From a2e6ba8a61c64606c3f1d5fde1f651e1ecfd9d3e Mon Sep 17 00:00:00 2001
From: labkey-jeckels
Date: Fri, 23 Jan 2026 09:53:30 -0800
Subject: [PATCH 1/4] Require a login to protect public folders against aggressive bots hitting this page on very large documents
---
 src/org/labkey/targetedms/TargetedMSController.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/org/labkey/targetedms/TargetedMSController.java b/src/org/labkey/targetedms/TargetedMSController.java
index a376752e8..b018c76a6 100644
--- a/src/org/labkey/targetedms/TargetedMSController.java
+++ b/src/org/labkey/targetedms/TargetedMSController.java
@@ -4398,6 +4398,7 @@ public ModelAndView getHtmlView(final RunDetailsForm form, BindException errors)
 public abstract String getDataRegionNameSmallMolecule();
 }
+ @RequiresLogin // Require a login to protect public folders against aggressive bots hitting this page on very large documents
 @RequiresPermission(ReadPermission.class)
 public class ShowTransitionListAction extends ShowRunSplitDetailsAction
 {
From d27ad51614b2f1ac5c8c162a741a2b80253d12f0 Mon Sep 17 00:00:00 2001
From: vagisha
Date: Tue, 27 Jan 2026 07:43:53 -0800
Subject: [PATCH 2/4] Require login for PrecursorAllChromatogramsChartAction and MoleculePrecursorAllChromatogramsChartAction
---
 src/org/labkey/targetedms/TargetedMSController.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/org/labkey/targetedms/TargetedMSController.java b/src/org/labkey/targetedms/TargetedMSController.java
index b018c76a6..973854a2e 100644
--- a/src/org/labkey/targetedms/TargetedMSController.java
+++ b/src/org/labkey/targetedms/TargetedMSController.java
@@ -2217,6 +2217,7 @@ else if (MoleculeManager.getMolecule(getContainer(), gmChromInfo.getGeneralMolec
 }
+ @RequiresLogin
 @RequiresPermission(ReadPermission.class)
 public class PrecursorAllChromatogramsChartAction extends SimpleViewAction
 {
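Review bot: The login gate lands on ShowTransitionListAction only, so any other subclass of ShowRunSplitDetailsAction that lists a comparably large document stays reachable by anonymous clients in public folders; it is worth checking each sibling action for the same load profile. The trailing comment also reads as if the annotation were an access-control decision, so I would put it on its own line above the annotation and say what it is, e.g. `// Load protection for public folders, not authorization: ReadPermission still decides who may read the data`. The class body continues outside the hunk.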
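Review bot: `@RequiresLogin` on PrecursorAllChromatogramsChartAction (and on MoleculePrecursorAllChromatogramsChartAction in the next hunk) gates the page, but not necessarily the requests that render the individual charts. If those charts are served by separate actions, the load this annotation is meant to stop can still arrive on those endpoints, so the same gate or a per-client limit belongs there as well. None of those actions are visible in this patch, so this needs confirming against the controller. The class body continues outside the hunk.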
@@ -2351,6 +2352,7 @@ private void pageToSelectedChromatogram(ChromatogramForm form, ChromatogramsData
 // No match found so no need to redirect
 }
+ @RequiresLogin
 @RequiresPermission(ReadPermission.class)
 public class MoleculePrecursorAllChromatogramsChartAction extends SimpleViewAction
 {
From 3fe8a0d4bf4788edd1999177b393c9c57036fc34 Mon Sep 17 00:00:00 2001
From: vagisha
Date: Tue, 27 Jan 2026 09:33:43 -0800
Subject: [PATCH 3/4] Comments
---
 src/org/labkey/targetedms/TargetedMSController.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/org/labkey/targetedms/TargetedMSController.java b/src/org/labkey/targetedms/TargetedMSController.java
index 973854a2e..d2a4239f3 100644
--- a/src/org/labkey/targetedms/TargetedMSController.java
+++ b/src/org/labkey/targetedms/TargetedMSController.java
@@ -2217,7 +2217,7 @@ else if (MoleculeManager.getMolecule(getContainer(), gmChromInfo.getGeneralMolec
 }
- @RequiresLogin
+ @RequiresLogin // Require a login to protect public folders against aggressive bots hitting this page on very large documents
 @RequiresPermission(ReadPermission.class)
 public class PrecursorAllChromatogramsChartAction extends SimpleViewAction
 {
@@ -2352,7 +2352,7 @@ private void pageToSelectedChromatogram(ChromatogramForm form, ChromatogramsData
 // No match found so no need to redirect
 }
- @RequiresLogin
+ @RequiresLogin // Require a login to protect public folders against aggressive bots hitting this page on very large documents
 @RequiresPermission(ReadPermission.class)
 public class MoleculePrecursorAllChromatogramsChartAction extends SimpleViewAction
 {
From 1c660bc61ee61b304ba6e90061a3b2781b3ff2b1 Mon Sep 17 00:00:00 2001
From: vagisha Date: Wed, 28 Jan 2026 10:38:14 -0800 Subject: [PATCH 4/4] - Replaced @RequiresLogin with a custom view - Cap guest users at 50 rows in the chromatograms grid --- .../targetedms/TargetedMSController.java | 37 +++++++++++++++++-- .../query/ChromatogramGridQuerySettings.java | 11 +++++- 2 files changed, 44 insertions(+), 4 deletions(-) diff --git a/src/org/labkey/targetedms/TargetedMSController.java b/src/org/labkey/targetedms/TargetedMSController.java index d2a4239f3..123f4498b 100644 --- a/src/org/labkey/targetedms/TargetedMSController.java +++ b/src/org/labkey/targetedms/TargetedMSController.java @@ -134,6 +134,7 @@ import org.labkey.api.reports.report.ReportDescriptor; import org.labkey.api.security.ActionNames; import org.labkey.api.security.Group; +import org.labkey.api.security.LoginUrls; import org.labkey.api.security.RequiresLogin; import org.labkey.api.security.RequiresPermission; import org.labkey.api.security.SecurityManager; @@ -2217,7 +2218,6 @@ else if (MoleculeManager.getMolecule(getContainer(), gmChromInfo.getGeneralMolec } - @RequiresLogin // Require a login to protect public folders against aggressive bots hitting this page on very large documents @RequiresPermission(ReadPermission.class) public class PrecursorAllChromatogramsChartAction extends SimpleViewAction { @@ -2228,6 +2228,12 @@ public class PrecursorAllChromatogramsChartAction extends SimpleViewAction { @@ -2363,6 +2368,12 @@ public class MoleculePrecursorAllChromatogramsChartAction extends SimpleViewActi @Override public ModelAndView getView(ChromatogramForm form, BindException errors) { + if (getViewContext().getUser().isGuest()) + { + // Require a login to protect public folders against aggressive bots hitting this page on very large documents + return TargetedMSController.getLoginView(getViewContext(), getContainer()); + } + long precursorId = form.getId(); _precursor = MoleculePrecursorManager.getPrecursor(getContainer(), precursorId, getUser()); if (_precursor == null) 
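Review bot: The early return for guests in MoleculePrecursorAllChromatogramsChartAction.getView happens before `_precursor` is assigned, so anything that runs after getView and reads that field sees null on the guest path. addNavTrail is not visible in this hunk; if it dereferences `_precursor` or other fields set later in getView, a guest would get an error page instead of the login prompt, so confirm it is null-safe. The same check applies to the guard this commit presumably adds to PrecursorAllChromatogramsChartAction, whose hunk is truncated on this page. As a smaller point, the guard can read `getUser().isGuest()`, since the statement two lines below already calls `getUser()`. getView continues outside the hunk.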
@@ -4400,10 +4411,18 @@ public ModelAndView getHtmlView(final RunDetailsForm form, BindException errors)
 public abstract String getDataRegionNameSmallMolecule();
 }
- @RequiresLogin // Require a login to protect public folders against aggressive bots hitting this page on very large documents
 @RequiresPermission(ReadPermission.class)
 public class ShowTransitionListAction extends ShowRunSplitDetailsAction
 {
+ @Override
+ public ModelAndView getHtmlView(final RunDetailsForm form, BindException errors) throws Exception
+ {
+ return getViewContext().getUser().isGuest()
+ // Require a login to protect public folders against aggressive bots hitting this page on very large documents
+ ? TargetedMSController.getLoginView(getViewContext(), getContainer())
+ : super.getHtmlView(form, errors);
+ }
+
 @Override
 protected DocumentTransitionsView createQueryView(RunDetailsForm form, BindException errors, boolean forExport, String dataRegion)
 {
@@ -4439,6 +4458,18 @@ public String getDataRegionNameSmallMolecule()
 }
 }
+ @NotNull
+ private static HtmlView getLoginView(ViewContext context, Container container)
+ {
+ return new HtmlView(DOM.createHtmlFragment(
+ DOM.DIV(cl("alert alert-info"),
+ "Please ",
+ DOM.A(at(style, "font-weight: bold;",
+ href, PageFlowUtil.urlProvider(LoginUrls.class).getLoginURL(container, context.getActionURL())),
+ "login"),
+ " to view this data")));
+ }
+
 @RequiresPermission(ReadPermission.class)
 public class ShowPrecursorListAction extends ShowRunSplitDetailsAction
 {
diff --git a/src/org/labkey/targetedms/query/ChromatogramGridQuerySettings.java b/src/org/labkey/targetedms/query/ChromatogramGridQuerySettings.java
index 20f374d6a..3f7d3f778 100644
--- a/src/org/labkey/targetedms/query/ChromatogramGridQuerySettings.java
+++ b/src/org/labkey/targetedms/query/ChromatogramGridQuerySettings.java
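Review bot: The guest check now lives only in getHtmlView, but createQueryView directly below takes a `forExport` flag, which suggests this action also serves export requests that never pass through getHtmlView. With the class-level `@RequiresLogin` removed, those paths would again accept anonymous requests on the same large documents, and an export is likely at least as costly as the HTML grid. Either repeat the guest check where the export view is built or move it to an entry point that every request to this action passes through. The base class is not visible here, so confirm which methods the export path actually calls; createQueryView's body continues outside the hunk.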
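Review bot: getLoginView returns an ordinary HtmlView, so a guest request presumably still completes with a success status and the full page template, where `@RequiresLogin` would have handed the client to the login flow. Automated clients that ignore page content then get no signal to back off, and access logs can no longer tell refused guest hits from served pages by status alone; consider setting an unauthorized status on the response, or at least logging the refusal. The helper also needs a Javadoc comment stating that it is load protection for public folders and not an authorization check, since ReadPermission remains the control that decides who may read the data. The link text should be the verb, `"log in"`.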
@@ -27,11 +27,13 @@
 public class ChromatogramGridQuerySettings extends QuerySettings
 {
 private int _maxRowSize;
+ private static final int DEFAULT_ROWS = 10;
+ private static final int MAX_ROWS_FOR_GUESTS = 50;
 public ChromatogramGridQuerySettings(ViewContext context, String dataRegionName, boolean replicateChromatogramsGrouped)
 {
 super(dataRegionName);
- setMaxRows(10);
+ setMaxRows(DEFAULT_ROWS);
 // On the peptide / molecule details page all the chromatograms from a replicate are displayed together. These are
 // the total precursor ion chromatogram and the fragment ion chromatograms from all the peptide / molecule precursors
 // In this case we set the default row size to 1 so that each row displays the chromatograms from a single replicate.
@@ -46,6 +48,13 @@ public ChromatogramGridQuerySettings(ViewContext context, String dataRegionName,
 public void init(ViewContext context)
 {
 super.init(context);
+
+ if (context.getUser().isGuest())
+ {
+ // Multiple chart rendering requests are triggered per row. Cap guest users at 50 rows to prevent bot abuse on large documents
+ setMaxRows(Math.min(MAX_ROWS_FOR_GUESTS, getMaxRows()));
+ }
+
 String param = _getParameter("maxRowSize");
 if (param != null)
 {
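Review bot: `Math.min(MAX_ROWS_FOR_GUESTS, getMaxRows())` in init only caps positive values: if `getMaxRows()` can hold a negative sentinel meaning "all rows" once `super.init(context)` has read the request, the minimum keeps the sentinel and the guest cap is skipped. QuerySettings is not visible here, so confirm how an all-rows request is represented; if it is a negative value, write the guard as `if (getMaxRows() < 0 || getMaxRows() > MAX_ROWS_FOR_GUESTS) setMaxRows(MAX_ROWS_FOR_GUESTS);`. The `maxRowSize` parameter read just below appears to control how many charts are drawn per row and is parsed outside the hunk, so check that it is bounded for guests as well, otherwise the row cap alone does not bound the number of rendering requests.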