From 4e47b8de13934961d237c5ffcfa2b05f5eab7d5f Mon Sep 17 00:00:00 2001
From: mvdbeek <m.vandenbeek@gmail.com>
Date: Thu, 23 May 2024 23:10:58 +0200
Subject: [PATCH] Restrict job_files access to jobs that are not terminal

That should fix https://sentry.galaxyproject.org/share/issue/c4eb157823c240d5a664ec6517354db2/
---
 lib/galaxy/webapps/galaxy/api/job_files.py  | 2 +-
 lib/galaxy/webapps/galaxy/api/job_tokens.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/galaxy/webapps/galaxy/api/job_files.py b/lib/galaxy/webapps/galaxy/api/job_files.py
index df2edf2415cb..9abc3363a017 100644
--- a/lib/galaxy/webapps/galaxy/api/job_files.py
+++ b/lib/galaxy/webapps/galaxy/api/job_files.py
@@ -182,7 +182,7 @@ def __authorize_job_access(self, trans, encoded_job_id, **kwargs):
 
         # Verify job is active. Don't update the contents of complete jobs.
         job = trans.sa_session.get(Job, job_id)
-        if job.finished:
+        if job.state not in Job.non_ready_states:
             error_message = "Attempting to read or modify the files of a job that has already completed."
             raise exceptions.ItemAccessibilityException(error_message)
         return job
diff --git a/lib/galaxy/webapps/galaxy/api/job_tokens.py b/lib/galaxy/webapps/galaxy/api/job_tokens.py
index 8853f33d62bd..5cc5e6e9b4a5 100644
--- a/lib/galaxy/webapps/galaxy/api/job_tokens.py
+++ b/lib/galaxy/webapps/galaxy/api/job_tokens.py
@@ -64,7 +64,7 @@ def __authorize_job_access(self, trans, encoded_job_id, job_key):
 
         # Verify job is active
         job = session.get(Job, job_id)
-        if job.finished:
+        if job.state not in Job.non_ready_states:
             error_message = "Attempting to get oidc token for a job that has already completed."
             raise exceptions.ItemAccessibilityException(error_message)
         return job