90297a90d259da8b7e7d48e7bf8600994e6a09a6
hiram
  Wed Jun 10 07:23:05 2026 -0700
minor fixups per claude code review refs #31811

diff --git src/hg/utils/otto/userRequests/ottoRequestView.cgi src/hg/utils/otto/userRequests/ottoRequestView.cgi
index 62467287688..7d19cddc8e9 100644
--- src/hg/utils/otto/userRequests/ottoRequestView.cgi
+++ src/hg/utils/otto/userRequests/ottoRequestView.cgi
@@ -1,23 +1,21 @@
 #!/usr/bin/env python3
 """ottoRequestView.cgi - web view of hgcentraltest.ottoRequest.
 
 Read-only display of every row in the table, plus a per-row 'reset
 status' control that is the only write path exposed.
 
-Access is restricted to a single IP (UCSC VPN, 128.114.198.5).
-Any other REMOTE_ADDR gets a 403.
 """
 
 import cgi
 import html
 import json
 import os
 import re
 import subprocess
 import sys
 import time
 import urllib.parse
 from datetime import datetime
 
 TRASH        = '/data/apache/trash'
 TABLE        = 'ottoRequest'
@@ -26,30 +24,32 @@
 HGDB_CONF = None
 DB = None
 USE_PROFILE = None
 
 # Galaxy queue status panel - snapshot is refreshed by ottoRequestWatch.sh
 # (cron, every 11 minutes), CGI just reads it.
 CACHE_PATH = '/data/apache/trash/ottoRequestGalaxyStatus.json'
 CACHE_TTL  = 1800  # seconds; older than this -> show "stale" instead
 
 # featureBits coverage snapshot - append-only file maintained by
 # featureBitsSnapshot.py (cron, via ottoRequestWatch.sh).  fb.*.txt
 # values are immutable once an alignment completes so no TTL is needed;
 # featureBitsPct() falls back to an NFS read on a snapshot miss.
 FB_SNAPSHOT_PATH = '/data/apache/trash/ottoRequestFeatureBitsPct.json'
 
+# keep this liftStatus and asmStatus lists at the same length so that
+#   the verification check in doResetStatus() will function on just liftStatus
 liftStatus = {
     0: 'received by API',
     1: 'acknowledged, email sent',
     2: 'galaxy job started',
     3: 'galaxy done, download started',
     4: 'downloaded, track files made',
     5: 'symlinks ready, awaiting push',
     6: 'push complete',
     7: 'ERROR',
     8: 'COMPLETE (final email sent)',
 }
 
 asmStatus = {
     0: 'received by API',
     1: 'acknowledged, email sent',
@@ -134,30 +134,32 @@
     return (r.returncode == 0, r.stdout, r.stderr)
 
 
 def fetchRows():
     sql = f"SELECT {','.join(COLS)} FROM {TABLE} ORDER BY id DESC"
     ok, out, err = hgsqlRun(sql)
     if not ok:
         raise RuntimeError(err.strip() or 'hgsql failed')
     rows = []
     if out.strip():
         for line in out.rstrip('\n').split('\n'):
             rows.append([unescapeMysql(f) for f in line.split('\t')])
     return rows
 
 
+# the verification of 'stat' here against liftStatus works for both
+# the liftStatus and asmStatus lists because they are kept at the same length
 def doResetStatus(form):
     rid  = form.getfirst('id', '')
     stat = form.getfirst('status', '')
     if not rid.isdigit():
         return None, f"bad id: {rid!r}"
     if not stat.isdigit() or int(stat) not in liftStatus:
         return None, f"bad status: {stat!r}"
     sql = (f"UPDATE {TABLE} SET status = {int(stat)} "
            f"WHERE id = {int(rid)}")
     ok, _out, err = hgsqlRun(sql)
     if not ok:
         return None, err.strip() or 'hgsql update failed'
     return (f"id={rid} status set to {stat} "
             f"({liftStatus[int(stat)]})"), None