d338d5080783d2ac5828658fe17160668bf64cdb chmalee Thu May 7 15:05:24 2026 -0700 Fixes from code review, refs #37500 - Revalidate shared myVariants tracks against hgcentral on every read path (hgTracks, hgc, hgTables); cart-supplied owner/db/project no longer trusted. New myVariantsResolveSharedTrack helper. - Scope shared-track UPDATE statements by share->project/db so a recipient can't edit rows outside the granted scope. - Add hgsid CSRF check to myVariantsJsCommand; pass hgsid in the hgTracks.js highlight Add-Annotation POST. - HTML-escape owner-controlled fields in the canEdit branch of doMyVariantsDetails (Chromosome, Project, project select options, hidden text input). - Validate targetUser against gbMembers when creating a share; return a clear 400 on typos. - Replace the concat(id,' ',name)='%s' lookup with parsed-id + name verification. - Remove cgiMakeColorVar / cgiMakeColorVarWithLabel; the canEdit form uses spectrum.js (already loaded for the create dialog). - Strip _hidden_* columns from hgTables field lists for shared tracks, both the display path and the selected-fields read path. - Make the per-assembly invariant explicit: myVariantsLoadItems and doMyVariantsDetails bail out if share->db != current database. - Memoize myVariantsSharedScopeWhere to avoid per-region hgcentral round-trips on genome-wide hgTables queries. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git src/lib/cheapcgi.c src/lib/cheapcgi.c
index 0598370c700..0aaa8ebd1db 100644
--- src/lib/cheapcgi.c
+++ src/lib/cheapcgi.c
@@ -2140,43 +2140,30 @@ cgiMakeIntVarInRange(varName,initialVal,title,width,minStr,NULL);
 }
 
 void cgiMakeIntVarWithMax(char *varName, int initialVal, char *title, int width, int max)
 {
 char maxLimit[20];
 char *maxStr=NULL;
 if (max != NO_VALUE)
 {
 safef(maxLimit,sizeof(maxLimit),"%d",max);
 maxStr = maxLimit;
 }
 cgiMakeIntVarInRange(varName,initialVal,title,width,NULL,maxStr);
 }
 
-void cgiMakeColorVar(char *varName, char *initialColor)
-/* Make a color input picker using the native color picker. initialColor is a hexval string */
-{
-printf("<input type=color name=\"%s\" id=\"%s\" value=\"%s\">\n", varName, varName, initialColor);
-}
-
-void cgiMakeColorVarWithLabel(char *varName, char *label, char *initialColor, boolean boldLabel)
-/* Make an input color picker labeled by label */
-{
-printf("<label for=\"%s\">%s%s:%s</label>\n", varName, boldLabel ? "<b>": "", label, boldLabel ? "</b>": "");
-cgiMakeColorVar(varName, initialColor);
-}
-
 void cgiMakeDoubleVar(char *varName, double initialVal, int maxDigits)
 /* Make a text control filled with initial floating-point value. */
 {
 if (maxDigits == 0)
 maxDigits = 4;
 printf("<INPUT TYPE=TEXT NAME=\"%s\" SIZE=%d VALUE=%g>", varName, maxDigits, initialVal);
 }
 
 void cgiMakeDoubleVarWithExtra(char *varName, double initialVal, int maxDigits, char *extra)
 /* Make a text control filled with initial value and optional extra HTML. */
 {
 if (maxDigits == 0)
 maxDigits = 4;
 printf("<INPUT TYPE=TEXT NAME=\"%s\" SIZE=%d VALUE=%g %s>", varName, maxDigits, initialVal, emptyForNull(extra));