fix: fill requester name/email from authenticated user, not form payload

Remove requester_name and requester_email from ToolRequestFormData and
populate them server-side from trans.user to prevent spoofing.
Update integration tests and regenerate API schema accordingly.

Author: arash77

client/src/api/schema/schema.ts

@@ -23632,16 +23632,6 @@ export interface components {
              * @description The affiliation/lab of the requester.
              */
             requester_affiliation?: string | null;
-            /**
-             * Requester email
-             * @description The email address of the requester for follow-up.
-             */
-            requester_email?: string | null;
-            /**
-             * Requester name
-             * @description The name of the person requesting the tool.
-             */
-            requester_name: string;
             /**
              * Scientific domain
              * @description The scientific domain for the requested tool.

lib/galaxy/webapps/galaxy/services/tool_request_form.py

@@ -53,10 +53,6 @@ class ToolRequestFormData(Model):
     test_data_available: Optional[bool] = Field(
         None, title="Test data available", description="Whether test data for this tool is available."
     )
-    requester_name: str = Field(..., title="Requester name", description="The name of the person requesting the tool.")
-    requester_email: Optional[str] = Field(
-        None, title="Requester email", description="The email address of the requester for follow-up."
-    )
     requester_affiliation: Optional[str] = Field(
         None, title="Requester affiliation", description="The affiliation/lab of the requester."
     )
@@ -98,7 +94,7 @@ def submit_tool_request(self, trans: ProvidesUserContext, payload: ToolRequestFo
         if not self.config.enable_tool_request_form:
             raise ServerNotConfiguredForRequest("The tool request form is not enabled in the configuration.")
 
-        if trans.anonymous:
+        if trans.anonymous or trans.user is None:
             raise AuthenticationRequired("You must be logged in to submit a tool request.")
 
         if not self.config.enable_notification_system:
@@ -116,8 +112,8 @@ def submit_tool_request(self, trans: ProvidesUserContext, payload: ToolRequestFo
             requested_version=payload.requested_version,
             conda_available=payload.conda_available,
             test_data_available=payload.test_data_available,
-            requester_name=payload.requester_name,
-            requester_email=payload.requester_email,
+            requester_name=trans.user.username,
+            requester_email=trans.user.email,
             requester_affiliation=payload.requester_affiliation,
             tool_ids=payload.tool_ids,
             workflow_name=payload.workflow_name,

test/integration/test_tool_request_form.py

@@ -11,8 +11,6 @@
     "requested_version": "0.12.1",
     "conda_available": True,
     "test_data_available": True,
-    "requester_name": "Dr. Smith",
-    "requester_email": "smith@example.com",
     "requester_affiliation": "Example University",
 }
 
@@ -63,9 +61,16 @@ def test_admin_receives_notification_after_submission(self):
             len(tool_request_notifications) >= 1
         ), f"Expected at least one tool_request notification for admin, got: {notifications}"
 
-        notification = tool_request_notifications[0]
+        sender_notifications = [
+            n for n in tool_request_notifications if n["content"].get("requester_email") == user["email"]
+        ]
+        assert (
+            len(sender_notifications) >= 1
+        ), f"Expected notification from {user['email']}, got: {tool_request_notifications}"
+        notification = sender_notifications[0]
         assert notification["content"]["tool_name"] == TOOL_REQUEST_PAYLOAD["tool_name"]
-        assert notification["content"]["requester_name"] == TOOL_REQUEST_PAYLOAD["requester_name"]
+        assert notification["content"]["requester_name"] == user["username"]
+        assert notification["content"]["requester_email"] == user["email"]
         assert notification["content"]["description"] == TOOL_REQUEST_PAYLOAD["description"]
 
     def test_missing_required_fields_returns_400(self):
@@ -74,19 +79,18 @@ def test_missing_required_fields_returns_400(self):
         with self._different_user(user["email"]):
             # Missing tool_name and description (both required)
             incomplete_payload = {
-                "requester_name": "Dr. Smith",
+                "requester_affiliation": "Example University",
             }
             response = self._post("tool_request_form", data=incomplete_payload, json=True)
             self._assert_status_code_is(response, 400)
 
     def test_minimal_payload_succeeds(self):
-        """Only required fields should be enough to submit."""
+        """Only required fields (tool_name, description) should be enough to submit."""
         user = self._setup_user("tool_request_minimal@galaxy.test")
         with self._different_user(user["email"]):
             minimal_payload = {
                 "tool_name": "Samtools",
                 "description": "Tools for manipulating alignments in SAM format.",
-                "requester_name": "Dr. Jones",
             }
             response = self._post("tool_request_form", data=minimal_payload, json=True)
             self._assert_status_code_is(response, 204)
@@ -101,7 +105,6 @@ def test_workflow_install_request_with_tool_ids(self):
                 "but not installed: toolshed.g2.bx.psu.edu/repos/devteam/bwa/bwa/0.7.17, "
                 "toolshed.g2.bx.psu.edu/repos/devteam/samtools/samtools/1.13."
             ),
-            "requester_name": "Dr. Smith",
             "tool_ids": [
                 "toolshed.g2.bx.psu.edu/repos/devteam/bwa/bwa/0.7.17",
                 "toolshed.g2.bx.psu.edu/repos/devteam/samtools/samtools/1.13",