Improve error messages for starting jobs on other orgs datasets

[frcroth]

URL of deployed dev instance (used for testing):

• https://___.webknossos.xyz

Steps to test:

• Make a dataset public
• Have a user of a different org access the dataset (user can be dataset manager and admin)
• Try AI Analysis
  • Not sure ow to test infer Mitochondria since this is marked as "Not yet available"
• Try running AI animation: This does not result in any error, but also does not show a popup interface. Not sure why ("Create animation" menu entry available but does not do anything #8189)

As I understand the runInference Job, it is not necessary there because the organization is taken from the user's identity anyway.

Issues:

• fixes Misleading error message when starting jobs for datasets of other organizations #8165

---

(Please delete unneeded items, merge only when none are left open)

• Updated changelog
• Removed dev-only changes like prints and application.conf edits
• Considered common edge cases

Summary by CodeRabbit

Release Notes

• New Features

  • Transitioned to asynchronous reading of image files on the datastore filesystem for improved efficiency.
  • Added organizationId to job parameters, enhancing context in job processing.

• Bug Fixes

  • Improved error messages related to job initiation on datasets from other organizations, providing clearer feedback.
  • Fixed performance issues when deleting multiple trees and bugs associated with importing NML files and deleting non-existing nodes.

• Improvements

  • Enhanced error handling and validation logic across job-related actions, ensuring users receive accurate and actionable information.
  • Updated error messages for various job permissions, clarifying restrictions based on dataset ownership.

[coderabbitai]

Walkthrough

The pull request introduces significant enhancements to the WEBKNOSSOS application, primarily focusing on error handling and validation improvements for job processing. Key changes include the implementation of asynchronous reading of image files, enhanced error messages related to job initiation on datasets from other organizations, and the addition of an organizationId parameter across various job-related functions. These modifications aim to provide clearer feedback and enforce stricter access controls based on organizational context.

Changes

Files	Change Summary
CHANGELOG.unreleased.md	Updated to document new features, including asynchronous image file reading and improved error messages.
app/controllers/AiModelController.scala	Enhanced error handling and validation logic; added organizationId field and localized error messages.
app/controllers/JobController.scala	Improved error handling and validation; updated method signatures to include organizationId.
conf/messages	Modified and added error messages for job permissions related to organizational access.
frontend/javascripts/admin/api/jobs.ts	Updated RunInferenceParameters type to include organizationId; adjusted runInferenceJob function.
frontend/javascripts/oxalis/view/action-bar/starting_job_modals.tsx	Enhanced job submission process; integrated organizationId into job parameters.

Assessment against linked issues

Objective	Addressed	Explanation
Misleading error message when starting jobs for datasets of other organizations (#8165)	✅
Improved error message for unauthorized organization access (#8165)	✅
Unified error messages across different job functions (#8165)	✅

Possibly related PRs

• Fix performance bottleneck when deleting a lot of trees at once #8176: This PR addresses a performance bottleneck when deleting multiple trees at once, which is directly related to the main PR's fix for performance issues when deleting multiple trees.
• Send right parameter to createNodeSkeletonAction #8185: This PR involves reverting a property name change from mag back to resolution, which is relevant as it aligns with the changes made in the main PR regarding the handling of node properties.
• Release 24.11.1 #8188: This release PR includes updates to the changelog that reflect the changes made in the main PR, particularly the fixes and enhancements related to performance and error handling.

Suggested labels

bug, frontend, new feature

Suggested reviewers

• MichaelBuessemeyer
• daniel-wer

Poem

In the meadow where data flows,
New features bloom, as progress shows.
With clearer messages, we guide the way,
Enhancements sprout, brightening the day.
So hop along, let’s celebrate,
For WEBKNOSSOS grows, it’s truly great! 🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 841f8a7 and 4a36ac8.

📒 Files selected for processing (1)

• CHANGELOG.unreleased.md (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• CHANGELOG.unreleased.md

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (7)

CHANGELOG.unreleased.md (1)

30-30: Enhance the changelog entry with more details about the error message improvements.

While the entry correctly documents the change, it could be more descriptive to help users understand the improvements made. Consider expanding it to better reflect the scope of changes:

-- Improved error messages for starting jobs on datasets from other organizations. [#8181](https://github.com/scalableminds/webknossos/pull/8181)
+- Improved error messages when starting jobs (e.g., render_animation, nuclei inferral) on datasets from other organizations. Users now receive clear feedback about organization access restrictions instead of generic "organization not found" errors. [#8181](https://github.com/scalableminds/webknossos/pull/8181)

app/controllers/AiModelController.scala (1)

178-180: Improve code formatting for readability

The multi-line Messages call could be more concise:

-        dataset <- datasetDAO.findOneByNameAndOrganization(request.body.datasetName, organization._id) ?~> Messages(
-          "dataset.notFound",
-          request.body.datasetName)
+        dataset <- datasetDAO.findOneByNameAndOrganization(request.body.datasetName, organization._id) ?~> 
+          Messages("dataset.notFound", request.body.datasetName)

conf/messages (1)

336-336: Consider providing more specific guidance about invalid additional coordinates.

The current message job.additionalCoordinates.invalid could be more helpful by indicating what makes the coordinates invalid (e.g., format, range, missing required values).

Consider using a more specific message like:

-job.additionalCoordinates.invalid = The passed additional coordinates are invalid.
+job.additionalCoordinates.invalid = The passed additional coordinates are invalid. Expected format: <expected_format> with values in range <valid_range>.

app/controllers/JobController.scala (4)

127-127: Consider refactoring organization validation into a helper function

The logic for validating the user's organization is duplicated across multiple methods. Extracting this into a helper function would reduce code duplication and improve maintainability.

---

449-449: Ensure consistent access context when retrieving user organization

The retrieval of userOrganization does not use GlobalAccessContext. Verify that access controls are correctly handled and consistent with other organization lookups.

---

Line range hint 449-456: Consider refactoring pricing plan checks into a helper function

The pricing plan validations are specific to PricingPlan.Basic. Refactoring these checks into a dedicated method would improve readability and maintainability.

---

Line range hint 127-449: Consolidate organization access and validation logic

The repeated pattern of retrieving and validating organization access could be consolidated into a shared helper function to reduce duplication and enhance code clarity.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 015016b and ff0d6d1.

📒 Files selected for processing (4)

• CHANGELOG.unreleased.md (1 hunks)
• app/controllers/AiModelController.scala (3 hunks)
• app/controllers/JobController.scala (6 hunks)
• conf/messages (4 hunks)

🔇 Additional comments (11)

app/controllers/AiModelController.scala (2)

21-21: LGTM: Messages import for localization

The addition of Messages import enables proper localization of error messages, which aligns with the PR objective of improving error message clarity.

---

139-139: LGTM: Organization validation for training jobs

The organization validation check ensures users can only train models on datasets from their own organization, with an appropriate FORBIDDEN response and localized error message.

Let's verify the error message is properly defined:

✅ Verification successful

Verified: Organization validation and error message defined properly

The organization validation check is correctly implemented, and the associated error message is properly defined in the messages configuration.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if the error message key is defined in the messages file
rg "job\.trainModel\.notAllowed\.organization\s*=" conf/

Length of output: 187

conf/messages (3)

141-141: LGTM! Clear and consistent error message.

The new zarr error message follows the existing pattern and clearly communicates the requirement.

---

153-154: LGTM! Clear and consistent error messages.

The new NML error messages follow the existing pattern and use placeholders consistently.

---

Line range hint 324-335: LGTM! Clear and consistent organization restriction messages.

The new error messages for job operations follow a consistent pattern and clearly communicate that these operations are restricted to datasets within the user's organization. This directly addresses the PR objectives by replacing vague error messages with clear, actionable feedback.

app/controllers/JobController.scala (6)

266-268: Duplicate comment on GlobalAccessContext usage

Refer to the earlier comment about verifying the use of GlobalAccessContext in organization lookups.

---

300-302: Duplicate comment on GlobalAccessContext usage

As noted previously, please verify that using GlobalAccessContext here is secure and appropriate.

---

421-423: Duplicate comment on GlobalAccessContext usage

Please see the prior comments regarding the verification of GlobalAccessContext usage.

---

445-447: Duplicate comment on GlobalAccessContext usage

Again, ensure that the use of GlobalAccessContext does not introduce security risks.

---

Line range hint 266-272: Ensure inferMitochondria job restriction aligns with permissions model

Confirm that limiting the inferMitochondria job to superusers is consistent with business requirements. Ensure that appropriate error messages are provided to users who are not superusers.

---

233-235: ⚠️ Potential issue

Verify the use of GlobalAccessContext in organization lookup

Using GlobalAccessContext in organizationDAO.findOne(organizationId)(GlobalAccessContext) bypasses default access controls. Ensure this is intentional and does not expose organization data to unauthorized users. If necessary, consider using a more restrictive context or adding access checks.

[coderabbitai]

⚠️ Potential issue

Add explicit organization validation for inference jobs

While the code validates the dataset belongs to the organization during lookup, it should have an explicit organization check similar to runTraining for consistency. This aligns with the PR objective of standardizing organization access checks.

         dataset <- datasetDAO.findOneByNameAndOrganization(request.body.datasetName, organization._id) ?~> 
           Messages("dataset.notFound", request.body.datasetName)
+        _ <- bool2Fox(request.identity._organization == dataset._organization) ?~> "job.inferWithModel.notAllowed.organization" ~> FORBIDDEN
         dataStore <- dataStoreDAO.findOneByName(dataset._dataStore) ?~> "dataStore.notFound"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	dataset <- datasetDAO.findOneByNameAndOrganization(request.body.datasetName, organization._id) ?~> Messages(
	"dataset.notFound",
	request.body.datasetName)
	dataset <- datasetDAO.findOneByNameAndOrganization(request.body.datasetName, organization._id) ?~> Messages(
	"dataset.notFound",
	request.body.datasetName)
	_ <- bool2Fox(request.identity._organization == dataset._organization) ?~> "job.inferWithModel.notAllowed.organization" ~> FORBIDDEN

[fm3]

Looking good!

As I understand the runInference Job, it is not necessary there because the organization is taken from the user's identity anyway.

Yes, not sure why, to be honest. I think it would be better to change the RunInferenceParameters to include the organizationId. Could you maybe do this here? Not sure how simple adapting the frontend is, but I would hope it can be done the same way as for runTraining?

Also, could you write an issue detailing that the renderAnimation modal does not show up, as you mentioned in person? I think that there, too, we should have either an explanation or the menu item shouldn’t be there in the first place.

[fm3]

I think this one can go, we lifted that restriction

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (2)

frontend/javascripts/admin/api/jobs.ts (1)

Line range hint 357-357: Remove commented-out parameter

The commented-out maskAnnotationLayerName parameter should be removed. If this is a planned feature, it should be tracked in the issue tracker instead.

frontend/javascripts/oxalis/view/action-bar/starting_job_modals.tsx (1)

Line range hint 574-583: Enhance error messages for organization-related failures.

The current error message is generic and doesn't specifically indicate when a job fails due to organization access issues. Consider making the error message more informative.

       Toast.error(
-        `The ${jobName} job could not be started. Please contact an administrator or look in the console for more details.`,
+        `The ${jobName} job could not be started. ${
+          error.message?.includes("organization")
+            ? "You don't have permission to start jobs on datasets from other organizations."
+            : "Please contact an administrator or look in the console for more details."
+        }`,
       );

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between ff0d6d1 and 5815fab.

📒 Files selected for processing (4)

• app/controllers/AiModelController.scala (5 hunks)
• conf/messages (4 hunks)
• frontend/javascripts/admin/api/jobs.ts (1 hunks)
• frontend/javascripts/oxalis/view/action-bar/starting_job_modals.tsx (1 hunks)

🔇 Additional comments (10)

frontend/javascripts/admin/api/jobs.ts (2)

Line range hint 359-363: LGTM: Proper implementation of runInferenceJob

The function correctly handles the new organizationId parameter and follows the established patterns for job functions in the codebase.

---

351-351: LGTM: Addition of organizationId parameter aligns with PR objectives

The addition of the required organizationId field to RunInferenceParameters is consistent with other job functions in the file and supports the PR's goal of improving organization-related error handling.

Let's verify that all job-related functions consistently handle organization IDs:

app/controllers/AiModelController.scala (3)

22-22: LGTM: Messages import for i18n support

The addition of Messages import enables localized error messages, which aligns with the PR objective of improving error message clarity.

---

141-141: LGTM: Added organization validation for training jobs

The added check ensures users can only train models on datasets from their own organization, with a clear FORBIDDEN response when validation fails.

---

179-182: LGTM: Enhanced organization validation for inference jobs

The changes implement proper organization validation with clear error messages:

1. Explicit organization lookup with user-friendly error message
2. Organization access check with FORBIDDEN response

conf/messages (3)

141-141: LGTM: Clear and consistent error message

The new zarr error message follows the established pattern and clearly communicates the validation requirement.

---

153-154: LGTM: Well-structured NML validation messages

The new NML error messages maintain consistency with existing messages and provide clear validation feedback.

---

Line range hint 324-337: LGTM: Comprehensive and consistent job permission messages

The new error messages successfully address the PR objectives by:

• Providing clear, standardized messaging across all job types
• Explicitly stating the organization ownership requirement
• Maintaining consistent wording throughout

This implementation effectively resolves the confusion mentioned in issue #8165 regarding misleading error messages when starting jobs for datasets from other organizations.

frontend/javascripts/oxalis/view/action-bar/starting_job_modals.tsx (2)

832-834: LGTM: Consistent implementation across all job API calls.

The implementation of organizationId is consistent with other job API calls in the file, which use dataset.owningOrganization. This ensures uniform error handling for jobs started on datasets from other organizations.

---

832-832: Good addition of organizationId parameter.

The addition of organizationId parameter to runInferenceJob aligns with the PR objectives to improve error handling for jobs started on datasets from other organizations.

Let's verify if other job API calls in the file also include the organizationId parameter:

✅ Verification successful

All job API calls include the organizationId parameter.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if other job API calls include organizationId parameter
# Test: Search for job API calls. Expect: All job API calls should include organizationId.

rg -A 5 "start.*Job|runInference" --type ts

Length of output: 23824

[coderabbitai]

💡 Codebase verification

Issue: organizationId parameter not passed in runInferenceJob calls

• organizationId is not included in any runInferenceJob function calls in the frontend code, potentially leading to missing organization validation.

🔗 Analysis chain

LGTM: Added organizationId parameter for explicit organization validation

The addition of organizationId parameter enables proper organization validation before running inference jobs. This aligns with the PR objective of improving error handling for cross-organization access attempts.

Let's verify that the frontend is updated to pass this new parameter:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for RunInferenceParameters usage in frontend code
rg -t ts -t js "RunInferenceParameters|runInference.*organizationId"

Length of output: 246

---

Script:

#!/bin/bash
# Search for runInferenceJob calls with organizationId parameter
rg -t ts -t js 'runInferenceJob\s*\([^)]*organizationId'

Length of output: 58

---

Script:

#!/bin/bash
# List all runInferenceJob calls with their arguments for manual inspection
rg -t ts -t js 'runInferenceJob\s*\(([^)]*)\)' -A 2

Length of output: 336