From 384938d98c64b8893901f2d6f6159e004fb7e49c Mon Sep 17 00:00:00 2001 From: David Manthey Date: Wed, 23 Nov 2022 08:31:39 -0500 Subject: [PATCH] Complete specifying token scopes. --- CHANGELOG.md | 2 +- .../rest/large_image_resource.py | 26 +++++++++---------- girder/girder_large_image/rest/tiles.py | 7 ++--- 3 files changed, 18 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a26266d41..0df946726 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ - Better control dtype on multi sources ([#993](../../pull/993)) - Don't use dask threads when using nd2 to fetch tiles ([#994](../../pull/994)) - Set mime type for imported girder files ([#995](../../pull/995)) -- Specify token scopes for girder endpoint ([#999](../../pull/999)) +- Specify token scopes for girder endpoints ([#999](../../pull/999), [#1000](../../pull/1000)) ### Bug Fixes - Use open.read rather than download to access files in Girder ([#989](../../pull/989)) diff --git a/girder/girder_large_image/rest/large_image_resource.py b/girder/girder_large_image/rest/large_image_resource.py index edf1c7cfd..8c70eb868 100644 --- a/girder/girder_large_image/rest/large_image_resource.py +++ b/girder/girder_large_image/rest/large_image_resource.py @@ -242,7 +242,7 @@ def __init__(self): @describeRoute( Description('Clear tile source caches to release resources and file handles.') ) - @access.admin + @access.admin(scope=TokenScope.DATA_WRITE) def cacheClear(self, params): before = cache_util.cachesInfo() cache_util.cachesClear() @@ -257,7 +257,7 @@ def cacheClear(self, params): @describeRoute( Description('Get information on caches.') ) - @access.admin + @access.admin(scope=TokenScope.DATA_READ) def cacheInfo(self, params): return cache_util.cachesInfo() 
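Review bot: Passing `scope=TokenScope.DATA_WRITE` to `@access.admin` on cacheClear changes which tokens are accepted rather than who may call it, and nothing at the decorator says so. As far as I know, Girder treats an endpoint with no declared scope as requiring a full-session (`USER_AUTH`) token, so this and the other DATA_READ/DATA_WRITE hunks in this file (cacheInfo through deleteHistograms) let an administrator's narrowly scoped API key reach admin endpoints it could not reach before. If that is intended, a short comment such as `# Admin user still required; the scope only selects which of an admin's tokens may call this.` would make it explicit, and a test that a non-admin token holding DATA_WRITE is still refused would pin the behaviour.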
@@ -279,7 +279,7 @@ def getPublicSettings(self, params): 'specifications typically include width, height, encoding, and ' 'encoding options.', required=False) ) - @access.admin + @access.admin(scope=TokenScope.DATA_READ) def countThumbnails(self, params): return self._countCachedImages(params.get('spec')) @@ -290,7 +290,7 @@ def countThumbnails(self, params): 'specified key', required=False) .notes('The imageKey can also be "tileFrames".') ) - @access.admin + @access.admin(scope=TokenScope.DATA_READ) def countAssociatedImages(self, params): return self._countCachedImages( None, associatedImages=True, imageKey=params.get('imageKey')) @@ -338,7 +338,7 @@ def _countCachedImages(self, spec, associatedImages=False, imageKey=None): 'making thumbnails. 0 or unspecified to base this on the ' 'number of reported cpus.', required=False, dataType='int') ) - @access.admin + @access.admin(scope=TokenScope.DATA_WRITE) def createThumbnails(self, params): self.requireParams(['spec'], params) try: @@ -376,7 +376,7 @@ def createThumbnails(self, params): 'specifications typically include width, height, encoding, and ' 'encoding options.', required=False) ) - @access.admin + @access.admin(scope=TokenScope.DATA_WRITE) def deleteThumbnails(self, params): return self._deleteCachedImages(params.get('spec')) @@ -385,7 +385,7 @@ def deleteThumbnails(self, params): .param('imageKey', 'If specific, only include images with the ' 'specified key', required=False) ) - @access.admin + @access.admin(scope=TokenScope.DATA_WRITE) def deleteAssociatedImages(self, params): return self._deleteCachedImages( None, associatedImages=True, imageKey=params.get('imageKey')) @@ -425,7 +425,7 @@ def _deleteCachedImages(self, spec, associatedImages=False, imageKey=None): 'cancelled. The return value is the number of items that were ' 'adjusted.') ) - @access.admin + @access.admin(scope=TokenScope.DATA_WRITE) def deleteIncompleteTiles(self, params): result = {'removed': 0} while True: 
@@ -473,7 +473,7 @@ def listSources(self, params): @describeRoute( Description('Count the number of cached histograms for large_image items.') ) - @access.admin + @access.admin(scope=TokenScope.DATA_READ) def countHistograms(self, params): query = { 'isLargeImageData': True, @@ -486,7 +486,7 @@ def countHistograms(self, params): @describeRoute( Description('Delete cached histograms from large_image items.') ) - @access.admin + @access.admin(scope=TokenScope.DATA_WRITE) def deleteHistograms(self, params): query = { 'isLargeImageData': True, @@ -561,7 +561,7 @@ def _configValidate(self, config): .param('config', 'The contents of config file to validate.', paramType='body') ) - @access.admin + @access.admin(scope=TokenScope.DATA_WRITE) def configValidate(self, config): config = config.read().decode('utf8') return self._configValidate(config) @@ -571,7 +571,7 @@ def configValidate(self, config): .param('config', 'The contents of config file to format.', paramType='body') ) - @access.admin + @access.admin(scope=TokenScope.DATA_WRITE) def configFormat(self, config): # noqa config = config.read().decode('utf8') if len(self._configValidate(config)): @@ -627,7 +627,7 @@ def configFormat(self, config): # noqa .param('config', 'The new contents of config file.', paramType='body') ) - @access.admin + @access.admin(scope=TokenScope.USER_AUTH) def configReplace(self, config, restart): config = config.read().decode('utf8') if len(self._configValidate(config)): diff --git a/girder/girder_large_image/rest/tiles.py b/girder/girder_large_image/rest/tiles.py index 18ffc26cd..c1302ceeb 100644 --- a/girder/girder_large_image/rest/tiles.py +++ b/girder/girder_large_image/rest/tiles.py 
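Review bot: configValidate asks for `TokenScope.DATA_WRITE` although its visible body only decodes the request body and returns `self._configValidate(config)`, which departs from the read/write split used for the count*/delete* endpoints in this file. If `_configValidate` has no side effects (its body is outside the hunk), `@access.admin(scope=TokenScope.DATA_READ)` would let a read-only token validate a config without the caller having to mint a write-scoped one. The same question applies to configFormat in the next hunk, whose body continues outside it. If write scope is deliberate, say why in a comment above the decorator.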
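Review bot: configReplace is the only endpoint in this patch that keeps `TokenScope.USER_AUTH`, and the decorator gives no reason for the difference. Judging by the `restart` parameter and the 'The new contents of config file.' description, it presumably rewrites server configuration, which would justify refusing scoped API keys. A comment such as `# Full-session token required: replaces the config file and can request a restart.` would stop a later cleanup from relaxing it to DATA_WRITE. The function body continues outside the hunk, so confirm the wording against it.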
@@ -546,7 +546,7 @@ def _getTile(self, item, z, x, y, imageArgs, mayRedirect=False): # LoadModelCache, three database lookups are avoided, which saves around # 6 ms in tests. We also avoid the @access.public decorator and directly # set the accessLevel attribute on the method. - # @access.public(cookie=True) + # @access.public(cookie=True, scope=TokenScope.DATA_READ) # @loadmodel(model='item', map={'itemId': 'item'}, level=AccessType.READ) # def getTile(self, item, z, x, y, params): # return self._getTile(item, z, x, y, params, True) @@ -561,6 +561,7 @@ def getTile(self, itemId, z, x, y, params): return self._getTile(item, z, x, y, params, mayRedirect=redirect) getTile.accessLevel = 'public' getTile.cookieAuth = True + getTile.requiredScopes = TokenScope.DATA_READ @describeRoute( Description('Get a large image tile with a frame number.') @@ -1408,7 +1409,7 @@ def tileFramesQuadInfo(self, item, params): .errorResponse('ID was invalid.') .errorResponse('Read access was denied for the item.', 403) ) - @access.admin + @access.admin(scope=TokenScope.DATA_READ) def listTilesThumbnails(self, item): return self.imageItemModel.removeThumbnailFiles(item, onlyList=True) @@ -1420,6 +1421,6 @@ def listTilesThumbnails(self, item): .errorResponse('ID was invalid.') .errorResponse('Read access was denied for the item.', 403) ) - @access.admin + @access.admin(scope=TokenScope.DATA_WRITE) def deleteTilesThumbnails(self, item, keep): return self.imageItemModel.removeThumbnailFiles(item, keep=keep or 0)
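Review bot: The comment above getTile still says only the accessLevel attribute is set directly, but with this change three hand-set attributes (`accessLevel`, `cookieAuth`, `requiredScopes`) stand in for the bypassed decorator. Reword the last comment line to `# set the accessLevel, cookieAuth and requiredScopes attributes on the method.` so that anyone editing the commented-out decorator knows all three must be kept in step. Because nothing enforces that these attributes match the decorator, a test that a token lacking DATA_READ cannot fetch a tile from a non-public item would catch one of them being dropped. getTile's body starts outside the hunk.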