From 65d29f9452d2d2a77f76b635fd4dba5a5be3d13e Mon Sep 17 00:00:00 2001
From: Lum <klum@labkey.com>
Date: Tue, 9 Jun 2026 16:26:43 -0700
Subject: [PATCH 01/11] Validate container permissions

---
 .../controllers/editscript/EditScriptForm.java   |  8 +++++++-
 .../flow/controllers/protocol/ProtocolForm.java  |  2 +-
 flow/src/org/labkey/flow/data/FlowProtocol.java  | 16 ++++++++++------
 3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/flow/src/org/labkey/flow/controllers/editscript/EditScriptForm.java b/flow/src/org/labkey/flow/controllers/editscript/EditScriptForm.java
index b8632153ff..cf9cb49bbd 100644
--- a/flow/src/org/labkey/flow/controllers/editscript/EditScriptForm.java
+++ b/flow/src/org/labkey/flow/controllers/editscript/EditScriptForm.java
@@ -73,7 +73,12 @@ public void reset()
     {
         try
         {
-            String scriptIdStr = getRequest().getParameter("scriptId");
+            ActionURL url = getViewContext().getActionURL();
+            // Read scriptId from the action URL (falling back to the request parameter) so it resolves under both
+            // real browser requests and in-JVM mock dispatch, mirroring how runId/compId below are read from the URL.
+            String scriptIdStr = url.getParameter("scriptId");
+            if (scriptIdStr == null)
+                scriptIdStr = getRequest().getParameter("scriptId");
             if (scriptIdStr == null)
             {
                 throw new NotFoundException("scriptId required");
@@ -92,6 +97,7 @@ public void reset()
             {
                 throw new NotFoundException("scriptId not found: " + scriptIdStr);
             }
+            flowObject.checkContainer(getContainer(), getUser(), url);
             _runCount = flowObject.getRunCount();
             step = FlowProtocolStep.fromRequest(getRequest());
             _run = FlowRun.fromURL(getViewContext().getActionURL(), getRequest(), getViewContext().getContainer(), getUser());
diff --git a/flow/src/org/labkey/flow/controllers/protocol/ProtocolForm.java b/flow/src/org/labkey/flow/controllers/protocol/ProtocolForm.java
index b1b7d75dc0..311d04c42c 100644
--- a/flow/src/org/labkey/flow/controllers/protocol/ProtocolForm.java
+++ b/flow/src/org/labkey/flow/controllers/protocol/ProtocolForm.java
@@ -35,7 +35,7 @@ public FlowProtocol getProtocol() throws UnauthorizedException
     {
         if (_protocol != null)
             return _protocol;
-        _protocol = FlowProtocol.fromURLRedirectIfNull(getUser(), getViewContext().getActionURL(), getRequest());
+        _protocol = FlowProtocol.fromURLRedirectIfNull(getUser(), getViewContext(), getRequest());
         return _protocol;
     }
 
diff --git a/flow/src/org/labkey/flow/data/FlowProtocol.java b/flow/src/org/labkey/flow/data/FlowProtocol.java
index c58bf74a9e..7cb03fbac6 100644
--- a/flow/src/org/labkey/flow/data/FlowProtocol.java
+++ b/flow/src/org/labkey/flow/data/FlowProtocol.java
@@ -16,6 +16,7 @@
 
 package org.labkey.flow.data;
 
+import jakarta.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -70,6 +71,7 @@
 import org.labkey.api.view.RedirectException;
 import org.labkey.api.view.UnauthorizedException;
 import org.labkey.api.view.ViewBackgroundInfo;
+import org.labkey.api.view.ViewContext;
 import org.labkey.flow.controllers.FlowController;
 import org.labkey.flow.controllers.FlowParam;
 import org.labkey.flow.controllers.protocol.ProtocolController;
@@ -79,7 +81,6 @@
 import org.labkey.flow.query.FlowTableType;
 import org.labkey.flow.script.KeywordsJob;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.io.File;
 import java.sql.ResultSet;
 import java.sql.SQLException;
@@ -149,15 +150,18 @@ static public boolean isDefaultProtocol(ExpProtocol protocol)
                 DEFAULT_PROTOCOL_NAME.equals(protocol.getName());
     }
 
-    static public FlowProtocol fromURL(User user, ActionURL url, HttpServletRequest request) throws UnauthorizedException
+    static public FlowProtocol fromURL(User user, ViewContext context, HttpServletRequest request) throws UnauthorizedException
     {
+        ActionURL url = context.getActionURL();
         FlowProtocol ret = fromProtocolId(getIntParam(url, request, FlowParam.experimentId));
         if (ret == null)
         {
-            ret = FlowProtocol.getForContainer(ContainerManager.getForPath(url.getExtraPath()));
+            ret = FlowProtocol.getForContainer(context.getContainer());
         }
         if (ret == null)
             return null;
+
+        ret.checkContainer(context.getContainer(), user, url);
         if (!ret.getContainer().hasPermission(user, ReadPermission.class))
         {
             throw new UnauthorizedException();
@@ -165,11 +169,11 @@ static public FlowProtocol fromURL(User user, ActionURL url, HttpServletRequest
         return ret;
     }
 
-    public static FlowProtocol fromURLRedirectIfNull(User user, ActionURL url, HttpServletRequest request)
+    public static FlowProtocol fromURLRedirectIfNull(User user, ViewContext context, HttpServletRequest request)
     {
-        FlowProtocol protocol = fromURL(user, url, request);
+        FlowProtocol protocol = fromURL(user, context, request);
         if (protocol == null)
-            throw new RedirectException(url.clone().setAction(FlowController.BeginAction.class));
+            throw new RedirectException(context.getActionURL().clone().setAction(FlowController.BeginAction.class));
 
         return protocol;
     }

From 21b78586bb9c5830cc11b675a15c20f05429a989 Mon Sep 17 00:00:00 2001
From: Lum <klum@labkey.com>
Date: Wed, 10 Jun 2026 12:20:21 -0700
Subject: [PATCH 02/11] More container scoping plus unit tests.

---
 flow/src/org/labkey/flow/FlowModule.java      |   3 +-
 .../flow/controllers/run/RunController.java   |   4 +
 .../persist/AbstractContainerScopingTest.java | 146 +++++++++++++++
 .../org/labkey/flow/persist/FlowManager.java  | 167 ++++++++++++++++++
 4 files changed, 319 insertions(+), 1 deletion(-)
 create mode 100644 flow/src/org/labkey/flow/persist/AbstractContainerScopingTest.java

diff --git a/flow/src/org/labkey/flow/FlowModule.java b/flow/src/org/labkey/flow/FlowModule.java
index cbe2d66b21..64ad66dc75 100644
--- a/flow/src/org/labkey/flow/FlowModule.java
+++ b/flow/src/org/labkey/flow/FlowModule.java
@@ -342,7 +342,8 @@ public Set<Class> getIntegrationTests()
             FlowController.TestCase.class,
             FlowProtocol.TestCase.class,
             PersistTests.class,
-            FlowManager.TestCase.class
+            FlowManager.TestCase.class,
+            FlowManager.ContainerScopingTestCase.class
         );
     }
 
diff --git a/flow/src/org/labkey/flow/controllers/run/RunController.java b/flow/src/org/labkey/flow/controllers/run/RunController.java
index 01dbc2a010..d1b2c9090e 100644
--- a/flow/src/org/labkey/flow/controllers/run/RunController.java
+++ b/flow/src/org/labkey/flow/controllers/run/RunController.java
@@ -232,6 +232,7 @@ public void validate(DownloadRunForm form, BindException errors)
                 errors.reject(ERROR_MSG, "run not found");
                 return;
             }
+            _run.checkContainer(getContainer(), getUser(), getActionURL());
 
             FlowWell[] wells = _run.getWells(true);
             if (wells.length == 0)
@@ -464,6 +465,7 @@ else if (form.getSendTo() == ExportAnalysisForm.SendTo.Script)
                     if (run == null)
                         throw new NotFoundException("Flow run not found");
 
+                    run.checkContainer(getContainer(), getUser(), getActionURL());
                     runs.add(run);
                 }
                 _runs = runs;
@@ -477,6 +479,7 @@ else if (wellId != null && wellId.length > 0)
                     if (well == null)
                         throw new NotFoundException("Flow well not found");
 
+                    well.checkContainer(getContainer(), getUser(), getActionURL());
                     wells.add(well);
                 }
                 _wells = wells;
@@ -941,6 +944,7 @@ public static class DownloadAttachmentAction extends BaseDownloadAction<Attachme
             {
                 throw new NotFoundException();
             }
+            run.checkContainer(getContainer(), getUser(), getViewContext().getActionURL());
 
             return new Pair<>(new ExpRunAttachmentParent(run.getExperimentRun()), form.getName());
         }
diff --git a/flow/src/org/labkey/flow/persist/AbstractContainerScopingTest.java b/flow/src/org/labkey/flow/persist/AbstractContainerScopingTest.java
new file mode 100644
index 0000000000..4368acfec7
--- /dev/null
+++ b/flow/src/org/labkey/flow/persist/AbstractContainerScopingTest.java
@@ -0,0 +1,146 @@
+package org.labkey.flow.persist;
+
+import org.junit.After;
+import org.junit.Assert;
+import org.labkey.api.data.Container;
+import org.labkey.api.data.ContainerManager;
+import org.labkey.api.security.MutableSecurityPolicy;
+import org.labkey.api.security.SecurityManager;
+import org.labkey.api.security.SecurityPolicyManager;
+import org.labkey.api.security.User;
+import org.labkey.api.security.UserManager;
+import org.labkey.api.security.ValidEmail;
+import org.labkey.api.security.roles.Role;
+import org.labkey.api.util.JunitUtil;
+import org.labkey.api.util.TestContext;
+import org.labkey.api.view.ActionURL;
+import org.labkey.api.view.ViewServlet;
+import org.springframework.mock.web.MockHttpServletResponse;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * Base class for "container scoping" (a.k.a. broken-object-level-authorization / BOLA / IDOR) integration tests. These
+ * tests verify that an action whose {@code @RequiresPermission} annotation is correct for the current container still
+ * rejects an object resolved by a global id that belongs to a <em>different</em> container.
+ *
+ * <p>The repeated scaffolding lives here so each subclass keeps only its data fixture and the action under test:
+ * <ul>
+ *   <li>{@link #createContainer(String)} — make a throwaway child of the junit container (auto-cleaned).</li>
+ *   <li>{@link #createUserInRole(Container, Class)} — make a user with a role assigned in <em>one</em> folder only
+ *       (auto-cleaned). Use this to obtain a caller who is, say, admin in folder A but has no rights in folder B.</li>
+ *   <li>{@link #get(ActionURL, User)} / {@link #post(ActionURL, User)} — dispatch an in-JVM request as a given user
+ *       and inspect the {@link MockHttpServletResponse} status. Parameters travel on the {@link ActionURL}.</li>
+ * </ul>
+ *
+ * <p>Note: WebDAV verbs (MOVE, PROPPATCH, ...) are not served through {@link ViewServlet} dispatch, so a WebDAV test
+ * should still use this class for its container/user fixtures but drive the verb through {@code WebdavServlet} itself.
+ */
+public abstract class AbstractContainerScopingTest extends Assert
+{
+    private static final Map<String, Object> FORM_HEADERS = Map.of("Content-Type", "application/x-www-form-urlencoded");
+
+    private final List<Container> _containers = new ArrayList<>();
+    private final List<User> _users = new ArrayList<>();
+
+    /** The site-admin user (from {@link TestContext}) that owns the test fixtures. */
+    protected User getAdmin()
+    {
+        return TestContext.get().getUser();
+    }
+
+    /**
+     * Create a throwaway child container of the junit container, named uniquely per test class, registered for
+     * automatic cleanup. Callers pass a short local name (e.g. "A"/"B"/"Source"); the class name is prepended so two
+     * test classes can both ask for "A" without colliding.
+     */
+    protected Container createContainer(String name)
+    {
+        Container junit = JunitUtil.getTestContainer();
+        Container c = ContainerManager.ensureContainer(junit.getParsedPath().append(getClass().getSimpleName() + "-" + name, true), getAdmin());
+        _containers.add(c);
+        return c;
+    }
+
+    /**
+     * Create a user that has {@code role} assigned in {@code scope} <em>only</em> (it has no rights in any other
+     * container), registered for automatic cleanup. This is the canonical way to build a caller who is privileged in
+     * one folder but not another. Do not use {@code LimitedUser} for this — that grants roles unconditionally in every
+     * container.
+     */
+    protected User createUserInRole(Container scope, Class<? extends Role> role) throws Exception
+    {
+        String email = getClass().getSimpleName().toLowerCase() + "-" + _users.size() + "@containerscoping.test";
+        User user = SecurityManager.addUser(new ValidEmail(email), null).getUser();
+        _users.add(user);
+        grantRole(user, scope, role);
+        return user;
+    }
+
+    /**
+     * Grant {@code role} to an existing {@code user} in {@code scope}, on top of any roles it already holds in that
+     * container. Use this to build a caller with different roles in different folders (e.g. delete rights in a source
+     * folder but only read access in a target folder).
+     */
+    protected void grantRole(User user, Container scope, Class<? extends Role> role) throws Exception
+    {
+        MutableSecurityPolicy policy = new MutableSecurityPolicy(scope.getPolicy());
+        policy.addRoleAssignment(user, role);
+        SecurityPolicyManager.savePolicyForTests(policy, getAdmin());
+    }
+
+    /**
+     * Dispatch a GET to the action addressed by {@code url} as {@code user}. Put request parameters on the URL. No
+     * request-body Content-Type is sent: a GET carries no body, and an "application/json" Content-Type would make an
+     * API action ({@code ReadOnlyApiAction}) try to parse the empty body as JSON and fail with 400 before its
+     * {@code execute()} runs. With no Content-Type the form binds from the URL parameters, as a real GET would.
+     */
+    protected MockHttpServletResponse get(ActionURL url, User user) throws Exception
+    {
+        return ViewServlet.GET(url, user, Map.of());
+    }
+
+    /** Dispatch a POST to the action addressed by {@code url} as {@code user}. Put request parameters on the URL. */
+    protected MockHttpServletResponse post(ActionURL url, User user) throws Exception
+    {
+        return ViewServlet.POST(url, user, FORM_HEADERS, null);
+    }
+
+    /** Assert that a dispatched response has the expected HTTP status code. */
+    protected void assertStatus(int expected, MockHttpServletResponse response)
+    {
+        assertEquals("Unexpected HTTP status", expected, response.getStatus());
+    }
+
+    @After
+    public void cleanupContainerScopingFixtures()
+    {
+        User admin = getAdmin();
+
+        for (User user : _users)
+        {
+            try
+            {
+                UserManager.deleteUser(user.getUserId());
+            }
+            catch (Exception ignored)
+            {
+            }
+        }
+        _users.clear();
+
+        for (Container c : _containers)
+        {
+            try
+            {
+                ContainerManager.deleteAll(c, admin);
+            }
+            catch (Exception ignored)
+            {
+            }
+        }
+        _containers.clear();
+    }
+}
diff --git a/flow/src/org/labkey/flow/persist/FlowManager.java b/flow/src/org/labkey/flow/persist/FlowManager.java
index 6e43a77375..1ed647064e 100644
--- a/flow/src/org/labkey/flow/persist/FlowManager.java
+++ b/flow/src/org/labkey/flow/persist/FlowManager.java
@@ -16,12 +16,14 @@
 
 package org.labkey.flow.persist;
 
+import jakarta.servlet.http.HttpServletResponse;
 import org.apache.commons.collections4.iterators.ArrayIterator;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
+import org.junit.Before;
 import org.junit.Test;
 import org.labkey.api.audit.AuditLogService;
 import org.labkey.api.data.Aggregate;
@@ -46,6 +48,7 @@
 import org.labkey.api.exp.OntologyManager;
 import org.labkey.api.exp.PropertyDescriptor;
 import org.labkey.api.exp.api.ExpData;
+import org.labkey.api.exp.api.ExpRun;
 import org.labkey.api.exp.api.ExpSampleType;
 import org.labkey.api.exp.api.ExperimentService;
 import org.labkey.api.exp.query.SamplesSchema;
@@ -55,20 +58,30 @@
 import org.labkey.api.query.QueryService;
 import org.labkey.api.query.UserSchema;
 import org.labkey.api.security.User;
+import org.labkey.api.security.roles.EditorRole;
+import org.labkey.api.security.roles.ReaderRole;
 import org.labkey.api.util.DateUtil;
 import org.labkey.api.util.FileUtil;
 import org.labkey.api.util.UnexpectedException;
+import org.labkey.api.view.ActionURL;
 import org.labkey.flow.FlowModule;
 import org.labkey.flow.analysis.web.GraphSpec;
 import org.labkey.flow.analysis.web.StatisticSpec;
+import org.labkey.flow.controllers.FlowParam;
+import org.labkey.flow.controllers.editscript.ScriptController;
 import org.labkey.flow.controllers.executescript.AnalysisEngine;
+import org.labkey.flow.controllers.protocol.ProtocolController;
+import org.labkey.flow.controllers.run.RunController;
 import org.labkey.flow.data.AttributeType;
 import org.labkey.flow.data.FlowDataObject;
+import org.labkey.flow.data.FlowDataType;
 import org.labkey.flow.data.FlowProperty;
 import org.labkey.flow.data.FlowProtocol;
+import org.labkey.flow.data.FlowScript;
 import org.labkey.flow.data.ICSMetadata;
 import org.labkey.flow.query.FlowSchema;
 import org.labkey.flow.query.FlowTableType;
+import org.springframework.mock.web.MockHttpServletResponse;
 
 import java.net.URI;
 import java.sql.ResultSet;
@@ -1802,4 +1815,158 @@ public void metrics()
             assertNotNull(metrics.get("flowTempTableCount"));
         }
     }
+
+    public static class ContainerScopingTestCase extends AbstractContainerScopingTest
+    {
+        private Container _folderA;
+        private Container _folderB;
+        private User _admin;
+
+        @Before
+        public void setup()
+        {
+            // Regression test for FLOW-1. A FlowScript is addressed by a global scriptId.
+            _admin = getAdmin();
+            _folderA = createContainer("A");
+            _folderB = createContainer("B");
+        }
+
+        @Test
+        public void testScriptContainerScoping() throws Exception
+        {
+            // A flow script that lives in folder B.
+            FlowScript script = FlowScript.create(_admin, _folderB, "scope-test",
+                    "<script xmlns=\"http://www.labkey.org/data/xml/flowScript\"/>");
+            int scriptId = script.getScriptId();
+
+            // DownloadAction resolves the script through EditScriptForm; dispatch it against folder A while pointing
+            // scriptId at B's script -- the FLOW-1 attack shape (reaching a script that lives in another folder).
+            ActionURL foreignUrl = new ActionURL(ScriptController.DownloadAction.class, _folderA)
+                    .addParameter(FlowParam.scriptId.toString(), scriptId);
+
+            User readerAonly = createUserInRole(_folderA, ReaderRole.class);
+            assertStatus(HttpServletResponse.SC_NOT_FOUND, get(foreignUrl, readerAonly));
+
+            // Redirect branch: a caller who can read both folders is redirected to B (where its own permissions are
+            // re-enforced) instead of being served B's script from A's context. This is the core vulnerability:
+            // without checkContainer() in EditScriptForm.reset() the action streams B's script from folder A (200).
+            User readerAreaderB = createUserInRole(_folderA, ReaderRole.class);
+            grantRole(readerAreaderB, _folderB, ReaderRole.class);
+            MockHttpServletResponse resp = get(foreignUrl, readerAreaderB);
+            assertStatus(HttpServletResponse.SC_FOUND, resp);
+            String location = resp.getRedirectedUrl();
+            assertNotNull("Redirect must have a Location", location);
+            assertTrue("Redirect should target the script's own container, was: " + location, location.contains(_folderB.getPath()));
+
+            // valid case
+            ActionURL ownUrl = new ActionURL(ScriptController.DownloadAction.class, _folderB)
+                    .addParameter(FlowParam.scriptId.toString(), scriptId);
+            assertStatus(HttpServletResponse.SC_OK, get(ownUrl, _admin));
+        }
+
+        @Test
+        public void testProtocolContainerScoping() throws Exception
+        {
+            // Regression test for FLOW-2. A FlowProtocol is accessed by a global experimentId.
+            // A flow protocol that lives in folder B.
+            FlowProtocol protocolB = FlowProtocol.ensureForContainer(_admin, _folderB);
+            int experimentId = protocolB.getProtocol().getRowId();
+
+            // EditFCSAnalysisFilter is an UpdatePermission action; dispatch it against folder A while pointing
+            // experimentId at B's protocol -- the FLOW-2 attack shape (editor in A reaching a protocol in B).
+            ActionURL foreignUrl = new ActionURL(ProtocolController.EditFCSAnalysisFilterAction.class, _folderA)
+                    .addParameter(FlowParam.experimentId.toString(), experimentId);
+
+            User editorAonly = createUserInRole(_folderA, EditorRole.class);
+            assertStatus(HttpServletResponse.SC_NOT_FOUND, get(foreignUrl, editorAonly));
+
+            // Redirect branch: a caller who can edit folder A and read folder B is redirected to B (where its own
+            // permissions are re-enforced) instead of operating on B's protocol from A's context. This is the core
+            // vulnerability: without checkContainer() in fromURL() the action proceeds in folder A (HTTP 200).
+            User editorAreaderB = createUserInRole(_folderA, EditorRole.class);
+            grantRole(editorAreaderB, _folderB, ReaderRole.class);
+            MockHttpServletResponse resp = get(foreignUrl, editorAreaderB);
+            assertStatus(HttpServletResponse.SC_FOUND, resp);
+            String location = resp.getRedirectedUrl();
+            assertNotNull("Redirect must have a Location", location);
+            assertTrue("Redirect should target the protocol's own container, was: " + location, location.contains(_folderB.getPath()));
+
+            // valid case
+            ActionURL ownUrl = new ActionURL(ProtocolController.EditFCSAnalysisFilterAction.class, _folderB)
+                    .addParameter(FlowParam.experimentId.toString(), experimentId);
+            assertStatus(HttpServletResponse.SC_OK, get(ownUrl, _admin));
+        }
+
+        @Test
+        public void testExportAnalysisContainerScoping() throws Exception
+        {
+            // Regression test for FLOW-3 RunController.ExportAnalysis resolves
+            // URL supplied runId/wellId via the global FlowRun.
+            ExpData data = ExperimentService.get().createData(_folderB, FlowDataType.FCSFile, "scope-test-well");
+            URI dataFileURI = new URI("file:///attributes.flowdata.xml");
+            data.setDataFileURI(dataFileURI);
+            data.save(_admin);
+            AttributeSet attrs = new AttributeSet(ObjectType.fcsKeywords, dataFileURI);
+            attrs.setKeyword("keyword1", "value1");
+            AttributeSetHelper.save(attrs, _admin, data);
+            int wellId = data.getRowId();
+
+            // Point wellId at B's well while dispatching the export against folder A -- the FLOW-3 attack shape.
+            ActionURL foreignUrl = new ActionURL(RunController.ExportAnalysis.class, _folderA)
+                    .addParameter(FlowParam.wellId.toString(), wellId);
+
+            // Deny branch: a caller who can read folder A but has no rights in folder B must not learn B's well exists,
+            // nor export it -> 404.
+            User readerAonly = createUserInRole(_folderA, ReaderRole.class);
+            assertStatus(HttpServletResponse.SC_NOT_FOUND, post(foreignUrl, readerAonly));
+
+            // Redirect branch: a caller who can read both folders is redirected to B (where its own permissions are
+            // re-enforced) instead of having B's well exported from A's context. This is the core vulnerability: without
+            // checkContainer() in validateCommand() the action exports B's well from folder A.
+            User readerAreaderB = createUserInRole(_folderA, ReaderRole.class);
+            grantRole(readerAreaderB, _folderB, ReaderRole.class);
+            MockHttpServletResponse resp = post(foreignUrl, readerAreaderB);
+            assertStatus(HttpServletResponse.SC_FOUND, resp);
+            String location = resp.getRedirectedUrl();
+            assertNotNull("Redirect must have a Location", location);
+            assertTrue("Redirect should target the well's own container, was: " + location, location.contains(_folderB.getPath()));
+
+            ActionURL ownUrl = new ActionURL(RunController.ExportAnalysis.class, _folderB)
+                    .addParameter(FlowParam.wellId.toString(), wellId);
+            assertStatus(HttpServletResponse.SC_OK, post(ownUrl, _admin));
+        }
+
+        @Test
+        public void testRunDownloadContainerScoping() throws Exception
+        {
+            // Regression test for FLOW-4. RunController.DownloadAction (and
+            // DownloadAttachmentAction) resolve a run via RunForm.getRun() -> FlowRun.fromRunId() from a global runId
+            FlowProtocol protocolB = FlowProtocol.ensureForContainer(_admin, _folderB);
+            ExpRun expRun = ExperimentService.get().createExperimentRun(_folderB, "scope-test-run");
+            expRun.setProtocol(protocolB.getProtocol());
+            expRun.save(_admin);
+            int runId = expRun.getRowId();
+
+            ActionURL foreignUrl = new ActionURL(RunController.DownloadAction.class, _folderA)
+                    .addParameter(FlowParam.runId.toString(), runId);
+
+            User readerAonly = createUserInRole(_folderA, ReaderRole.class);
+            assertStatus(HttpServletResponse.SC_NOT_FOUND, get(foreignUrl, readerAonly));
+
+            // Redirect branch: a caller who can read both folders is redirected to B (where its own permissions are
+            // re-enforced) instead of having B's run streamed from A's context. This is the core vulnerability: without
+            // checkContainer() in DownloadAction.validate() the action streams B's run from folder A.
+            User readerAreaderB = createUserInRole(_folderA, ReaderRole.class);
+            grantRole(readerAreaderB, _folderB, ReaderRole.class);
+            MockHttpServletResponse resp = get(foreignUrl, readerAreaderB);
+            assertStatus(HttpServletResponse.SC_FOUND, resp);
+            String location = resp.getRedirectedUrl();
+            assertNotNull("Redirect must have a Location", location);
+            assertTrue("Redirect should target the run's own container, was: " + location, location.contains(_folderB.getPath()));
+
+            ActionURL ownUrl = new ActionURL(RunController.DownloadAction.class, _folderB)
+                    .addParameter(FlowParam.runId.toString(), runId);
+            assertStatus(HttpServletResponse.SC_OK, get(ownUrl, _admin));
+        }
+    }
 }

From fe53b58347ed7bfddd3ee6c3c8911b5ef89f96a5 Mon Sep 17 00:00:00 2001
From: Lum <klum@labkey.com>
Date: Wed, 10 Jun 2026 16:54:52 -0700
Subject: [PATCH 03/11] Container scoping for NAb

---
 .../persist/AbstractContainerScopingTest.java | 146 ------------------
 .../org/labkey/flow/persist/FlowManager.java  |   1 +
 .../org/labkey/nab/NabAssayController.java    |   9 ++
 nab/src/org/labkey/nab/NabManager.java        |  74 +++++++++
 nab/src/org/labkey/nab/NabModule.java         |   7 +
 5 files changed, 91 insertions(+), 146 deletions(-)
 delete mode 100644 flow/src/org/labkey/flow/persist/AbstractContainerScopingTest.java

diff --git a/flow/src/org/labkey/flow/persist/AbstractContainerScopingTest.java b/flow/src/org/labkey/flow/persist/AbstractContainerScopingTest.java
deleted file mode 100644
index 4368acfec7..0000000000
--- a/flow/src/org/labkey/flow/persist/AbstractContainerScopingTest.java
+++ /dev/null
@@ -1,146 +0,0 @@
-package org.labkey.flow.persist;
-
-import org.junit.After;
-import org.junit.Assert;
-import org.labkey.api.data.Container;
-import org.labkey.api.data.ContainerManager;
-import org.labkey.api.security.MutableSecurityPolicy;
-import org.labkey.api.security.SecurityManager;
-import org.labkey.api.security.SecurityPolicyManager;
-import org.labkey.api.security.User;
-import org.labkey.api.security.UserManager;
-import org.labkey.api.security.ValidEmail;
-import org.labkey.api.security.roles.Role;
-import org.labkey.api.util.JunitUtil;
-import org.labkey.api.util.TestContext;
-import org.labkey.api.view.ActionURL;
-import org.labkey.api.view.ViewServlet;
-import org.springframework.mock.web.MockHttpServletResponse;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-
-/**
- * Base class for "container scoping" (a.k.a. broken-object-level-authorization / BOLA / IDOR) integration tests. These
- * tests verify that an action whose {@code @RequiresPermission} annotation is correct for the current container still
- * rejects an object resolved by a global id that belongs to a <em>different</em> container.
- *
- * <p>The repeated scaffolding lives here so each subclass keeps only its data fixture and the action under test:
- * <ul>
- *   <li>{@link #createContainer(String)} — make a throwaway child of the junit container (auto-cleaned).</li>
- *   <li>{@link #createUserInRole(Container, Class)} — make a user with a role assigned in <em>one</em> folder only
- *       (auto-cleaned). Use this to obtain a caller who is, say, admin in folder A but has no rights in folder B.</li>
- *   <li>{@link #get(ActionURL, User)} / {@link #post(ActionURL, User)} — dispatch an in-JVM request as a given user
- *       and inspect the {@link MockHttpServletResponse} status. Parameters travel on the {@link ActionURL}.</li>
- * </ul>
- *
- * <p>Note: WebDAV verbs (MOVE, PROPPATCH, ...) are not served through {@link ViewServlet} dispatch, so a WebDAV test
- * should still use this class for its container/user fixtures but drive the verb through {@code WebdavServlet} itself.
- */
-public abstract class AbstractContainerScopingTest extends Assert
-{
-    private static final Map<String, Object> FORM_HEADERS = Map.of("Content-Type", "application/x-www-form-urlencoded");
-
-    private final List<Container> _containers = new ArrayList<>();
-    private final List<User> _users = new ArrayList<>();
-
-    /** The site-admin user (from {@link TestContext}) that owns the test fixtures. */
-    protected User getAdmin()
-    {
-        return TestContext.get().getUser();
-    }
-
-    /**
-     * Create a throwaway child container of the junit container, named uniquely per test class, registered for
-     * automatic cleanup. Callers pass a short local name (e.g. "A"/"B"/"Source"); the class name is prepended so two
-     * test classes can both ask for "A" without colliding.
-     */
-    protected Container createContainer(String name)
-    {
-        Container junit = JunitUtil.getTestContainer();
-        Container c = ContainerManager.ensureContainer(junit.getParsedPath().append(getClass().getSimpleName() + "-" + name, true), getAdmin());
-        _containers.add(c);
-        return c;
-    }
-
-    /**
-     * Create a user that has {@code role} assigned in {@code scope} <em>only</em> (it has no rights in any other
-     * container), registered for automatic cleanup. This is the canonical way to build a caller who is privileged in
-     * one folder but not another. Do not use {@code LimitedUser} for this — that grants roles unconditionally in every
-     * container.
-     */
-    protected User createUserInRole(Container scope, Class<? extends Role> role) throws Exception
-    {
-        String email = getClass().getSimpleName().toLowerCase() + "-" + _users.size() + "@containerscoping.test";
-        User user = SecurityManager.addUser(new ValidEmail(email), null).getUser();
-        _users.add(user);
-        grantRole(user, scope, role);
-        return user;
-    }
-
-    /**
-     * Grant {@code role} to an existing {@code user} in {@code scope}, on top of any roles it already holds in that
-     * container. Use this to build a caller with different roles in different folders (e.g. delete rights in a source
-     * folder but only read access in a target folder).
-     */
-    protected void grantRole(User user, Container scope, Class<? extends Role> role) throws Exception
-    {
-        MutableSecurityPolicy policy = new MutableSecurityPolicy(scope.getPolicy());
-        policy.addRoleAssignment(user, role);
-        SecurityPolicyManager.savePolicyForTests(policy, getAdmin());
-    }
-
-    /**
-     * Dispatch a GET to the action addressed by {@code url} as {@code user}. Put request parameters on the URL. No
-     * request-body Content-Type is sent: a GET carries no body, and an "application/json" Content-Type would make an
-     * API action ({@code ReadOnlyApiAction}) try to parse the empty body as JSON and fail with 400 before its
-     * {@code execute()} runs. With no Content-Type the form binds from the URL parameters, as a real GET would.
-     */
-    protected MockHttpServletResponse get(ActionURL url, User user) throws Exception
-    {
-        return ViewServlet.GET(url, user, Map.of());
-    }
-
-    /** Dispatch a POST to the action addressed by {@code url} as {@code user}. Put request parameters on the URL. */
-    protected MockHttpServletResponse post(ActionURL url, User user) throws Exception
-    {
-        return ViewServlet.POST(url, user, FORM_HEADERS, null);
-    }
-
-    /** Assert that a dispatched response has the expected HTTP status code. */
-    protected void assertStatus(int expected, MockHttpServletResponse response)
-    {
-        assertEquals("Unexpected HTTP status", expected, response.getStatus());
-    }
-
-    @After
-    public void cleanupContainerScopingFixtures()
-    {
-        User admin = getAdmin();
-
-        for (User user : _users)
-        {
-            try
-            {
-                UserManager.deleteUser(user.getUserId());
-            }
-            catch (Exception ignored)
-            {
-            }
-        }
-        _users.clear();
-
-        for (Container c : _containers)
-        {
-            try
-            {
-                ContainerManager.deleteAll(c, admin);
-            }
-            catch (Exception ignored)
-            {
-            }
-        }
-        _containers.clear();
-    }
-}
diff --git a/flow/src/org/labkey/flow/persist/FlowManager.java b/flow/src/org/labkey/flow/persist/FlowManager.java
index 1ed647064e..a659d9a3f8 100644
--- a/flow/src/org/labkey/flow/persist/FlowManager.java
+++ b/flow/src/org/labkey/flow/persist/FlowManager.java
@@ -58,6 +58,7 @@
 import org.labkey.api.query.QueryService;
 import org.labkey.api.query.UserSchema;
 import org.labkey.api.security.User;
+import org.labkey.api.security.permissions.AbstractContainerScopingTest;
 import org.labkey.api.security.roles.EditorRole;
 import org.labkey.api.security.roles.ReaderRole;
 import org.labkey.api.util.DateUtil;
diff --git a/nab/src/org/labkey/nab/NabAssayController.java b/nab/src/org/labkey/nab/NabAssayController.java
index 2f70bfdc32..44a971cd5f 100644
--- a/nab/src/org/labkey/nab/NabAssayController.java
+++ b/nab/src/org/labkey/nab/NabAssayController.java
@@ -234,6 +234,11 @@ public ModelAndView getView(RenderAssayForm form, BindException errors) throws E
             {
                 throw new NotFoundException("Run " + form.getRowId() + " does not exist.");
             }
+
+            // GitHub Issue #1892: getExpRun() resolves by global rowId; ensure the run belongs to the current container
+            if (!run.getContainer().equals(getContainer()))
+                throw new NotFoundException("Run " + form.getRowId() + " does not exist.");
+
             File file = getDataHandler(run).getDataFile(run);
             if (file == null)
             {
@@ -449,6 +454,10 @@ public void validateCommand(DeleteRunForm form, Errors errors)
             if (_run == null)
                 throw new NotFoundException("Run " + form.getRowId() + " does not exist.");
 
+            // GitHub Issue #1892: getExpRun() resolves by global rowId; ensure the run belongs to the current container
+            if (!_run.getContainer().equals(getContainer()))
+                throw new NotFoundException("Run " + form.getRowId() + " does not exist.");
+
             if (form.isReupload())
             {
                 _file = getDataHandler(_run).getDataFile(_run);
diff --git a/nab/src/org/labkey/nab/NabManager.java b/nab/src/org/labkey/nab/NabManager.java
index 7e57e87dd9..e2bb45b818 100644
--- a/nab/src/org/labkey/nab/NabManager.java
+++ b/nab/src/org/labkey/nab/NabManager.java
@@ -16,8 +16,11 @@
 
 package org.labkey.nab;
 
+import jakarta.servlet.http.HttpServletResponse;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.junit.Before;
+import org.junit.Test;
 import org.labkey.api.assay.AssayService;
 import org.labkey.api.data.ColumnInfo;
 import org.labkey.api.data.Container;
@@ -38,6 +41,10 @@
 import org.labkey.api.query.FieldKey;
 import org.labkey.api.query.QueryService;
 import org.labkey.api.security.User;
+import org.labkey.api.security.permissions.AbstractContainerScopingTest;
+import org.labkey.api.security.roles.EditorRole;
+import org.labkey.api.security.roles.ReaderRole;
+import org.labkey.api.view.ActionURL;
 import org.labkey.api.study.Dataset;
 import org.labkey.api.study.Study;
 import org.labkey.api.study.StudyService;
@@ -45,6 +52,7 @@
 import org.labkey.api.util.Pair;
 import org.labkey.nab.query.NabProtocolSchema;
 import org.labkey.nab.query.NabRunDataTable;
+import org.springframework.mock.web.MockHttpServletResponse;
 
 import java.sql.SQLException;
 import java.util.Collection;
@@ -206,4 +214,70 @@ public void getDataPropertiesFromNabRunData(NabRunDataTable nabRunDataTable, Str
             throw new RuntimeSQLException(e);
         }
     }
+
+    public static class ContainerScopingTestCase extends AbstractContainerScopingTest
+    {
+        private Container _folderA;
+        private Container _folderB;
+        private User _admin;
+
+        @Before
+        public void setup()
+        {
+            _admin = getAdmin();
+            _folderA = createContainer("A");
+            _folderB = createContainer("B");
+        }
+
+        @Test
+        public void testDeleteRunContainerScoping() throws Exception
+        {
+            // Regression test for NAB-1. NabAssayController.DeleteRunAction resolves a
+            // run via ExperimentService.getExpRun(rowId) from a global rowId and then deletes it.
+            ExpProtocol protocol = ExperimentService.get().ensureSampleDerivationProtocol(_admin);
+            ExpRun run = ExperimentService.get().createExperimentRun(_folderB, "scope-test-run");
+            run.setProtocol(protocol);
+            run.save(_admin);
+            int rowId = run.getRowId();
+
+            ActionURL foreignUrl = new ActionURL(NabAssayController.DeleteRunAction.class, _folderA)
+                    .addParameter("rowId", rowId);
+
+            User deleterAonly = createUserInRole(_folderA, EditorRole.class);
+            assertStatus(HttpServletResponse.SC_NOT_FOUND, post(foreignUrl, deleterAonly));
+            assertNotNull("Foreign-container run must not be deleted", ExperimentService.get().getExpRun(rowId));
+
+            ActionURL ownUrl = new ActionURL(NabAssayController.DeleteRunAction.class, _folderB)
+                    .addParameter("rowId", rowId);
+            assertStatus(HttpServletResponse.SC_FOUND, post(ownUrl, _admin));
+            assertNull("Run should have been deleted from its own container", ExperimentService.get().getExpRun(rowId));
+        }
+
+        @Test
+        public void testDownloadDatafileContainerScoping() throws Exception
+        {
+            // Regression test for NAB-2. NabAssayController.DownloadDatafileAction resolves a run via
+            // ExperimentService.getExpRun(rowId) from a global rowId
+            ExpProtocol protocol = ExperimentService.get().ensureSampleDerivationProtocol(_admin);
+            ExpRun run = ExperimentService.get().createExperimentRun(_folderB, "scope-test-download-run");
+            run.setProtocol(protocol);
+            run.save(_admin);
+            int rowId = run.getRowId();
+
+            User readerAonly = createUserInRole(_folderA, ReaderRole.class);
+            ActionURL foreignUrl = new ActionURL(NabAssayController.DownloadDatafileAction.class, _folderA)
+                    .addParameter("rowId", rowId);
+            MockHttpServletResponse foreignResponse = get(foreignUrl, readerAonly);
+            assertStatus(HttpServletResponse.SC_NOT_FOUND, foreignResponse);
+            assertTrue("Foreign-container download must be rejected by the container check",
+                    foreignResponse.getContentAsString().contains("does not exist"));
+
+            ActionURL ownUrl = new ActionURL(NabAssayController.DownloadDatafileAction.class, _folderB)
+                    .addParameter("rowId", rowId);
+            MockHttpServletResponse ownResponse = get(ownUrl, _admin);
+            assertStatus(HttpServletResponse.SC_NOT_FOUND, ownResponse);
+            assertTrue("Same-container request should advance past the container check to the data handler",
+                    ownResponse.getContentAsString().contains("is not a NAb run"));
+        }
+    }
 }
diff --git a/nab/src/org/labkey/nab/NabModule.java b/nab/src/org/labkey/nab/NabModule.java
index 6f9d220b24..9917fc6697 100644
--- a/nab/src/org/labkey/nab/NabModule.java
+++ b/nab/src/org/labkey/nab/NabModule.java
@@ -122,4 +122,11 @@ public Set<Class> getUnitTests()
     {
         return Set.of(PlateParserTests.class);
     }
+
+    @NotNull
+    @Override
+    public Set<Class> getIntegrationTests()
+    {
+        return Set.of(NabManager.ContainerScopingTestCase.class);
+    }
 }

From f251ba780057434735d4a2674655e390ecef3c45 Mon Sep 17 00:00:00 2001
From: Lum <klum@labkey.com>
Date: Thu, 11 Jun 2026 16:32:52 -0700
Subject: [PATCH 04/11] Container scoping for NAb including automation

---
 .../editscript/EditScriptForm.java            |  1 +
 .../flow/controllers/run/RunController.java   |  4 +
 .../org/labkey/flow/data/FlowProtocol.java    |  1 +
 .../org/labkey/flow/persist/FlowManager.java  | 30 ++------
 .../org/labkey/nab/NabAssayController.java    | 29 ++++++++
 nab/src/org/labkey/nab/NabManager.java        | 74 -------------------
 nab/src/org/labkey/nab/NabModule.java         |  7 --
 7 files changed, 40 insertions(+), 106 deletions(-)

diff --git a/flow/src/org/labkey/flow/controllers/editscript/EditScriptForm.java b/flow/src/org/labkey/flow/controllers/editscript/EditScriptForm.java
index cf9cb49bbd..cde1ea674e 100644
--- a/flow/src/org/labkey/flow/controllers/editscript/EditScriptForm.java
+++ b/flow/src/org/labkey/flow/controllers/editscript/EditScriptForm.java
@@ -97,6 +97,7 @@ public void reset()
             {
                 throw new NotFoundException("scriptId not found: " + scriptIdStr);
             }
+            // GitHub Issue #1892: validate container
             flowObject.checkContainer(getContainer(), getUser(), url);
             _runCount = flowObject.getRunCount();
             step = FlowProtocolStep.fromRequest(getRequest());
diff --git a/flow/src/org/labkey/flow/controllers/run/RunController.java b/flow/src/org/labkey/flow/controllers/run/RunController.java
index d1b2c9090e..7a90149d16 100644
--- a/flow/src/org/labkey/flow/controllers/run/RunController.java
+++ b/flow/src/org/labkey/flow/controllers/run/RunController.java
@@ -232,6 +232,7 @@ public void validate(DownloadRunForm form, BindException errors)
                 errors.reject(ERROR_MSG, "run not found");
                 return;
             }
+            // GitHub Issue #1892: validate container
             _run.checkContainer(getContainer(), getUser(), getActionURL());
 
             FlowWell[] wells = _run.getWells(true);
@@ -465,6 +466,7 @@ else if (form.getSendTo() == ExportAnalysisForm.SendTo.Script)
                     if (run == null)
                         throw new NotFoundException("Flow run not found");
 
+                    // GitHub Issue #1892: validate container
                     run.checkContainer(getContainer(), getUser(), getActionURL());
                     runs.add(run);
                 }
@@ -479,6 +481,7 @@ else if (wellId != null && wellId.length > 0)
                     if (well == null)
                         throw new NotFoundException("Flow well not found");
 
+                    // GitHub Issue #1892: validate container
                     well.checkContainer(getContainer(), getUser(), getActionURL());
                     wells.add(well);
                 }
@@ -944,6 +947,7 @@ public static class DownloadAttachmentAction extends BaseDownloadAction<Attachme
             {
                 throw new NotFoundException();
             }
+            // GitHub Issue #1892: validate container
             run.checkContainer(getContainer(), getUser(), getViewContext().getActionURL());
 
             return new Pair<>(new ExpRunAttachmentParent(run.getExperimentRun()), form.getName());
diff --git a/flow/src/org/labkey/flow/data/FlowProtocol.java b/flow/src/org/labkey/flow/data/FlowProtocol.java
index 7cb03fbac6..c34c860c97 100644
--- a/flow/src/org/labkey/flow/data/FlowProtocol.java
+++ b/flow/src/org/labkey/flow/data/FlowProtocol.java
@@ -161,6 +161,7 @@ static public FlowProtocol fromURL(User user, ViewContext context, HttpServletRe
         if (ret == null)
             return null;
 
+        // GitHub Issue #1892: validate container
         ret.checkContainer(context.getContainer(), user, url);
         if (!ret.getContainer().hasPermission(user, ReadPermission.class))
         {
diff --git a/flow/src/org/labkey/flow/persist/FlowManager.java b/flow/src/org/labkey/flow/persist/FlowManager.java
index a659d9a3f8..d8451d818f 100644
--- a/flow/src/org/labkey/flow/persist/FlowManager.java
+++ b/flow/src/org/labkey/flow/persist/FlowManager.java
@@ -1835,22 +1835,17 @@ public void setup()
         @Test
         public void testScriptContainerScoping() throws Exception
         {
-            // A flow script that lives in folder B.
+            // GitHub Issue #1892: Regression test for FLOW-1.
             FlowScript script = FlowScript.create(_admin, _folderB, "scope-test",
                     "<script xmlns=\"http://www.labkey.org/data/xml/flowScript\"/>");
             int scriptId = script.getScriptId();
 
-            // DownloadAction resolves the script through EditScriptForm; dispatch it against folder A while pointing
-            // scriptId at B's script -- the FLOW-1 attack shape (reaching a script that lives in another folder).
             ActionURL foreignUrl = new ActionURL(ScriptController.DownloadAction.class, _folderA)
                     .addParameter(FlowParam.scriptId.toString(), scriptId);
 
             User readerAonly = createUserInRole(_folderA, ReaderRole.class);
             assertStatus(HttpServletResponse.SC_NOT_FOUND, get(foreignUrl, readerAonly));
 
-            // Redirect branch: a caller who can read both folders is redirected to B (where its own permissions are
-            // re-enforced) instead of being served B's script from A's context. This is the core vulnerability:
-            // without checkContainer() in EditScriptForm.reset() the action streams B's script from folder A (200).
             User readerAreaderB = createUserInRole(_folderA, ReaderRole.class);
             grantRole(readerAreaderB, _folderB, ReaderRole.class);
             MockHttpServletResponse resp = get(foreignUrl, readerAreaderB);
@@ -1868,22 +1863,16 @@ public void testScriptContainerScoping() throws Exception
         @Test
         public void testProtocolContainerScoping() throws Exception
         {
-            // Regression test for FLOW-2. A FlowProtocol is accessed by a global experimentId.
-            // A flow protocol that lives in folder B.
+            // GitHub Issue #1892: Regression test for FLOW-2. A FlowProtocol is accessed by a global experimentId.
             FlowProtocol protocolB = FlowProtocol.ensureForContainer(_admin, _folderB);
             int experimentId = protocolB.getProtocol().getRowId();
 
-            // EditFCSAnalysisFilter is an UpdatePermission action; dispatch it against folder A while pointing
-            // experimentId at B's protocol -- the FLOW-2 attack shape (editor in A reaching a protocol in B).
             ActionURL foreignUrl = new ActionURL(ProtocolController.EditFCSAnalysisFilterAction.class, _folderA)
                     .addParameter(FlowParam.experimentId.toString(), experimentId);
 
             User editorAonly = createUserInRole(_folderA, EditorRole.class);
             assertStatus(HttpServletResponse.SC_NOT_FOUND, get(foreignUrl, editorAonly));
 
-            // Redirect branch: a caller who can edit folder A and read folder B is redirected to B (where its own
-            // permissions are re-enforced) instead of operating on B's protocol from A's context. This is the core
-            // vulnerability: without checkContainer() in fromURL() the action proceeds in folder A (HTTP 200).
             User editorAreaderB = createUserInRole(_folderA, EditorRole.class);
             grantRole(editorAreaderB, _folderB, ReaderRole.class);
             MockHttpServletResponse resp = get(foreignUrl, editorAreaderB);
@@ -1901,7 +1890,7 @@ public void testProtocolContainerScoping() throws Exception
         @Test
         public void testExportAnalysisContainerScoping() throws Exception
         {
-            // Regression test for FLOW-3 RunController.ExportAnalysis resolves
+            // GitHub Issue #1892: Regression test for FLOW-3. RunController.ExportAnalysis resolves
             // URL supplied runId/wellId via the global FlowRun.
             ExpData data = ExperimentService.get().createData(_folderB, FlowDataType.FCSFile, "scope-test-well");
             URI dataFileURI = new URI("file:///attributes.flowdata.xml");
@@ -1912,18 +1901,12 @@ public void testExportAnalysisContainerScoping() throws Exception
             AttributeSetHelper.save(attrs, _admin, data);
             int wellId = data.getRowId();
 
-            // Point wellId at B's well while dispatching the export against folder A -- the FLOW-3 attack shape.
             ActionURL foreignUrl = new ActionURL(RunController.ExportAnalysis.class, _folderA)
                     .addParameter(FlowParam.wellId.toString(), wellId);
 
-            // Deny branch: a caller who can read folder A but has no rights in folder B must not learn B's well exists,
-            // nor export it -> 404.
             User readerAonly = createUserInRole(_folderA, ReaderRole.class);
             assertStatus(HttpServletResponse.SC_NOT_FOUND, post(foreignUrl, readerAonly));
 
-            // Redirect branch: a caller who can read both folders is redirected to B (where its own permissions are
-            // re-enforced) instead of having B's well exported from A's context. This is the core vulnerability: without
-            // checkContainer() in validateCommand() the action exports B's well from folder A.
             User readerAreaderB = createUserInRole(_folderA, ReaderRole.class);
             grantRole(readerAreaderB, _folderB, ReaderRole.class);
             MockHttpServletResponse resp = post(foreignUrl, readerAreaderB);
@@ -1940,8 +1923,8 @@ public void testExportAnalysisContainerScoping() throws Exception
         @Test
         public void testRunDownloadContainerScoping() throws Exception
         {
-            // Regression test for FLOW-4. RunController.DownloadAction (and
-            // DownloadAttachmentAction) resolve a run via RunForm.getRun() -> FlowRun.fromRunId() from a global runId
+            // GitHub Issue #1892: Regression test for FLOW-4. RunController.DownloadAction (and
+            // DownloadAttachmentAction) resolve a run via RunForm.getRun() -> FlowRun.fromRunId() from a global runId.
             FlowProtocol protocolB = FlowProtocol.ensureForContainer(_admin, _folderB);
             ExpRun expRun = ExperimentService.get().createExperimentRun(_folderB, "scope-test-run");
             expRun.setProtocol(protocolB.getProtocol());
@@ -1954,9 +1937,6 @@ public void testRunDownloadContainerScoping() throws Exception
             User readerAonly = createUserInRole(_folderA, ReaderRole.class);
             assertStatus(HttpServletResponse.SC_NOT_FOUND, get(foreignUrl, readerAonly));
 
-            // Redirect branch: a caller who can read both folders is redirected to B (where its own permissions are
-            // re-enforced) instead of having B's run streamed from A's context. This is the core vulnerability: without
-            // checkContainer() in DownloadAction.validate() the action streams B's run from folder A.
             User readerAreaderB = createUserInRole(_folderA, ReaderRole.class);
             grantRole(readerAreaderB, _folderB, ReaderRole.class);
             MockHttpServletResponse resp = get(foreignUrl, readerAreaderB);
diff --git a/nab/src/org/labkey/nab/NabAssayController.java b/nab/src/org/labkey/nab/NabAssayController.java
index 44a971cd5f..ecef86455e 100644
--- a/nab/src/org/labkey/nab/NabAssayController.java
+++ b/nab/src/org/labkey/nab/NabAssayController.java
@@ -401,9 +401,33 @@ public ActionURL getGraphRenderURL()
         }
     }
 
+    private static void _verifyObjectIdsReadable(User user, int[] ids)
+    {
+        if (ids == null)
+            return;
+
+        // GitHub Issue #1892: (NAB-9) The object ids come straight from the request and getDilutionSummaries() resolves them to runs
+        // via a global, cross-container lookup.
+        for (int id : ids)
+        {
+            ExpRun run = NabManager.get().getNAbRunByObjectId(id);
+            if (run == null)
+                throw new NotFoundException("One or more requested specimens do not exist.");
+            if (run.getContainer().hasPermission(user, ReadPermission.class))
+                continue;
+            throw new NotFoundException("One or more requested specimens do not exist.");
+        }
+    }
+
     @RequiresPermission(ReadPermission.class)
     public static class NabGraphSelectedAction extends GraphSelectedAction<GraphSelectedForm>
     {
+        @Override
+        protected void verifyObjectIdsReadable(int[] ids)
+        {
+            _verifyObjectIdsReadable(getUser(), ids);
+        }
+
         @Override
         protected GraphSelectedBean createSelectionBean(ViewContext context, ExpProtocol protocol, int[] cutoffs, int[] dataObjectIds, String caption, String title)
         {
@@ -493,6 +517,11 @@ public URLHelper getSuccessURL(DeleteRunForm form)
     @ContextualRoles(RunDatasetContextualRoles.class)
     public static class NabMultiGraphAction extends MultiGraphAction<GraphSelectedForm>
     {
+        @Override
+        protected void verifyObjectIdsReadable(int[] ids)
+        {
+            _verifyObjectIdsReadable(getUser(), ids);
+        }
     }
 
     @RequiresPermission(ReadPermission.class)
diff --git a/nab/src/org/labkey/nab/NabManager.java b/nab/src/org/labkey/nab/NabManager.java
index e2bb45b818..7e57e87dd9 100644
--- a/nab/src/org/labkey/nab/NabManager.java
+++ b/nab/src/org/labkey/nab/NabManager.java
@@ -16,11 +16,8 @@
 
 package org.labkey.nab;
 
-import jakarta.servlet.http.HttpServletResponse;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.junit.Before;
-import org.junit.Test;
 import org.labkey.api.assay.AssayService;
 import org.labkey.api.data.ColumnInfo;
 import org.labkey.api.data.Container;
@@ -41,10 +38,6 @@
 import org.labkey.api.query.FieldKey;
 import org.labkey.api.query.QueryService;
 import org.labkey.api.security.User;
-import org.labkey.api.security.permissions.AbstractContainerScopingTest;
-import org.labkey.api.security.roles.EditorRole;
-import org.labkey.api.security.roles.ReaderRole;
-import org.labkey.api.view.ActionURL;
 import org.labkey.api.study.Dataset;
 import org.labkey.api.study.Study;
 import org.labkey.api.study.StudyService;
@@ -52,7 +45,6 @@
 import org.labkey.api.util.Pair;
 import org.labkey.nab.query.NabProtocolSchema;
 import org.labkey.nab.query.NabRunDataTable;
-import org.springframework.mock.web.MockHttpServletResponse;
 
 import java.sql.SQLException;
 import java.util.Collection;
@@ -214,70 +206,4 @@ public void getDataPropertiesFromNabRunData(NabRunDataTable nabRunDataTable, Str
             throw new RuntimeSQLException(e);
         }
     }
-
-    public static class ContainerScopingTestCase extends AbstractContainerScopingTest
-    {
-        private Container _folderA;
-        private Container _folderB;
-        private User _admin;
-
-        @Before
-        public void setup()
-        {
-            _admin = getAdmin();
-            _folderA = createContainer("A");
-            _folderB = createContainer("B");
-        }
-
-        @Test
-        public void testDeleteRunContainerScoping() throws Exception
-        {
-            // Regression test for NAB-1. NabAssayController.DeleteRunAction resolves a
-            // run via ExperimentService.getExpRun(rowId) from a global rowId and then deletes it.
-            ExpProtocol protocol = ExperimentService.get().ensureSampleDerivationProtocol(_admin);
-            ExpRun run = ExperimentService.get().createExperimentRun(_folderB, "scope-test-run");
-            run.setProtocol(protocol);
-            run.save(_admin);
-            int rowId = run.getRowId();
-
-            ActionURL foreignUrl = new ActionURL(NabAssayController.DeleteRunAction.class, _folderA)
-                    .addParameter("rowId", rowId);
-
-            User deleterAonly = createUserInRole(_folderA, EditorRole.class);
-            assertStatus(HttpServletResponse.SC_NOT_FOUND, post(foreignUrl, deleterAonly));
-            assertNotNull("Foreign-container run must not be deleted", ExperimentService.get().getExpRun(rowId));
-
-            ActionURL ownUrl = new ActionURL(NabAssayController.DeleteRunAction.class, _folderB)
-                    .addParameter("rowId", rowId);
-            assertStatus(HttpServletResponse.SC_FOUND, post(ownUrl, _admin));
-            assertNull("Run should have been deleted from its own container", ExperimentService.get().getExpRun(rowId));
-        }
-
-        @Test
-        public void testDownloadDatafileContainerScoping() throws Exception
-        {
-            // Regression test for NAB-2. NabAssayController.DownloadDatafileAction resolves a run via
-            // ExperimentService.getExpRun(rowId) from a global rowId
-            ExpProtocol protocol = ExperimentService.get().ensureSampleDerivationProtocol(_admin);
-            ExpRun run = ExperimentService.get().createExperimentRun(_folderB, "scope-test-download-run");
-            run.setProtocol(protocol);
-            run.save(_admin);
-            int rowId = run.getRowId();
-
-            User readerAonly = createUserInRole(_folderA, ReaderRole.class);
-            ActionURL foreignUrl = new ActionURL(NabAssayController.DownloadDatafileAction.class, _folderA)
-                    .addParameter("rowId", rowId);
-            MockHttpServletResponse foreignResponse = get(foreignUrl, readerAonly);
-            assertStatus(HttpServletResponse.SC_NOT_FOUND, foreignResponse);
-            assertTrue("Foreign-container download must be rejected by the container check",
-                    foreignResponse.getContentAsString().contains("does not exist"));
-
-            ActionURL ownUrl = new ActionURL(NabAssayController.DownloadDatafileAction.class, _folderB)
-                    .addParameter("rowId", rowId);
-            MockHttpServletResponse ownResponse = get(ownUrl, _admin);
-            assertStatus(HttpServletResponse.SC_NOT_FOUND, ownResponse);
-            assertTrue("Same-container request should advance past the container check to the data handler",
-                    ownResponse.getContentAsString().contains("is not a NAb run"));
-        }
-    }
 }
diff --git a/nab/src/org/labkey/nab/NabModule.java b/nab/src/org/labkey/nab/NabModule.java
index 9917fc6697..6f9d220b24 100644
--- a/nab/src/org/labkey/nab/NabModule.java
+++ b/nab/src/org/labkey/nab/NabModule.java
@@ -122,11 +122,4 @@ public Set<Class> getUnitTests()
     {
         return Set.of(PlateParserTests.class);
     }
-
-    @NotNull
-    @Override
-    public Set<Class> getIntegrationTests()
-    {
-        return Set.of(NabManager.ContainerScopingTestCase.class);
-    }
 }

From 489bfc61afba5d5d7c16f212241fdbb7b19d0f49 Mon Sep 17 00:00:00 2001
From: lum <klum@labkey.com>
Date: Fri, 12 Jun 2026 10:34:44 -0700
Subject: [PATCH 05/11] Linked to study support for contextual roles

---
 nab/src/org/labkey/nab/NabAssayController.java | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/nab/src/org/labkey/nab/NabAssayController.java b/nab/src/org/labkey/nab/NabAssayController.java
index ecef86455e..969c968d33 100644
--- a/nab/src/org/labkey/nab/NabAssayController.java
+++ b/nab/src/org/labkey/nab/NabAssayController.java
@@ -50,6 +50,7 @@
 import org.labkey.api.assay.dilution.DilutionDataHandler;
 import org.labkey.api.assay.dilution.DilutionDataRow;
 import org.labkey.api.assay.dilution.DilutionManager;
+import org.labkey.api.assay.dilution.query.DilutionProviderSchema;
 import org.labkey.api.assay.dilution.DilutionSummary;
 import org.labkey.api.assay.dilution.WellDataRow;
 import org.labkey.api.assay.nab.Luc5Assay;
@@ -107,6 +108,7 @@
 import org.labkey.api.security.permissions.DeletePermission;
 import org.labkey.api.security.permissions.ReadPermission;
 import org.labkey.api.security.roles.ReaderRole;
+import org.labkey.api.security.roles.Role;
 import org.labkey.api.study.assay.RunDatasetContextualRoles;
 import org.labkey.api.util.HtmlString;
 import org.labkey.api.util.JsonUtil;
@@ -413,8 +415,16 @@ private static void _verifyObjectIdsReadable(User user, int[] ids)
             ExpRun run = NabManager.get().getNAbRunByObjectId(id);
             if (run == null)
                 throw new NotFoundException("One or more requested specimens do not exist.");
-            if (run.getContainer().hasPermission(user, ReadPermission.class))
+
+            Container runContainer = run.getContainer();
+            if (runContainer.hasPermission(user, ReadPermission.class))
+                continue;
+
+            // contextual roles from assay linked to study
+            Set<Role> contextualRoles = RunDatasetContextualRoles.getContextualRolesForRun(runContainer, user, run, FieldKey.fromParts(DilutionProviderSchema.RUN_ID_COLUMN_NAME));
+            if (runContainer.hasPermission(user, ReadPermission.class, contextualRoles))
                 continue;
+
             throw new NotFoundException("One or more requested specimens do not exist.");
         }
     }

From 844321bead901f1f8bdc6805c9c717c9c89733d0 Mon Sep 17 00:00:00 2001
From: labkey-nicka <nickk@labkey.com>
Date: Fri, 12 Jun 2026 10:48:18 -0700
Subject: [PATCH 06/11] Container scope

---
 flow/src/org/labkey/flow/FlowModule.java      |   4 +-
 .../AnalysisScriptController.java             |  73 +++++++++-
 .../flow/controllers/well/WellController.java | 133 ++++++++++++++++--
 3 files changed, 199 insertions(+), 11 deletions(-)

diff --git a/flow/src/org/labkey/flow/FlowModule.java b/flow/src/org/labkey/flow/FlowModule.java
index 64ad66dc75..211007e1f1 100644
--- a/flow/src/org/labkey/flow/FlowModule.java
+++ b/flow/src/org/labkey/flow/FlowModule.java
@@ -343,7 +343,9 @@ public Set<Class> getIntegrationTests()
             FlowProtocol.TestCase.class,
             PersistTests.class,
             FlowManager.TestCase.class,
-            FlowManager.ContainerScopingTestCase.class
+            FlowManager.ContainerScopingTestCase.class,
+            WellController.WellContainerScopingTestCase.class,
+            AnalysisScriptController.AnalysisScriptContainerScopingTestCase.class
         );
     }
 
diff --git a/flow/src/org/labkey/flow/controllers/executescript/AnalysisScriptController.java b/flow/src/org/labkey/flow/controllers/executescript/AnalysisScriptController.java
index 8089be37c2..563620e615 100644
--- a/flow/src/org/labkey/flow/controllers/executescript/AnalysisScriptController.java
+++ b/flow/src/org/labkey/flow/controllers/executescript/AnalysisScriptController.java
@@ -20,8 +20,11 @@
 import org.apache.commons.io.filefilter.IOFileFilter;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
+import org.fhcrc.cpas.flow.script.xml.ScriptDocument;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
+import org.junit.Before;
+import org.junit.Test;
 import org.labkey.api.action.FormViewAction;
 import org.labkey.api.action.SimpleRedirectAction;
 import org.labkey.api.action.SimpleViewAction;
@@ -36,11 +39,16 @@
 import org.labkey.api.pipeline.PipelineUrls;
 import org.labkey.api.pipeline.browse.PipelinePathForm;
 import org.labkey.api.security.RequiresPermission;
+import org.labkey.api.security.User;
+import org.labkey.api.security.permissions.AbstractContainerScopingTest;
 import org.labkey.api.security.permissions.InsertPermission;
 import org.labkey.api.security.permissions.ReadPermission;
 import org.labkey.api.security.permissions.UpdatePermission;
+import org.labkey.api.security.roles.EditorRole;
+import org.labkey.api.security.roles.ReaderRole;
 import org.labkey.api.study.Study;
 import org.labkey.api.study.StudyService;
+import org.labkey.api.test.TestWhen;
 import org.labkey.api.usageMetrics.SimpleMetricsService;
 import org.labkey.api.util.FileUtil;
 import org.labkey.api.util.PageFlowUtil;
@@ -54,6 +62,7 @@
 import org.labkey.api.view.HttpView;
 import org.labkey.api.view.JspView;
 import org.labkey.api.view.NavTree;
+import org.labkey.api.view.NotFoundException;
 import org.labkey.api.view.RedirectException;
 import org.labkey.api.view.ViewBackgroundInfo;
 import org.labkey.api.view.template.PageConfig;
@@ -86,11 +95,14 @@
 import org.labkey.flow.util.SampleUtil;
 import org.labkey.vfs.FileLike;
 import org.labkey.vfs.FileSystemLike;
+import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.validation.BindException;
 import org.springframework.validation.Errors;
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.servlet.ModelAndView;
 
+import jakarta.servlet.http.HttpServletResponse;
+
 import java.io.File;
 import java.io.IOException;
 import java.net.URI;
@@ -185,16 +197,20 @@ protected ModelAndView analyzeRuns(ChooseRunsToAnalyzeForm form, int[] runIds, S
             DataRegionSelection.clearAll(getViewContext());
 
             FlowExperiment experiment = FlowExperiment.fromLSID(experimentLSID);
+            checkContainer(experiment);
             String experimentName = form.ff_analysisName;
             if (experiment != null)
             {
                 experimentName = experiment.getName();
             }
             FlowScript analysis = form.getProtocol();
+            checkContainer(analysis);
             AnalyzeJob job = new AnalyzeJob(getViewBackgroundInfo(), experimentName, experimentLSID, FlowProtocol.ensureForContainer(getUser(), getContainer()), analysis, form.getProtocolStep(), runIds, PipelineService.get().findPipelineRoot(getContainer()));
             if (form.getCompensationMatrixId() != 0)
             {
-                job.setCompensationMatrix(FlowCompensationMatrix.fromCompId(form.getCompensationMatrixId()));
+                FlowCompensationMatrix comp = FlowCompensationMatrix.fromCompId(form.getCompensationMatrixId());
+                checkContainer(comp);
+                job.setCompensationMatrix(comp);
             }
             job.setCompensationExperimentLSID(form.getCompensationExperimentLSID());
             return HttpView.redirect(executeScript(job));
@@ -216,6 +232,7 @@ public class ChooseRunsToAnalyzeAction extends BaseAnalyzeRunsAction
         public ModelAndView getView(ChooseRunsToAnalyzeForm form, BindException errors)
         {
             script = form.getProtocol();
+            checkContainer(script);
             return chooseRunsToAnalyze(form, errors);
         }
     }
@@ -227,12 +244,19 @@ public class AnalyzeSelectedRunsAction extends BaseAnalyzeRunsAction
         public ModelAndView getView(ChooseRunsToAnalyzeForm form, BindException errors) throws Exception
         {
             script = form.getProtocol();
+            checkContainer(script);
             int[] runIds = form.getSelectedRunIds();
             if (runIds.length == 0)
             {
                 errors.reject(ERROR_MSG, "Please select at least one run to analyze.");
                 return chooseRunsToAnalyze(form, errors);
             }
+            for (int runId : runIds)
+            {
+                FlowRun run = FlowRun.fromRunId(runId);
+                if (run == null || !run.getContainer().hasPermission(getUser(), ReadPermission.class))
+                    throw new NotFoundException("Run not found: " + runId);
+            }
             String experimentLSID = form.getAnalysisLSID();
             if (experimentLSID == null)
             {
@@ -1495,4 +1519,51 @@ public void addNavTrail(NavTree root)
             root.addChild(display);
         }
     }
+
+    @TestWhen(TestWhen.When.BVT)
+    public static class AnalysisScriptContainerScopingTestCase extends AbstractContainerScopingTest
+    {
+        private User _admin;
+        private Container _folderA;
+        private Container _folderB;
+        private int _scriptIdB;
+
+        @Before
+        public void setUp() throws Exception
+        {
+            _admin = getAdmin();
+            _folderA = createContainer("A");
+            _folderB = createContainer("B");
+
+            // Pre-create the flow protocol/steps in B so the valid-case ChooseRunsToAnalyzeForm.populate() finds them.
+            FlowProtocol.ensureForContainer(_admin, _folderB);
+
+            // Create a flow analysis script with a single analysis step so populate() has a usable protocol step.
+            ScriptDocument doc = ScriptDocument.Factory.newInstance();
+            doc.addNewScript().addNewAnalysis();
+            _scriptIdB = FlowScript.create(_admin, _folderB, getClass().getSimpleName() + "-" + "scriptB", doc.toString()).getScriptId();
+        }
+
+        // ChooseRunsToAnalyzeForm resolves the analysis script by global rowId; a foreign script must be scoped.
+        @Test
+        public void testAnalysisScriptContainerScoping() throws Exception
+        {
+            ActionURL foreignUrl = new ActionURL(ChooseRunsToAnalyzeAction.class, _folderA).addParameter("scriptId", _scriptIdB);
+
+            User folderAEditor = createUserInRole(_folderA, EditorRole.class);
+            assertStatus(HttpServletResponse.SC_NOT_FOUND, get(foreignUrl, folderAEditor));
+
+            User folderBEditor = createUserInRole(_folderA, EditorRole.class);
+            grantRole(folderBEditor, _folderB, ReaderRole.class);
+            MockHttpServletResponse resp = get(foreignUrl, folderBEditor);
+            assertStatus(HttpServletResponse.SC_FOUND, resp);
+            String location = resp.getRedirectedUrl();
+            assertNotNull("Redirect must have a Location", location);
+            assertTrue("Redirect should target the script's own container, was: " + location, location.contains(_folderB.getPath()));
+
+            // valid case: the script in its own container is accepted (renders the choose-runs wizard).
+            assertStatus(HttpServletResponse.SC_OK,
+                    get(new ActionURL(ChooseRunsToAnalyzeAction.class, _folderB).addParameter("scriptId", _scriptIdB), _admin));
+        }
+    }
 }
diff --git a/flow/src/org/labkey/flow/controllers/well/WellController.java b/flow/src/org/labkey/flow/controllers/well/WellController.java
index a76cb82093..fce017b127 100644
--- a/flow/src/org/labkey/flow/controllers/well/WellController.java
+++ b/flow/src/org/labkey/flow/controllers/well/WellController.java
@@ -20,16 +20,22 @@
 import org.apache.commons.lang3.time.DateUtils;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.LogManager;
+import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
+import org.junit.Before;
+import org.junit.Test;
 import org.labkey.api.action.FormViewAction;
 import org.labkey.api.action.MutatingApiAction;
 import org.labkey.api.action.ReturnUrlForm;
 import org.labkey.api.action.SimpleErrorView;
 import org.labkey.api.action.SimpleViewAction;
+import org.labkey.api.data.Container;
 import org.labkey.api.data.DataRegionSelection;
 import org.labkey.api.data.SQLFragment;
 import org.labkey.api.data.SqlExecutor;
 import org.labkey.api.data.SqlSelector;
+import org.labkey.api.exp.api.ExpData;
+import org.labkey.api.exp.api.ExperimentService;
 import org.labkey.api.jsp.FormPage;
 import org.labkey.api.jsp.JspBase;
 import org.labkey.api.pipeline.PipeRoot;
@@ -38,11 +44,16 @@
 import org.labkey.api.security.ContextualRoles;
 import org.labkey.api.security.RequiresNoPermission;
 import org.labkey.api.security.RequiresPermission;
+import org.labkey.api.security.User;
+import org.labkey.api.security.permissions.AbstractContainerScopingTest;
 import org.labkey.api.security.permissions.AdminPermission;
 import org.labkey.api.security.permissions.ReadPermission;
 import org.labkey.api.security.permissions.UpdatePermission;
+import org.labkey.api.security.roles.ReaderRole;
+import org.labkey.api.test.TestWhen;
 import org.labkey.api.util.ExceptionUtil;
 import org.labkey.api.util.HeartBeat;
+import org.labkey.api.util.JunitUtil;
 import org.labkey.api.util.PageFlowUtil;
 import org.labkey.api.util.Pair;
 import org.labkey.api.util.URIUtil;
@@ -52,6 +63,7 @@
 import org.labkey.api.view.JspView;
 import org.labkey.api.view.NavTree;
 import org.labkey.api.view.NotFoundException;
+import org.labkey.api.view.ViewBackgroundInfo;
 import org.labkey.api.view.ViewContext;
 import org.labkey.flow.analysis.model.FCSHeader;
 import org.labkey.flow.analysis.web.FCSAnalyzer;
@@ -63,16 +75,23 @@
 import org.labkey.flow.controllers.FlowParam;
 import org.labkey.flow.data.FlowCompensationMatrix;
 import org.labkey.flow.data.FlowDataObject;
+import org.labkey.flow.data.FlowDataType;
+import org.labkey.flow.data.FlowFCSFile;
+import org.labkey.flow.data.FlowProtocol;
 import org.labkey.flow.data.FlowProtocolStep;
 import org.labkey.flow.data.FlowRun;
 import org.labkey.flow.data.FlowWell;
 import org.labkey.flow.persist.AttributeCache;
+import org.labkey.flow.persist.AttributeSet;
+import org.labkey.flow.persist.AttributeSetHelper;
 import org.labkey.flow.persist.FlowManager;
 import org.labkey.flow.persist.ObjectType;
 import org.labkey.flow.query.FlowTableType;
 import org.labkey.flow.script.FlowAnalyzer;
+import org.labkey.flow.script.KeywordsJob;
 import org.labkey.flow.util.KeywordUtil;
 import org.labkey.flow.view.GraphColumn;
+import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.validation.BindException;
 import org.springframework.validation.Errors;
 import org.springframework.web.servlet.ModelAndView;
@@ -372,6 +391,19 @@ public void addNavTrail(NavTree root)
         }
     }
 
+    private @NotNull FlowWell checkContainer(ChooseGraphForm form)
+    {
+        FlowWell well = form.getWell();
+        if (well == null)
+            throw new NotFoundException("Well not found");
+
+        checkContainer(well);
+        checkContainer(form.getScript());
+        checkContainer(form.getCompensationMatrix());
+
+        return well;
+    }
+
     @RequiresPermission(ReadPermission.class)
     public class ChooseGraphAction extends SimpleViewAction<ChooseGraphForm>
     {
@@ -380,11 +412,7 @@ public class ChooseGraphAction extends SimpleViewAction<ChooseGraphForm>
         @Override
         public ModelAndView getView(ChooseGraphForm form, BindException errors)
         {
-            _well = form.getWell();
-            if (null == _well)
-            {
-                throw new NotFoundException();
-            }
+            _well = checkContainer(form);
 
             URI fileURI = _well.getFCSURI();
             if (fileURI == null)
@@ -497,10 +525,7 @@ public class GenerateGraphAction extends SimpleViewAction<ChooseGraphForm>
         @Override
         public ModelAndView getView(ChooseGraphForm form, BindException errors) throws IOException
         {
-            FlowWell well = form.getWell();
-            if (well == null)
-                throw new NotFoundException("Well not found");
-
+            checkContainer(form);
             String graph = getParam(FlowParam.graph);
             if (graph == null)
                 throw new NotFoundException("Graph spec required");
@@ -886,4 +911,94 @@ public Object execute(Object o, BindException errors)
             return null;
         }
     }
+
+    @TestWhen(TestWhen.When.BVT)
+    public static class WellContainerScopingTestCase extends AbstractContainerScopingTest
+    {
+        private User _admin;
+        private Container _folderA;
+        private Container _folderB;
+        private int _wellIdA;
+        private int _scriptIdB;
+        private int _compIdB;
+
+        @Before
+        public void setUp() throws Exception
+        {
+            _admin = getAdmin();
+            _folderA = createContainer("A");
+            _folderB = createContainer("B");
+
+            _wellIdA = createFlowDataId(_folderA, FlowDataType.FCSFile, "wellA");
+            _scriptIdB = createFlowDataId(_folderB, FlowDataType.Script, "scriptB");
+            _compIdB = createFlowDataId(_folderB, FlowDataType.CompensationMatrix, "compB");
+        }
+
+        private int createFlowDataId(Container c, FlowDataType type, String name) throws Exception
+        {
+            URI uri = new URI("file:///" + getClass().getSimpleName() + "-" + name + ".flowdata.xml");
+            ExpData data = ExperimentService.get().createData(c, type, getClass().getSimpleName() + "-" + name);
+            data.setDataFileURI(uri);
+            data.save(_admin);
+            // fromWellId/fromCompId resolve via FlowDataObject.fromData(), which returns null unless the data has an
+            // AttrObject (these FlowDataTypes set requireAttrObject). Attach a minimal one so the object resolves.
+            AttributeSetHelper.save(new AttributeSet(type.getObjectType(), uri), _admin, data);
+            return data.getRowId();
+        }
+
+        // A foreign object must be 404 for a caller with no rights to its container, and a 302 redirect to that
+        // container for a caller who can read it.
+        private void assertForeignRejected(ActionURL foreignUrl) throws Exception
+        {
+            User readerAonly = createUserInRole(_folderA, ReaderRole.class);
+            assertStatus(HttpServletResponse.SC_NOT_FOUND, get(foreignUrl, readerAonly));
+
+            User readerAreaderB = createUserInRole(_folderA, ReaderRole.class);
+            grantRole(readerAreaderB, _folderB, ReaderRole.class);
+            MockHttpServletResponse resp = get(foreignUrl, readerAreaderB);
+            assertStatus(HttpServletResponse.SC_FOUND, resp);
+            String location = resp.getRedirectedUrl();
+            assertNotNull("Redirect must have a Location", location);
+            assertTrue("Redirect should target the object's own container, was: " + location, location.contains(_folderB.getPath()));
+        }
+
+        // ChooseGraphForm.getWell() resolves the well by global rowId. The valid case imports a legitimate run, so the
+        // well is backed by a readable FCS file, and the graph actually renders.
+        @Test
+        public void testWellContainerScoping() throws Exception
+        {
+            int foreignWellId = createFlowDataId(_folderB, FlowDataType.FCSFile, "wellB");
+            assertForeignRejected(new ActionURL(GenerateGraphAction.class, _folderA).addParameter("wellId", foreignWellId));
+
+            // valid case: import a real run into B, then render a graph from its well in its own container
+            FlowProtocol protocol = FlowProtocol.ensureForContainer(_admin, _folderB);
+            PipeRoot root = PipelineService.get().findPipelineRoot(_folderB);
+            ViewBackgroundInfo info = new ViewBackgroundInfo(_folderB, _admin, null);
+            File dir = JunitUtil.getSampleData(null, "flow/flowjoquery/microFCS");
+            FlowFCSFile realWell = new KeywordsJob(info, protocol, List.of(dir), null, root).go().get(0).getFCSFiles()[0];
+
+            // Build a graph spec from two of the well's real FCS parameter names.
+            List<String> params = new ArrayList<>(FlowAnalyzer.getParameters(realWell, null).keySet());
+            String graph = "(" + params.get(0) + ":" + params.get(1) + ")";
+            ActionURL ownUrl = new ActionURL(GenerateGraphAction.class, _folderB)
+                    .addParameter("wellId", realWell.getWellId()).addParameter("graph", graph);
+            assertStatus(HttpServletResponse.SC_OK, get(ownUrl, _admin));
+        }
+
+        // ChooseGraphForm.getScript() resolves an analysis script by global rowId; a foreign script must be scoped.
+        @Test
+        public void testScriptContainerScoping() throws Exception
+        {
+            assertForeignRejected(new ActionURL(GenerateGraphAction.class, _folderA)
+                    .addParameter("wellId", _wellIdA).addParameter("scriptId", _scriptIdB));
+        }
+
+        // ChooseGraphForm.getCompensationMatrix() resolves a comp matrix by global rowId; a foreign one must be scoped.
+        @Test
+        public void testCompensationMatrixContainerScoping() throws Exception
+        {
+            assertForeignRejected(new ActionURL(GenerateGraphAction.class, _folderA)
+                    .addParameter("wellId", _wellIdA).addParameter("compId", _compIdB));
+        }
+    }
 }

From 36776b69e66fd961ad279bf7bae82a2541627110 Mon Sep 17 00:00:00 2001
From: cnathe <cnathe@labkey.com>
Date: Fri, 12 Jun 2026 13:27:04 -0500
Subject: [PATCH 07/11] ExperimentService getExpData() helper with container
 check

---
 nab/src/org/labkey/nab/NabAssayController.java | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/nab/src/org/labkey/nab/NabAssayController.java b/nab/src/org/labkey/nab/NabAssayController.java
index 969c968d33..2e1bcbb058 100644
--- a/nab/src/org/labkey/nab/NabAssayController.java
+++ b/nab/src/org/labkey/nab/NabAssayController.java
@@ -231,16 +231,13 @@ public ModelAndView getView(RenderAssayForm form, BindException errors) throws E
             {
                 throw new NotFoundException("No run specified");
             }
-            ExpRun run = ExperimentService.get().getExpRun(form.getRowId());
+            // GitHub Kanban #1892: getExpRun() resolves by global rowId; ensure the run belongs to the current container
+            ExpRun run = ExperimentService.get().getExpRun(form.getRowId(), getContainer());
             if (run == null)
             {
                 throw new NotFoundException("Run " + form.getRowId() + " does not exist.");
             }
 
-            // GitHub Issue #1892: getExpRun() resolves by global rowId; ensure the run belongs to the current container
-            if (!run.getContainer().equals(getContainer()))
-                throw new NotFoundException("Run " + form.getRowId() + " does not exist.");
-
             File file = getDataHandler(run).getDataFile(run);
             if (file == null)
             {
@@ -408,7 +405,7 @@ private static void _verifyObjectIdsReadable(User user, int[] ids)
         if (ids == null)
             return;
 
-        // GitHub Issue #1892: (NAB-9) The object ids come straight from the request and getDilutionSummaries() resolves them to runs
+        // GitHub Kanban #1892: (NAB-9) The object ids come straight from the request and getDilutionSummaries() resolves them to runs
         // via a global, cross-container lookup.
         for (int id : ids)
         {
@@ -484,14 +481,11 @@ public void validateCommand(DeleteRunForm form, Errors errors)
             {
                 throw new NotFoundException("No run specified");
             }
-            _run = ExperimentService.get().getExpRun(form.getRowId());
+            // GitHub Kanban #1892: getExpRun() resolves by global rowId; ensure the run belongs to the current container
+            _run = ExperimentService.get().getExpRun(form.getRowId(), getContainer());
             if (_run == null)
                 throw new NotFoundException("Run " + form.getRowId() + " does not exist.");
 
-            // GitHub Issue #1892: getExpRun() resolves by global rowId; ensure the run belongs to the current container
-            if (!_run.getContainer().equals(getContainer()))
-                throw new NotFoundException("Run " + form.getRowId() + " does not exist.");
-
             if (form.isReupload())
             {
                 _file = getDataHandler(_run).getDataFile(_run);

From 89099de8413415d8db7db34e1bf4c3e693d65d35 Mon Sep 17 00:00:00 2001
From: cnathe <cnathe@labkey.com>
Date: Fri, 12 Jun 2026 13:29:06 -0500
Subject: [PATCH 08/11] Nab action container scoping

---
 nab/src/org/labkey/nab/NabAssayController.java | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/nab/src/org/labkey/nab/NabAssayController.java b/nab/src/org/labkey/nab/NabAssayController.java
index 2e1bcbb058..00b0612c5c 100644
--- a/nab/src/org/labkey/nab/NabAssayController.java
+++ b/nab/src/org/labkey/nab/NabAssayController.java
@@ -837,7 +837,8 @@ public ModelAndView getView(NabQCForm form, BindException errors)
             if (!getContainer().hasPermission(getUser(), AdminPermission.class))
                 form.setEdit(false);
 
-            ExpRun run = ExperimentService.get().getExpRun(form.getRowId());
+            // GitHub Kanban #1892: Resolve the run scoped to the current container
+            ExpRun run = ExperimentService.get().getExpRun(form.getRowId(), getContainer());
             if (run == null)
             {
                 throw new NotFoundException("Run " + form.getRowId() + " does not exist.");
@@ -879,7 +880,8 @@ public class GetQCControlInfoAction extends ReadOnlyApiAction<NabQCForm>
         public ApiResponse execute(NabQCForm form, BindException errors) throws Exception
         {
             ApiSimpleResponse response = new ApiSimpleResponse();
-            ExpRun run = ExperimentService.get().getExpRun(form.getRowId());
+            // GitHub Kanban #1892: Resolve the run scoped to the current container
+            ExpRun run = ExperimentService.get().getExpRun(form.getRowId(), getContainer());
             if (run == null)
             {
                 throw new NotFoundException("Run " + form.getRowId() + " does not exist.");
@@ -1078,7 +1080,8 @@ public class SaveQCControlInfoAction extends MutatingApiAction<QCControlInfo>
         @Override
         public void validateForm(QCControlInfo form, Errors errors)
         {
-            _run = ExperimentService.get().getExpRun(form.getRunId());
+            // GitHub Kanban #1892: Resolve the run scoped to the current container
+            _run = ExperimentService.get().getExpRun(form.getRunId(), getContainer());
             if (_run == null)
             {
                 errors.reject(ERROR_MSG, "NAb Run " + form.getRunId() + " does not exist.");
@@ -1306,7 +1309,8 @@ public static class GetExcludedWellsAction extends ReadOnlyApiAction<RenderAssay
         public ApiResponse execute(RenderAssayBean form, BindException errors)
         {
             ApiSimpleResponse response = new ApiSimpleResponse();
-            ExpRun run = ExperimentService.get().getExpRun(form.getRowId());
+            // GitHub Kanban #1892: Resolve the run scoped to the current container
+            ExpRun run = ExperimentService.get().getExpRun(form.getRowId(), getContainer());
             if (run != null)
             {
                 List<WellExclusion> exclusions = new ArrayList<>();
@@ -1381,7 +1385,7 @@ public ApiResponse execute(RenderAssayBean form, BindException errors)
             }
             else
             {
-                errors.reject(ERROR_MSG, "NAb Run " + form.getRunId() + " does not exist.");
+                errors.reject(ERROR_MSG, "NAb Run " + form.getRowId() + " does not exist.");
             }
             return response;
         }

From c6703246212f12aa0855ade9a88a83db73073820 Mon Sep 17 00:00:00 2001
From: cnathe <cnathe@labkey.com>
Date: Fri, 12 Jun 2026 13:31:08 -0500
Subject: [PATCH 09/11] Elispot action container scoping

---
 .../src/org/labkey/elispot/ElispotController.java      | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/elispotassay/src/org/labkey/elispot/ElispotController.java b/elispotassay/src/org/labkey/elispot/ElispotController.java
index 3c357b789e..888a37b528 100644
--- a/elispotassay/src/org/labkey/elispot/ElispotController.java
+++ b/elispotassay/src/org/labkey/elispot/ElispotController.java
@@ -16,6 +16,7 @@
 
 package org.labkey.elispot;
 
+import org.apache.commons.lang3.math.NumberUtils;
 import org.jetbrains.annotations.Nullable;
 import org.json.JSONArray;
 import org.json.JSONObject;
@@ -543,6 +544,15 @@ public boolean handlePost(Object o, BindException errors) throws Exception
             Set<String> selections = DataRegionSelection.getSelected(getViewContext(), true);
             if (!selections.isEmpty())
             {
+                // GitHub Kanban #1892: Verify each selected run belongs to the current container before queuing
+                for (String selection : selections)
+                {
+                    int rowId = NumberUtils.toInt(selection, -1);
+                    ExpRun run = rowId != -1 ? ExperimentService.get().getExpRun(rowId, getContainer()) : null;
+                    if (run == null)
+                        throw new NotFoundException("Run " + selection + " does not exist.");
+                }
+
                 ViewBackgroundInfo info = new ViewBackgroundInfo(getContainer(), getUser(), getViewContext().getActionURL());
                 BackgroundSubtractionJob job = new BackgroundSubtractionJob(ElispotPipelineProvider.NAME, info,
                         PipelineService.get().findPipelineRoot(getContainer()), selections);

From 230f619c8761c559a2cb6f1ac9b11da2a82d1b6d Mon Sep 17 00:00:00 2001
From: cnathe <cnathe@labkey.com>
Date: Fri, 12 Jun 2026 13:31:57 -0500
Subject: [PATCH 10/11] Luminex action protocol scoping

---
 .../labkey/luminex/query/GuideSetTable.java   | 14 +++-
 .../tests/luminex/LuminexGuideSetTest.java    | 72 +++++++++++++++++++
 2 files changed, 85 insertions(+), 1 deletion(-)

diff --git a/luminex/src/org/labkey/luminex/query/GuideSetTable.java b/luminex/src/org/labkey/luminex/query/GuideSetTable.java
index cb60701d9f..8b19666e63 100644
--- a/luminex/src/org/labkey/luminex/query/GuideSetTable.java
+++ b/luminex/src/org/labkey/luminex/query/GuideSetTable.java
@@ -51,6 +51,7 @@
 import org.labkey.api.security.UserPrincipal;
 import org.labkey.api.security.permissions.Permission;
 import org.labkey.api.util.HtmlString;
+import org.labkey.api.view.NotFoundException;
 import org.labkey.api.writer.HtmlWriter;
 import org.labkey.luminex.LuminexDataHandler;
 import org.labkey.luminex.model.AnalyteSinglePointControl;
@@ -419,12 +420,23 @@ private static void appendNullableString(SQLFragment sql, String value)
         @Override
         public GuideSet get(User user, Container container, int key)
         {
-            return new TableSelector(LuminexProtocolSchema.getTableInfoGuideSet()).getObject(key, GuideSet.class);
+            GuideSet guideSet = new TableSelector(LuminexProtocolSchema.getTableInfoGuideSet()).getObject(key, GuideSet.class);
+
+            // Guide sets are scoped to the protocol rather than the container (see getContainerFilter), so a RowId
+            // belonging to another protocol must not be accessible through this protocol-scoped schema.
+            if (guideSet != null && guideSet.getProtocolId() != _protocol.getRowId())
+                return null;
+
+            return guideSet;
         }
 
         @Override
         public void delete(User user, Container container, int key)
         {
+            // Verify the requested guide set belongs to this schema's protocol before deleting
+            if (get(user, container, key) == null)
+                throw new NotFoundException("No guide set found for RowId " + key + " in assay design '" + _protocol.getName() + "'");
+
             DbScope scope = LuminexProtocolSchema.getSchema().getScope();
             SimpleFilter filter = new SimpleFilter(FieldKey.fromParts("GuideSetId"), key);
 
diff --git a/luminex/test/src/org/labkey/test/tests/luminex/LuminexGuideSetTest.java b/luminex/test/src/org/labkey/test/tests/luminex/LuminexGuideSetTest.java
index 34355eaf32..a63fdfd83f 100644
--- a/luminex/test/src/org/labkey/test/tests/luminex/LuminexGuideSetTest.java
+++ b/luminex/test/src/org/labkey/test/tests/luminex/LuminexGuideSetTest.java
@@ -17,6 +17,17 @@
 
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
+import org.labkey.api.query.QueryKey;
+import org.labkey.remoteapi.CommandException;
+import org.labkey.remoteapi.Connection;
+import org.labkey.remoteapi.assay.GetProtocolCommand;
+import org.labkey.remoteapi.assay.Protocol;
+import org.labkey.remoteapi.assay.SaveProtocolCommand;
+import org.labkey.remoteapi.query.DeleteRowsCommand;
+import org.labkey.remoteapi.query.Filter;
+import org.labkey.remoteapi.query.InsertRowsCommand;
+import org.labkey.remoteapi.query.SelectRowsCommand;
+import org.labkey.remoteapi.query.SelectRowsResponse;
 import org.labkey.test.BaseWebDriverTest;
 import org.labkey.test.Locator;
 import org.labkey.test.TestFileUtils;
@@ -35,6 +46,7 @@
 
 import java.io.File;
 import java.util.Calendar;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -644,4 +656,64 @@ private void enableDisableQCFlags(String runName, String... flags)
 
         clickButton("Save");
     }
+
+    /*
+        GitHub Kanban #1892: Verify that a user with delete permission in one assay folder can't delete
+        guide sets belonging to a different protocol/folder by passing arbitrary RowIds to the GuideSet delete path.
+     */
+    @Test
+    public void testCrossProtocolGuideSetDeleteDenied() throws Exception
+    {
+        final String assayB = "GuideSetAuthAssayB";
+        final String analyteB = "Auth Analyte";
+        final String folderB = getProjectName() + "/" + TEST_ASSAY_SUBFOLDER;
+        Connection connection = createDefaultConnection();
+
+        log("Create a second Luminex assay design in the subfolder via the API");
+        Protocol protocolB = new GetProtocolCommand("Luminex").execute(connection, folderB).getProtocol();
+        protocolB.setName(assayB).setDescription("Second Luminex design for guide set protocol-auth test");
+        new SaveProtocolCommand(protocolB).execute(connection, folderB);
+
+        final String schemaA = "assay.Luminex." + QueryKey.encodePart(TEST_ASSAY_LUM);
+        final String schemaB = "assay.Luminex." + QueryKey.encodePart(assayB);
+
+        log("Insert a guide set into the second assay design");
+        InsertRowsCommand insertB = new InsertRowsCommand(schemaB, "GuideSet");
+        Map<String, Object> guideSet = new HashMap<>();
+        guideSet.put("AnalyteName", analyteB);
+        guideSet.put("CurrentGuideSet", false);
+        insertB.addRow(guideSet);
+        insertB.execute(connection, folderB);
+        long guideSetIdB = getGuideSetRowId(connection, schemaB, folderB, analyteB);
+
+        log("Attempt to delete the second protocol's guide set (RowId " + guideSetIdB + ") through the first protocol's GuideSet query - must be denied");
+        DeleteRowsCommand crossDelete = new DeleteRowsCommand(schemaA, "GuideSet");
+        Map<String, Object> key = new HashMap<>();
+        key.put("RowId", guideSetIdB);
+        crossDelete.addRow(key);
+        crossDelete.execute(connection, getProjectName());
+        assertEquals("Cross-protocol delete must not remove the other protocol's guide set", 1, guideSetRowCount(connection, schemaB, folderB, guideSetIdB));
+
+        log("Verify the guide set can still be deleted through its own protocol's query");
+        DeleteRowsCommand ownDelete = new DeleteRowsCommand(schemaB, "GuideSet");
+        ownDelete.addRow(key);
+        ownDelete.execute(connection, folderB);
+        assertEquals("Guide set should be deletable through its own protocol's query", 0, guideSetRowCount(connection, schemaB, folderB, guideSetIdB));
+    }
+
+    private int guideSetRowCount(Connection connection, String schema, String folderPath, long rowId) throws Exception
+    {
+        SelectRowsCommand select = new SelectRowsCommand(schema, "GuideSet");
+        select.addFilter(new Filter("RowId", rowId, Filter.Operator.EQUAL));
+        return select.execute(connection, folderPath).getRowCount().intValue();
+    }
+
+    private long getGuideSetRowId(Connection connection, String schema, String folderPath, String analyteName) throws Exception
+    {
+        SelectRowsCommand select = new SelectRowsCommand(schema, "GuideSet");
+        select.addFilter(new Filter("AnalyteName", analyteName, Filter.Operator.EQUAL));
+        SelectRowsResponse response = select.execute(connection, folderPath);
+        assertEquals("Expected exactly one guide set for analyte " + analyteName, 1, response.getRowCount().intValue());
+        return ((Number) response.getRowset().iterator().next().getValue("RowId")).longValue();
+    }
 }

From 6fe6bad02bfd442b781c244dfa4844ac394a3ad0 Mon Sep 17 00:00:00 2001
From: labkey-nicka <nickk@labkey.com>
Date: Fri, 12 Jun 2026 12:23:29 -0700
Subject: [PATCH 11/11] Flow container scope

---
 .../controllers/executescript/AnalysisScriptController.java | 6 ++++++
 .../org/labkey/flow/controllers/well/WellController.java    | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/flow/src/org/labkey/flow/controllers/executescript/AnalysisScriptController.java b/flow/src/org/labkey/flow/controllers/executescript/AnalysisScriptController.java
index 563620e615..8e901c4657 100644
--- a/flow/src/org/labkey/flow/controllers/executescript/AnalysisScriptController.java
+++ b/flow/src/org/labkey/flow/controllers/executescript/AnalysisScriptController.java
@@ -867,6 +867,12 @@ private SampleIdMap<FlowFCSFile> getSelectedFCSFiles(ImportAnalysisForm form, Er
                             return null;
                         }
 
+                        if (!file.getContainer().equals(getContainer()))
+                        {
+                            errors.reject(ERROR_MSG, "Resolved FCS file '" + file.getName() + "' is not in this folder.");
+                            return null;
+                        }
+
                         if (!file.isOriginalFCSFile())
                         {
                             errors.reject(ERROR_MSG, "Resolved FCS file '" + file.getName() + "' is a FCS files created from importing an external analysis.");
diff --git a/flow/src/org/labkey/flow/controllers/well/WellController.java b/flow/src/org/labkey/flow/controllers/well/WellController.java
index fce017b127..366365f472 100644
--- a/flow/src/org/labkey/flow/controllers/well/WellController.java
+++ b/flow/src/org/labkey/flow/controllers/well/WellController.java
@@ -305,7 +305,9 @@ public ModelAndView getView(EditWellForm form, boolean reshow, BindException err
 
                     for (String wellId : selected)
                     {
-                        _wells.add(FlowWell.fromWellId(Integer.parseInt(wellId)));
+                        FlowWell well = FlowWell.fromWellId(Integer.parseInt(wellId));
+                        well.checkContainer(getContainer(), getUser(), getActionURL());
+                        _wells.add(well);
                     }
                     DataRegionSelection.clearAll(form.getViewContext());
                 }