**Feature request: biblio-gui should resolve git-annex symlinks when serving fil¶
Transcript¶
Feature request: biblio-gui should resolve git-annex symlinks when serving files
Problem¶
biblio-gui returns 403 Forbidden when serving docling artifact images that are git-annex managed. The image files are symlinks through .git/annex/objects/ that ultimately resolve to a RIA store (e.g. /storage2/ria-store/...). The web server refuses to follow the symlink chain.
Example:
GET /api/files/docling/sirota_2003_CommunicationNeocortex/sirota_2003_CommunicationNeocortex_artifacts/image_000003_....png -> 403 Forbidden
Symlink chain:
file.png -> ../../../../.git/annex/objects/K4/p6/MD5E-s296363--....png
-> /storage2/ria-store/.../annex/objects/K4/p6/MD5E-s296363--....png (real file, readable)
Proposed fix¶
When serving static files from the bib directory, resolve symlinks before serving (e.g. os.path.realpath() or equivalent). This is safe since biblio-gui already scopes file access to the bib directory tree. Options:
- Resolve symlinks in the file-serving endpoint -- use
Path.resolve()/os.path.realpath()before passing toFileResponse, and validate the resolved path is still under an allowed root (bib dir or known annex/RIA paths). - Configure the underlying server (uvicorn/starlette) to follow symlinks if it exposes that option.
Context¶
This affects any project using git-annex (especially with datalad + RIA stores) for PDF/image storage, which is the standard setup for pixecog and likely other managed bib directories.
Source context: pixecog¶
PixEcog (pixecog): Neuropixels and ECoG dataset and analysis
Recent commits:
6429574 untrack
614785c remove CI builds/ from tracking, add to gitignore
63f0884 pipeio notebook test
README:
type: readme
Quick Start for Collaborators¶
Follow this checklist to get started with Pixecog documentation and workflows.
🐀 Pixecog Project — Compact Overview¶
Core principles
- One immutable BIDS raw dataset (
raw/) as the canonical baseline - Each analysis pipeline ha