Fix tutorial access from UI #7465
Conversation
When users opened tutorials from the UI (top-right menu), they received an "Access denied" error because tutorial files are created in temp directories that are outside the allowed directory for directory-based file routers. The CLI command `marimo tutorial intro` worked because it creates a `ListOfFilesAppFileRouter` specifically for that tutorial file, which doesn't perform directory validation. ### Solution Added temp directory tracking to `LazyListOfFilesAppFileRouter` to allow access to files in registered temp directories: Fixes #7424
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
This PR fixes an "Access denied" error that occurred when users opened tutorials from the UI's top-right menu. The issue arose because tutorial files are created in temp directories outside the allowed base directory, causing directory-based file routers to reject access. The CLI command marimo tutorial intro worked because it uses a different router type that doesn't perform directory validation.
The solution adds temp directory tracking to LazyListOfFilesAppFileRouter:
- New methods
register_temp_dir()andis_file_in_allowed_temp_dir()manage allowed temp directories - Modified
get_file_manager()to skip directory validation for files in registered temp directories - Tutorial endpoint now registers its temp directory with the file router when using directory-based routing
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| marimo/_server/file_router.py | Added temp directory tracking to LazyListOfFilesAppFileRouter with register_temp_dir() and is_file_in_allowed_temp_dir() methods, and modified get_file_manager() to bypass validation for temp directory files |
| marimo/_server/api/endpoints/home.py | Updated tutorial endpoint to register temp directories with the file router when using LazyListOfFilesAppFileRouter |
| tests/_server/test_file_router.py | Added unit tests for temp directory registration and validation bypass behavior |
| tests/_server/api/endpoints/test_home.py | Added integration test verifying tutorial files remain accessible after being opened |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| self._allowed_temp_dirs.add(normalized_path) | ||
| LOGGER.debug("Registered allowed temp directory: %s", normalized_path) |
There was a problem hiding this comment.
The _allowed_temp_dirs set is mutated without synchronization, which could lead to race conditions when multiple tutorial endpoints are called concurrently. While Python's GIL provides some protection, iterating over the set in is_file_in_allowed_temp_dir (line 244) while it's being modified in register_temp_dir (line 227) can still cause RuntimeError. Consider using a thread-safe data structure or adding proper synchronization.
When users opened tutorials from the UI (top-right menu), they received an "Access denied" error because tutorial files are created in temp directories that are outside the allowed directory for directory-based file routers.
The CLI command
marimo tutorial introworked because it creates aListOfFilesAppFileRouterspecifically for that tutorial file, which doesn't perform directory validation.Solution
Added temp directory tracking to
LazyListOfFilesAppFileRouterto allow access to files in registered temp directories:Fixes #7424