Feature request: biblio-gui should resolve git-annex symlinks when serving files
Problem
biblio-gui returns 403 Forbidden when serving docling artifact images that are git-annex managed. The image files are symlinks through .git/annex/objects/ that ultimately resolve to a RIA store (e.g. /storage2/ria-store/...). The web server refuses to follow the symlink chain.
Example:
GET /api/files/docling/sirota_2003_CommunicationNeocortex/sirota_2003_CommunicationNeocortex_artifacts/image_000003_....png -> 403 Forbidden
Symlink chain:
file.png -> ../../../../.git/annex/objects/K4/p6/MD5E-s296363--....png
-> /storage2/ria-store/.../annex/objects/K4/p6/MD5E-s296363--....png (real file, readable)
Proposed fix
When serving static files from the bib directory, resolve symlinks before serving (e.g. os.path.realpath() or equivalent). This is safe since biblio-gui already scopes file access to the bib directory tree. Options:
- Resolve symlinks in the file-serving endpoint -- use Path.resolve()/os.path.realpath() before passing to FileResponse, and validate the resolved path is still under an allowed root (bib dir or known annex/RIA paths).
- Configure the underlying server (uvicorn/starlette) to follow symlinks if it exposes that option.
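One way to implement the first option, as an added example (not biblio-gui's own code): scope the requested path to the bib directory before following any link, then require the fully resolved target to sit under an explicitly allowed root, since an annex target lies outside the bib tree by design. The function names, the allowed_roots parameter and the demo directory layout are assumptions constructed for illustration.

```python
import os
from pathlib import Path


def resolve_served_path(bib_root, rel_path, allowed_roots):
    """Return the real file behind rel_path, or raise PermissionError.

    allowed_roots: directories a link target may live in (hypothetical
    parameter, e.g. the bib dir plus the annex/RIA store).
    """
    bib_root = Path(bib_root).resolve()
    # 1. Lexical scoping: the requested path must stay inside bib_root
    #    before any symlink is followed (rejects "../" and absolute paths).
    requested = Path(os.path.normpath(bib_root / rel_path))
    if not requested.is_relative_to(bib_root):
        raise PermissionError(f"outside bib dir: {rel_path}")
    # 2. Follow the whole chain; strict=True raises FileNotFoundError
    #    for a dangling link (annex content not present).
    real = requested.resolve(strict=True)
    # 3. The final target must sit under an explicitly allowed root.
    roots = [Path(r).resolve() for r in allowed_roots]
    if not any(real.is_relative_to(r) for r in roots):
        raise PermissionError(f"symlink target not allowed: {rel_path}")
    if not real.is_file():
        raise PermissionError(f"not a regular file: {rel_path}")
    return real


def build_demo_tree(base):
    """Constructed layout: bib dir, annex-style link chain, RIA store."""
    base = Path(base)
    bib, ria, other = base / "bib", base / "ria-store", base / "other"
    for d in (bib / "docling", bib / ".git/annex/objects", ria, other):
        d.mkdir(parents=True)
    (ria / "obj.png").write_bytes(b"png")
    (other / "secret.txt").write_text("x")
    # file.png -> .git/annex/objects/obj.png -> ria-store/obj.png
    (bib / ".git/annex/objects/obj.png").symlink_to(ria / "obj.png")
    (bib / "docling/file.png").symlink_to("../.git/annex/objects/obj.png")
    # A link whose target is outside every allowed root.
    (bib / "docling/leak.txt").symlink_to(other / "secret.txt")
    return bib, ria
```

A caller would map PermissionError to 403 and FileNotFoundError to 404 before handing the returned path to FileResponse.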
Context
This affects any project using git-annex (especially with datalad + RIA stores) for PDF/image storage, which is the standard setup for pixecog and likely other managed bib directories.
Source context: pixecog
PixEcog (pixecog): Neuropixels and ECoG dataset and analysis
Recent commits:
6429574 untrack
614785c remove CI builds/ from tracking, add to gitignore
63f0884 pipeio notebook test
README:
type: readme
Quick Start for Collaborators
Follow this checklist to get started with Pixecog documentation and workflows.
🐀 Pixecog Project — Compact Overview
Core principles
- One immutable BIDS raw dataset (raw/) as the canonical baseline
- Each analysis pipeline ha