g631429dbb8-dirty. I was doing experiments with authorization. I did not find out why the second case showed a study in the option list (it was PUBLIC group, cbio configured to treat this name as public studies), but this issue might be due to my non-standard deployment. It vanished without trace. Maybe it was connected to how I started uploading studies to the fresh instance: I did not bother importing any test data, I started with my own studies right from the beginning. The first study import kind of supports this idea since it imported perfectly, but since it had no gene-panel data, the attempt to view the study crashed the REST API. When I allowed empty query (image), the same issue happened - UI spamming backend.
[image]
