Skip to content

fix: workflow access bugs#838

Open
Kevin Loftus (kevin-loftus-dept) wants to merge 1 commit into
stagingfrom
fix/workflow-access-bugs-july-2026
Open

fix: workflow access bugs#838
Kevin Loftus (kevin-loftus-dept) wants to merge 1 commit into
stagingfrom
fix/workflow-access-bugs-july-2026

Conversation

@kevin-loftus-dept

@kevin-loftus-dept Kevin Loftus (kevin-loftus-dept) commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Title*

fix: workflow access bugs — paginate catalog before filtering & stop denying workflows on "default on"

Type of Change*

  • New feature
  • Bug fix
  • Documentation update
  • Refactoring
  • Hotfix
  • Security patch
  • UI/UX improvement

Description

Fixes several related bugs in the laboratory workflow-access feature where granted workflows/pipelines could be invisible to lab users, and where enabling "new workflows by default" hid everything.

1. list-private-workflows only filtered the first page (AWS HealthOmics)
The lambda fetched a single page of PRIVATE workflows and then applied the access filter. Any granted workflow beyond the first page was hidden from every user, even though it appeared in the (fully paginated) admin workflow catalog. Added listAllPrivateWorkflows() to page through all results (maxResults: 100, following nextToken) before filtering. The response now returns the filtered { items } only, instead of spreading the raw paginated response (which leaked a misleading nextToken).

2. list-pipelines only filtered the first page (Seqera / NextFlow Tower)
Same class of bug for Seqera pipelines. Added listAllPipelines() that pages via offset/max, de-dupes by pipelineId, preserves caller-supplied search + workspaceId params, and returns the full set with a corrected totalSize before the access filter runs.

3. "Enable new workflows by default" denied the entire catalog
On the strict → default-on transition, the migration wrote a DENY row for every catalog workflow that wasn't explicitly allowed. Because default-on means "allowed unless explicitly denied," this produced the reported "toggle is on, but nobody can see any workflows" state. The migration now simply clears leftover strict-mode rows (redundant ALLOW rows and stale/spurious DENY rows) and never writes catalog DENY rows, landing the lab on a clean "allowed by default" state.

4. Unified catalog no longer enumerates SHARED workflows
buildUnifiedWorkflowCatalogForOrganization previously included HealthOmics SHARED workflows. Since the lab-facing endpoint only ever returns PRIVATE workflows, shared entries were grantable in the admin panel yet never visible to lab users. Shared-workflow enumeration (and its now-unused helper/imports) was removed so the admin catalog matches what labs can actually see.

Testing*

  • Updated list-private-workflows.lambda.test.ts to mock multi-page responses and assert the access filter is applied across every page (verifies listWorkflows is called for each page and both allowed workflows from separate pages are returned).
  • Updated laboratory-workflow-access-default-migration.test.ts for the new strict → default-on behavior: asserts no DENY rows are written and that both the redundant ALLOW and stale DENY rows are removed.
  • Full back-end unit suite passes locally (via the pre-commit hook).
  • Pending QA: replication of the original issues in the staging environment before merge.

Impact

  • Back-end only; no schema or API contract changes.
  • Extra AWS HealthOmics / Seqera API calls now that listing fully paginates — bounded by page size (100) and only for workflow/pipeline listing endpoints.
  • Behavior change: admin workflow catalog no longer lists HealthOmics SHARED workflows; toggling "enable new workflows by default" on will clear existing per-workflow access rows for that lab.

Additional Information

Branch is rebased onto the current staging (which was reset to match main) and contains a single commit, so the diff is limited to the six files of this fix.

Checklist*

  • No new errors or warnings have been introduced.
  • All tests pass successfully and new tests added as necessary.
  • Documentation has been updated accordingly.
  • Code adheres to the coding and style guidelines of the project.
  • Code has been commented in particularly hard-to-understand areas.

@kevin-loftus-dept Kevin Loftus (kevin-loftus-dept) force-pushed the fix/workflow-access-bugs-july-2026 branch from 8956b83 to 2d20fda Compare July 9, 2026 20:10
@kevin-loftus-dept Kevin Loftus (kevin-loftus-dept) marked this pull request as ready for review July 9, 2026 20:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants