label-studio fix: Allow token-based authentication for local-files

fix: Allow token-based authentication for local-files

Open skyl4b opened this issue 10 months ago • 9 comments

PR fulfills these requirements

[x] Commit message(s) and PR title follows the format [fix|feat|ci|chore|doc]: TICKET-ID: Short description of change made ex. fix: DEV-XXXX: Removed inconsistent code usage causing intermittent errors
[ ] Tests for the changes have been added/updated (for bug fixes/features)
[ ] Docs have been added/updated (for bug fixes/features)
[ ] Best efforts were made to ensure docs/code are concise and coherent (checked for spelling/grammatical errors, commented out code, debug logs etc.)
[x] Self-reviewed and ran all changes on a local instance (for bug fixes/features)

Change has impacts in these area(s)

(check all that apply)

[ ] Product design
[ ] Backend (Database)
[x] Backend (API)
[ ] Frontend

Describe the reason for change

As noted in issue #4095 and #2320, a “403 Forbidden” response is received upon a GET request for an image synched with the local-files cloud storage, even with an access token. This behavior differs from data upload directly through the interface.

What does this fix?

This change fixes the issue described, allowing for token-based authentication for images in the local-files cloud storage using the “api_view” decorator, limited to only GET based requests.

Does this change affect security?

Hopefully, this change doesn't affect Label Studio's security any more than allowing the GET requests described authenticated through tokens, however I'm not very familiar with Django and the REST API, therefore I'm not 100% sure there are no side effects.