Spaces:

ai4data
/

data-use-annotation

Sleeping

rafmacalaba commited on 20 days ago

Commit

0880d65

1 Parent(s): b5036c8

fix: block document access for users not in annotator_config

Previously getUserAssignedDocs returned null when user wasn't found,
which the caller treated as 'no filter, show all docs'. Now returns
empty {} which correctly results in zero visible documents.

Files changed (1) hide show

app/api/documents/route.js +7 -6

app/api/documents/route.js CHANGED Viewed

@@ -3,8 +3,9 @@ import yaml from 'js-yaml';
 /**
  * Fetch annotator_config.yaml and return the doc list for a given user.
- * Returns null if no config or user not found (show all docs).
- * Now returns per-corpus assignments: { wbg: Set([1,2]), unhcr: Set([3,4]) }
  */
 async function getUserAssignedDocs(username) {
     if (!username) return null;
@@ -15,13 +16,13 @@ async function getUserAssignedDocs(username) {
             headers: { 'Authorization': `Bearer ${process.env.HF_TOKEN}` },
             cache: 'no-store'
         });
-        if (!res.ok) return null;
         const text = await res.text();
         const config = yaml.load(text);
         const annotator = (config.annotators || []).find(a => a.username === username);
-        if (!annotator || !annotator.docs) return null;
         // Support both old format (flat array) and new format (per-corpus object)
         if (Array.isArray(annotator.docs)) {
@@ -36,10 +37,10 @@ async function getUserAssignedDocs(username) {
                 result[corpusId] = new Set(docList);
             }
         }
-        return Object.keys(result).length > 0 ? result : null;
     } catch (e) {
         console.warn('Could not load annotator_config.yaml:', e.message);
-        return null;
     }
 }

 /**
  * Fetch annotator_config.yaml and return the doc list for a given user.
+ * Returns null only if no username is provided (unauthenticated).
+ * Returns empty {} if user is not in config (sees no docs).
+ * Returns per-corpus assignments: { wbg: Set([1,2]), unhcr: Set([3,4]) }
  */
 async function getUserAssignedDocs(username) {
     if (!username) return null;
             headers: { 'Authorization': `Bearer ${process.env.HF_TOKEN}` },
             cache: 'no-store'
         });
+        if (!res.ok) return {}; // config missing — block access
         const text = await res.text();
         const config = yaml.load(text);
         const annotator = (config.annotators || []).find(a => a.username === username);
+        if (!annotator || !annotator.docs) return {}; // user not in config — no docs
         // Support both old format (flat array) and new format (per-corpus object)
         if (Array.isArray(annotator.docs)) {
                 result[corpusId] = new Set(docList);
             }
         }
+        return result; // may be empty {} if user has no corpus assignments
     } catch (e) {
         console.warn('Could not load annotator_config.yaml:', e.message);
+        return {}; // on error, block access rather than show all
     }
 }