Remove possibility to create a Virtual Study by anonymous user

[forus]

This feature makes the system vulnerable to DoS attacks.

Frontend: disable the button for anonymous users. Show popup "You have to Login to create a Virtual Study"

Backend: These 2 endpoints have to be closed for anonymous users:

• SessionServiceController#addSession(...) https://github.com/cBioPortal/cbioportal/blob/rfc83/src/main/java/org/cbioportal/web/SessionServiceController.java#L282
• SessionServiceController#addUserSavedVirtualStudy(...) https://github.com/cBioPortal/cbioportal/blob/rfc83/src/main/java/org/cbioportal/web/SessionServiceController.java#L288

[inodb]

@forus this sounds like a good idea! Thanks for posting!

[forus]

remember to update the FAQ answer here https://docs.cbioportal.org/user-guide/faq/#is-it-necessary-to-log-in-to-use-virtual-studies-if-i-do-log-in-what-additional-functionality-do-i-gain

[forus]

After fixing this issue, evaluate whether sanitization like this will become obsolete https://github.com/cBioPortal/cbioportal/commit/6d94d9b9de1ca30db9bc818971673ea4316b92be (not part of the main branch)

Anonymous users must be unable to specify the owner and users fields.