From 06479759d7602bbe911cc6733054d2ac08bad054 Mon Sep 17 00:00:00 2001
From: MontrealSergiy <sergeboroday@gmail.com>
Date: Tue, 23 Sep 2025 00:13:33 -0400
Subject: [PATCH 1/4] fix upload to bad dp #1544

---
 BrainPortal/app/controllers/userfiles_controller.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/BrainPortal/app/controllers/userfiles_controller.rb b/BrainPortal/app/controllers/userfiles_controller.rb
index 49ec78f2f..9ca7588c0 100644
--- a/BrainPortal/app/controllers/userfiles_controller.rb
+++ b/BrainPortal/app/controllers/userfiles_controller.rb
@@ -538,7 +538,9 @@ def create #:nodoc:
     rack_tempfile_size = upload_stream.tempfile.size
 
     # Get the data provider for the destination files.
-    data_provider_id   = params[:data_provider_id]
+    data_provider_id = params[:data_provider_id]
+
+    DataProvider.find_accessible_by_user(data_provider_id, current_user)
 
     # Where we'll keep a copy in the spawn() below
     tmpcontentfile     = "/tmp/#{Process.pid}-#{rand(10000).to_s}-#{basename}" # basename's extension is used later on

From b7fc5f34092281d66c7b2fb133f2fe35b8b96fc7 Mon Sep 17 00:00:00 2001
From: MontrealSergiy <sergeboroday@gmail.com>
Date: Tue, 23 Sep 2025 00:14:13 -0400
Subject: [PATCH 2/4] fix upload to bad dp test #1544

---
 .../spec/controllers/userfiles_controller_spec.rb   | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/BrainPortal/spec/controllers/userfiles_controller_spec.rb b/BrainPortal/spec/controllers/userfiles_controller_spec.rb
index 7db478e29..7f76c8baa 100644
--- a/BrainPortal/spec/controllers/userfiles_controller_spec.rb
+++ b/BrainPortal/spec/controllers/userfiles_controller_spec.rb
@@ -263,10 +263,11 @@ class << file; attr_reader :tempfile; end
 
       before(:each) do
         session[:session_id] = 'session_id'
-        allow(controller).to receive(:current_user).and_return(admin)
-        allow(Message).to    receive(:send_message)
-        allow(File).to       receive(:delete)
-        allow(controller).to receive(:system)
+        allow(controller).to   receive(:current_user).and_return(admin)
+        allow(Message).to      receive(:send_message)
+        allow(File).to         receive(:delete)
+        allow(controller).to   receive(:system)
+        allow(DataProvider).to receive(:find_accessible_by_user).and_return([data_provider])
       end
 
       it "should redirect to index if the upload file is blank" do
@@ -300,7 +301,7 @@ class << file; attr_reader :tempfile; end
           end
 
           it "should display an error message" do
-            post :create, params: { :upload_file => mock_upload_stream, :archive => "save", userfile: userfile}
+            post :create, params: { :upload_file => mock_upload_stream, :archive => "save", userfile: userfile, :data_provider_id => data_provider.id}
             expect(flash[:error]).to match(/File .+ could not be added./)
           end
         end
@@ -327,7 +328,7 @@ class << file; attr_reader :tempfile; end
 
             it "should copy the file to the local cache" do
               expect(mock_userfile).to receive(:cache_copy_from_local_file)
-              post :create, params: {:upload_file => mock_upload_stream, :archive => "save", userfile: userfile}
+              post :create, params: {:upload_file => mock_upload_stream, :archive => "save", userfile: userfile, :data_provider_id => data_provider.id}
             end
           end
 

From f7d7b7276e4423321a7836b1883c3bfa3108fb31 Mon Sep 17 00:00:00 2001
From: MontrealSergiy <sergeboroday@gmail.com>
Date: Tue, 30 Sep 2025 15:20:11 -0400
Subject: [PATCH 3/4] add a comment explaining dp access check in file upload

---
 BrainPortal/app/controllers/userfiles_controller.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/BrainPortal/app/controllers/userfiles_controller.rb b/BrainPortal/app/controllers/userfiles_controller.rb
index 9ca7588c0..dcb16dfaa 100644
--- a/BrainPortal/app/controllers/userfiles_controller.rb
+++ b/BrainPortal/app/controllers/userfiles_controller.rb
@@ -540,6 +540,7 @@ def create #:nodoc:
     # Get the data provider for the destination files.
     data_provider_id = params[:data_provider_id]
 
+    # Verify that the DP is accessible to the user - this will raise an exception otherwise
     DataProvider.find_accessible_by_user(data_provider_id, current_user)
 
     # Where we'll keep a copy in the spawn() below

From c3dfd101e099fe8503ded9bf4844c71c0e2aaab9 Mon Sep 17 00:00:00 2001
From: MontrealSergiy <sergeboroday@gmail.com>
Date: Tue, 30 Sep 2025 15:27:27 -0400
Subject: [PATCH 4/4] simpler stub finder for file upload tests

---
 BrainPortal/spec/controllers/userfiles_controller_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/BrainPortal/spec/controllers/userfiles_controller_spec.rb b/BrainPortal/spec/controllers/userfiles_controller_spec.rb
index 7f76c8baa..f0ec1abe7 100644
--- a/BrainPortal/spec/controllers/userfiles_controller_spec.rb
+++ b/BrainPortal/spec/controllers/userfiles_controller_spec.rb
@@ -267,7 +267,7 @@ class << file; attr_reader :tempfile; end
         allow(Message).to      receive(:send_message)
         allow(File).to         receive(:delete)
         allow(controller).to   receive(:system)
-        allow(DataProvider).to receive(:find_accessible_by_user).and_return([data_provider])
+        allow(DataProvider).to receive(:find_accessible_by_user).and_return(data_provider)
       end
 
       it "should redirect to index if the upload file is blank" do