LabKey · vagisha · Jan 28, 2026 · Jan 23, 2026 · Jan 27, 2026 · Jan 27, 2026
diff --git a/src/org/labkey/targetedms/TargetedMSController.java b/src/org/labkey/targetedms/TargetedMSController.java
@@ -134,6 +134,7 @@
 import org.labkey.api.reports.report.ReportDescriptor;
 import org.labkey.api.security.ActionNames;
 import org.labkey.api.security.Group;
+import org.labkey.api.security.LoginUrls;
 import org.labkey.api.security.RequiresLogin;
 import org.labkey.api.security.RequiresPermission;
 import org.labkey.api.security.SecurityManager;
@@ -2227,6 +2228,12 @@ public class PrecursorAllChromatogramsChartAction extends SimpleViewAction<Chrom
         @Override
         public ModelAndView getView(ChromatogramForm form, BindException errors)
         {
+            if (getViewContext().getUser().isGuest())
+            {
+                // Require a login to protect public folders against aggressive bots hitting this page on very large documents
+                return TargetedMSController.getLoginView(getViewContext(), getContainer());
+            }
+
             long precursorId = form.getId();
             _precursor = PrecursorManager.getPrecursor(getContainer(), precursorId, getUser());
             if (_precursor == null)
@@ -2361,6 +2368,12 @@ public class MoleculePrecursorAllChromatogramsChartAction extends SimpleViewActi
         @Override
         public ModelAndView getView(ChromatogramForm form, BindException errors)
         {
+            if (getViewContext().getUser().isGuest())
+            {
+                // Require a login to protect public folders against aggressive bots hitting this page on very large documents
+                return TargetedMSController.getLoginView(getViewContext(), getContainer());
+            }
+
             long precursorId = form.getId();
             _precursor = MoleculePrecursorManager.getPrecursor(getContainer(), precursorId, getUser());
             if (_precursor == null)
@@ -4401,6 +4414,15 @@ public ModelAndView getHtmlView(final RunDetailsForm form, BindException errors)
     @RequiresPermission(ReadPermission.class)
     public class ShowTransitionListAction extends ShowRunSplitDetailsAction<DocumentTransitionsView>
     {
+        @Override
+        public ModelAndView getHtmlView(final RunDetailsForm form, BindException errors) throws Exception
+        {
+            return getViewContext().getUser().isGuest()
+                    // Require a login to protect public folders against aggressive bots hitting this page on very large documents
+                    ? TargetedMSController.getLoginView(getViewContext(), getContainer())
+                    : super.getHtmlView(form, errors);
+        }
+
         @Override
         protected DocumentTransitionsView createQueryView(RunDetailsForm form, BindException errors, boolean forExport, String dataRegion)
         {
@@ -4436,6 +4458,18 @@ public String getDataRegionNameSmallMolecule()
         }
     }
 
+    @NotNull
+    private static HtmlView getLoginView(ViewContext context, Container container)
+    {
+        return new HtmlView(DOM.createHtmlFragment(
+                DOM.DIV(cl("alert alert-info"),
+                        "Please ",
+                        DOM.A(at(style, "font-weight: bold;",
+                                 href, PageFlowUtil.urlProvider(LoginUrls.class).getLoginURL(container, context.getActionURL())),
+                                "login"),
+                        " to view this data")));
+    }
+
     @RequiresPermission(ReadPermission.class)
     public class ShowPrecursorListAction extends ShowRunSplitDetailsAction<DocumentPrecursorsView>
     {

diff --git a/src/org/labkey/targetedms/query/ChromatogramGridQuerySettings.java b/src/org/labkey/targetedms/query/ChromatogramGridQuerySettings.java
@@ -27,11 +27,13 @@
 public class ChromatogramGridQuerySettings extends QuerySettings
 {
     private int _maxRowSize;
+    private static final int DEFAULT_ROWS = 10;
+    private static final int MAX_ROWS_FOR_GUESTS = 50;
 
     public ChromatogramGridQuerySettings(ViewContext context, String dataRegionName, boolean replicateChromatogramsGrouped)
     {
         super(dataRegionName);
-        setMaxRows(10);
+        setMaxRows(DEFAULT_ROWS);
         // On the peptide / molecule details page all the chromatograms from a replicate are displayed together. These are
         // the total precursor ion chromatogram and the fragment ion chromatograms from all the peptide / molecule precursors
         // In this case we set the default row size to 1 so that each row displays the chromatograms from a single replicate.
@@ -46,6 +48,13 @@ public ChromatogramGridQuerySettings(ViewContext context, String dataRegionName,
     public void init(ViewContext context)
     {
         super.init(context);
+
+        if (context.getUser().isGuest())
+        {
+            // Multiple chart rendering requests are triggered per row. Cap guest users at 50 rows to prevent bot abuse on large documents
+            setMaxRows(Math.min(MAX_ROWS_FOR_GUESTS, getMaxRows()));
+        }
+
         String param = _getParameter("maxRowSize");
         if (param != null)
         {