Add job access checks for model invocations (cvat-ai#5392)

Fixes cvat-ai#4996
- Added job access checks for model launches in the interactive mode

Author: zhiltsov-max

CHANGELOG.md

@@ -90,6 +90,7 @@ non-ascii paths while adding files from "Connected file share" (issue #4428)
 - Fixed FBRS serverless function runtime error on images with alpha channel (<https://github.com/opencv/cvat/pull/5384>)
 - Attaching manifest with custom name (<https://github.com/opencv/cvat/pull/5377>)
 - Uploading non-zip annotaion files (<https://github.com/opencv/cvat/pull/5386>)
+- A permission problem with interactive model launches for workers in orgs (<https://github.com/opencv/cvat/issues/4996>)
 - Fix chart not being upgradable (<https://github.com/opencv/cvat/pull/5371>)
 - Broken helm chart - if using custom release name (<https://github.com/opencv/cvat/pull/5403>)
 - Missing source tag in project annotations (<https://github.com/opencv/cvat/pull/5408>)

cvat-ui/src/components/annotation-page/standard-workspace/controls-side-bar/tools-control.tsx

@@ -369,7 +369,8 @@ export class ToolsControlComponent extends React.PureComponent<Props, State> {
             try {
                 // run server request
                 this.setState({ fetching: true });
-                const response = await core.lambda.call(jobInstance.taskId, interactor, data);
+                const response = await core.lambda.call(jobInstance.taskId, interactor,
+                    { ...data, job: jobInstance.id });
 
                 // approximation with cv.approxPolyDP
                 const approximated = await this.approximateResponsePoints(response.points);
@@ -740,6 +741,7 @@ export class ToolsControlComponent extends React.PureComponent<Props, State> {
                         const response = await core.lambda.call(jobInstance.taskId, tracker, {
                             frame: frame - 1,
                             shapes: trackableObjects.shapes,
+                            job: jobInstance.id,
                         });
 
                         const { states: serverlessStates } = response;
@@ -787,6 +789,7 @@ export class ToolsControlComponent extends React.PureComponent<Props, State> {
                             frame,
                             shapes: trackableObjects.shapes,
                             states: trackableObjects.states,
+                            job: jobInstance.id,
                         });
 
                         response.shapes = response.shapes.map(trackedRectangleMapper);
@@ -1161,7 +1164,9 @@ export class ToolsControlComponent extends React.PureComponent<Props, State> {
                 runInference={async (model: Model, body: DetectorRequestBody) => {
                     try {
                         this.setState({ mode: 'detection', fetching: true });
-                        const result = await core.lambda.call(jobInstance.taskId, model, { ...body, frame });
+                        const result = await core.lambda.call(jobInstance.taskId, model, {
+                            ...body, frame, job: jobInstance.id,
+                        });
                         const states = result.map(
                             (data: any): any => {
                                 const jobLabel = (jobInstance.labels as Label[])

cvat/apps/engine/models.py

@@ -446,6 +446,9 @@ class Segment(models.Model):
     start_frame = models.IntegerField()
     stop_frame = models.IntegerField()
 
+    def contains_frame(self, idx: int) -> bool:
+        return self.start_frame <= idx and idx <= self.stop_frame
+
     class Meta:
         default_permissions = ()
 
@@ -472,6 +475,11 @@ def get_project_id(self):
         project = self.segment.task.project
         return project.id if project else None
 
+    @extend_schema_field(OpenApiTypes.INT)
+    def get_task_id(self):
+        task = self.segment.task
+        return task.id if task else None
+
     def get_organization_id(self):
         return self.segment.task.organization
 

cvat/apps/iam/permissions.py

@@ -365,12 +365,15 @@ class LambdaPermission(OpenPolicyAgentPermission):
     def create(cls, request, view, obj):
         permissions = []
         if view.basename == 'function' or view.basename == 'request':
-            for scope in cls.get_scopes(request, view, obj):
+            scopes = cls.get_scopes(request, view, obj)
+            for scope in scopes:
                 self = cls.create_base_perm(request, view, scope, obj)
                 permissions.append(self)
 
-            task_id = request.data.get('task')
-            if task_id:
+            if job_id := request.data.get('job'):
+                perm = JobPermission.create_scope_view_data(request, job_id)
+                permissions.append(perm)
+            elif task_id := request.data.get('task'):
                 perm = TaskPermission.create_scope_view_data(request, task_id)
                 permissions.append(perm)
 
@@ -879,6 +882,14 @@ def create(cls, request, view, obj):
 
         return permissions
 
+    @classmethod
+    def create_scope_view_data(cls, request, job_id):
+        try:
+            obj = Job.objects.get(id=job_id)
+        except Job.DoesNotExist as ex:
+            raise ValidationError(str(ex))
+        return cls(**cls.unpack_context(request), obj=obj, scope='view:data')
+
     def __init__(self, **kwargs):
         super().__init__(**kwargs)
         self.url = settings.IAM_OPA_DATA_URL + '/jobs/allow'