galaxy-commits
December 2014
- 2 participants
- 245 discussions
commit/galaxy-central: jmchilton: Merged in martenson/galaxy-central-marten/stable (pull request #592)
by commits-noreply@bitbucket.org 05 Dec '14
by commits-noreply@bitbucket.org 05 Dec '14
05 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/8e45b1cefba1/
Changeset: 8e45b1cefba1
Branch: stable
User: jmchilton
Date: 2014-12-05 16:57:27+00:00
Summary: Merged in martenson/galaxy-central-marten/stable (pull request #592)
[STABLE] disable mobile version of the website
Affected #: 1 file
diff -r f76fb3c40d55adf4f84acfdf26194d323f860df6 -r 8e45b1cefba16727d4d3a7d0dceaaaf1ef400a0c lib/galaxy/webapps/galaxy/controllers/mobile.py
--- a/lib/galaxy/webapps/galaxy/controllers/mobile.py
+++ b/lib/galaxy/webapps/galaxy/controllers/mobile.py
@@ -1,60 +1,71 @@
+from galaxy import web
from galaxy.web.base.controller import *
+
class Mobile( BaseUIController ):
+
@web.expose
def index( self, trans, **kwargs ):
- return trans.fill_template( "mobile/index.mako" )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # return trans.fill_template( "mobile/index.mako" )
@web.expose
def history_list( self, trans ):
- return trans.fill_template( "mobile/history/list.mako" )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # return trans.fill_template( "mobile/history/list.mako" )
@web.expose
def history_detail( self, trans, id ):
- history = trans.sa_session.query( trans.app.model.History ).get( id )
- assert history.user == trans.user
- return trans.fill_template( "mobile/history/detail.mako", history=history )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # history = trans.sa_session.query( trans.app.model.History ).get( id )
+ # assert history.user == trans.user
+ # return trans.fill_template( "mobile/history/detail.mako", history=history )
@web.expose
def dataset_detail( self, trans, id ):
- dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id )
- assert dataset.history.user == trans.user
- return trans.fill_template( "mobile/dataset/detail.mako", dataset=dataset )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id )
+ # assert dataset.history.user == trans.user
+ # return trans.fill_template( "mobile/dataset/detail.mako", dataset=dataset )
@web.expose
def dataset_peek( self, trans, id ):
- dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id )
- assert dataset.history.user == trans.user
- return trans.fill_template( "mobile/dataset/peek.mako", dataset=dataset )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id )
+ # assert dataset.history.user == trans.user
+ # return trans.fill_template( "mobile/dataset/peek.mako", dataset=dataset )
@web.expose
def settings( self, trans, email=None, password=None ):
- message = None
- if email is not None and password is not None:
- if email == "":
- self.__logout( trans )
- message = "Logged out"
- else:
- error = self.__login( trans, email, password )
- message = error or "Login changed"
- return trans.fill_template( "mobile/settings.mako", message=message )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # message = None
+ # if email is not None and password is not None:
+ # if email == "":
+ # self.__logout( trans )
+ # message = "Logged out"
+ # else:
+ # error = self.__login( trans, email, password )
+ # message = error or "Login changed"
+ # return trans.fill_template( "mobile/settings.mako", message=message )
def __logout( self, trans ):
- trans.log_event( "User logged out" )
- trans.handle_user_logout()
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # trans.log_event( "User logged out" )
+ # trans.handle_user_logout()
def __login( self, trans, email="", password="" ):
- error = password_error = None
- user = trans.sa_session.query( model.User ).filter_by( email = email ).first()
- if not user:
- error = "No such user (please note that login is case sensitive)"
- elif user.deleted:
- error = "This account has been marked deleted, contact your Galaxy administrator to restore the account."
- elif user.external:
- error = "This account was created for use with an external authentication method, contact your local Galaxy administrator to activate it."
- elif not user.check_password( password ):
- error = "Invalid password"
- else:
- trans.handle_user_login( user )
- trans.log_event( "User logged in" )
- return error
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # error = password_error = None
+ # user = trans.sa_session.query( model.User ).filter_by( email = email ).first()
+ # if not user:
+ # error = "No such user (please note that login is case sensitive)"
+ # elif user.deleted:
+ # error = "This account has been marked deleted, contact your Galaxy administrator to restore the account."
+ # elif user.external:
+ # error = "This account was created for use with an external authentication method, contact your local Galaxy administrator to activate it."
+ # elif not user.check_password( password ):
+ # error = "Invalid password"
+ # else:
+ # trans.handle_user_login( user )
+ # trans.log_event( "User logged in" )
+ # return error
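Review bot: `__logout` and `__login` at the end of the hunk carry no `@web.expose`, and their only visible caller, `settings`, now redirects before reaching them, so giving them a `send_redirect` body leaves unreachable code that reads like a live endpoint; deleting both helpers would state the intent more clearly. The old bodies are kept as comments, including the ownership checks written as `assert history.user == trans.user`; `assert` is stripped under `python -O`, so if these actions are ever restored the check should become an explicit comparison that returns an error. A one-line comment above the class would record why the controller is stubbed, e.g. `# Mobile UI disabled: mobile/ templates render values unescaped; every action redirects to root/index`. The identical hunk appears again in the two later notifications on this page.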
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
--
This is a commit notification from bitbucket.org. You are receiving
this because you have the service enabled, addressing the recipient of
this email.
2 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/4835a8c8f01f/
Changeset: 4835a8c8f01f
Branch: stable
User: martenson
Date: 2014-12-04 17:00:38+00:00
Summary: Mobile version of galaxy at /mobile can't be navigated (many dead links etc.), the templates/controllers are completely unescaped so I am disabling it completely for now, until we fix or remove it.
Redirect to index from every used URL.
Affected #: 1 file
diff -r 295fd99b1d578e4d58af673259b95e703750f757 -r 4835a8c8f01f7a20a956bccec928c02f47cfe321 lib/galaxy/webapps/galaxy/controllers/mobile.py
--- a/lib/galaxy/webapps/galaxy/controllers/mobile.py
+++ b/lib/galaxy/webapps/galaxy/controllers/mobile.py
@@ -1,60 +1,71 @@
+from galaxy import web
from galaxy.web.base.controller import *
+
class Mobile( BaseUIController ):
+
@web.expose
def index( self, trans, **kwargs ):
- return trans.fill_template( "mobile/index.mako" )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # return trans.fill_template( "mobile/index.mako" )
@web.expose
def history_list( self, trans ):
- return trans.fill_template( "mobile/history/list.mako" )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # return trans.fill_template( "mobile/history/list.mako" )
@web.expose
def history_detail( self, trans, id ):
- history = trans.sa_session.query( trans.app.model.History ).get( id )
- assert history.user == trans.user
- return trans.fill_template( "mobile/history/detail.mako", history=history )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # history = trans.sa_session.query( trans.app.model.History ).get( id )
+ # assert history.user == trans.user
+ # return trans.fill_template( "mobile/history/detail.mako", history=history )
@web.expose
def dataset_detail( self, trans, id ):
- dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id )
- assert dataset.history.user == trans.user
- return trans.fill_template( "mobile/dataset/detail.mako", dataset=dataset )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id )
+ # assert dataset.history.user == trans.user
+ # return trans.fill_template( "mobile/dataset/detail.mako", dataset=dataset )
@web.expose
def dataset_peek( self, trans, id ):
- dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id )
- assert dataset.history.user == trans.user
- return trans.fill_template( "mobile/dataset/peek.mako", dataset=dataset )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id )
+ # assert dataset.history.user == trans.user
+ # return trans.fill_template( "mobile/dataset/peek.mako", dataset=dataset )
@web.expose
def settings( self, trans, email=None, password=None ):
- message = None
- if email is not None and password is not None:
- if email == "":
- self.__logout( trans )
- message = "Logged out"
- else:
- error = self.__login( trans, email, password )
- message = error or "Login changed"
- return trans.fill_template( "mobile/settings.mako", message=message )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # message = None
+ # if email is not None and password is not None:
+ # if email == "":
+ # self.__logout( trans )
+ # message = "Logged out"
+ # else:
+ # error = self.__login( trans, email, password )
+ # message = error or "Login changed"
+ # return trans.fill_template( "mobile/settings.mako", message=message )
def __logout( self, trans ):
- trans.log_event( "User logged out" )
- trans.handle_user_logout()
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # trans.log_event( "User logged out" )
+ # trans.handle_user_logout()
def __login( self, trans, email="", password="" ):
- error = password_error = None
- user = trans.sa_session.query( model.User ).filter_by( email = email ).first()
- if not user:
- error = "No such user (please note that login is case sensitive)"
- elif user.deleted:
- error = "This account has been marked deleted, contact your Galaxy administrator to restore the account."
- elif user.external:
- error = "This account was created for use with an external authentication method, contact your local Galaxy administrator to activate it."
- elif not user.check_password( password ):
- error = "Invalid password"
- else:
- trans.handle_user_login( user )
- trans.log_event( "User logged in" )
- return error
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # error = password_error = None
+ # user = trans.sa_session.query( model.User ).filter_by( email = email ).first()
+ # if not user:
+ # error = "No such user (please note that login is case sensitive)"
+ # elif user.deleted:
+ # error = "This account has been marked deleted, contact your Galaxy administrator to restore the account."
+ # elif user.external:
+ # error = "This account was created for use with an external authentication method, contact your local Galaxy administrator to activate it."
+ # elif not user.check_password( password ):
+ # error = "Invalid password"
+ # else:
+ # trans.handle_user_login( user )
+ # trans.log_event( "User logged in" )
+ # return error
https://bitbucket.org/galaxy/galaxy-central/commits/8e45b1cefba1/
Changeset: 8e45b1cefba1
Branch: stable
User: jmchilton
Date: 2014-12-05 16:57:27+00:00
Summary: Merged in martenson/galaxy-central-marten/stable (pull request #592)
[STABLE] disable mobile version of the website
Affected #: 1 file
diff -r f76fb3c40d55adf4f84acfdf26194d323f860df6 -r 8e45b1cefba16727d4d3a7d0dceaaaf1ef400a0c lib/galaxy/webapps/galaxy/controllers/mobile.py
--- a/lib/galaxy/webapps/galaxy/controllers/mobile.py
+++ b/lib/galaxy/webapps/galaxy/controllers/mobile.py
@@ -1,60 +1,71 @@
+from galaxy import web
from galaxy.web.base.controller import *
+
class Mobile( BaseUIController ):
+
@web.expose
def index( self, trans, **kwargs ):
- return trans.fill_template( "mobile/index.mako" )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # return trans.fill_template( "mobile/index.mako" )
@web.expose
def history_list( self, trans ):
- return trans.fill_template( "mobile/history/list.mako" )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # return trans.fill_template( "mobile/history/list.mako" )
@web.expose
def history_detail( self, trans, id ):
- history = trans.sa_session.query( trans.app.model.History ).get( id )
- assert history.user == trans.user
- return trans.fill_template( "mobile/history/detail.mako", history=history )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # history = trans.sa_session.query( trans.app.model.History ).get( id )
+ # assert history.user == trans.user
+ # return trans.fill_template( "mobile/history/detail.mako", history=history )
@web.expose
def dataset_detail( self, trans, id ):
- dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id )
- assert dataset.history.user == trans.user
- return trans.fill_template( "mobile/dataset/detail.mako", dataset=dataset )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id )
+ # assert dataset.history.user == trans.user
+ # return trans.fill_template( "mobile/dataset/detail.mako", dataset=dataset )
@web.expose
def dataset_peek( self, trans, id ):
- dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id )
- assert dataset.history.user == trans.user
- return trans.fill_template( "mobile/dataset/peek.mako", dataset=dataset )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id )
+ # assert dataset.history.user == trans.user
+ # return trans.fill_template( "mobile/dataset/peek.mako", dataset=dataset )
@web.expose
def settings( self, trans, email=None, password=None ):
- message = None
- if email is not None and password is not None:
- if email == "":
- self.__logout( trans )
- message = "Logged out"
- else:
- error = self.__login( trans, email, password )
- message = error or "Login changed"
- return trans.fill_template( "mobile/settings.mako", message=message )
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # message = None
+ # if email is not None and password is not None:
+ # if email == "":
+ # self.__logout( trans )
+ # message = "Logged out"
+ # else:
+ # error = self.__login( trans, email, password )
+ # message = error or "Login changed"
+ # return trans.fill_template( "mobile/settings.mako", message=message )
def __logout( self, trans ):
- trans.log_event( "User logged out" )
- trans.handle_user_logout()
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # trans.log_event( "User logged out" )
+ # trans.handle_user_logout()
def __login( self, trans, email="", password="" ):
- error = password_error = None
- user = trans.sa_session.query( model.User ).filter_by( email = email ).first()
- if not user:
- error = "No such user (please note that login is case sensitive)"
- elif user.deleted:
- error = "This account has been marked deleted, contact your Galaxy administrator to restore the account."
- elif user.external:
- error = "This account was created for use with an external authentication method, contact your local Galaxy administrator to activate it."
- elif not user.check_password( password ):
- error = "Invalid password"
- else:
- trans.handle_user_login( user )
- trans.log_event( "User logged in" )
- return error
+ return trans.response.send_redirect( web.url_for(controller='root', action='index' ) )
+ # error = password_error = None
+ # user = trans.sa_session.query( model.User ).filter_by( email = email ).first()
+ # if not user:
+ # error = "No such user (please note that login is case sensitive)"
+ # elif user.deleted:
+ # error = "This account has been marked deleted, contact your Galaxy administrator to restore the account."
+ # elif user.external:
+ # error = "This account was created for use with an external authentication method, contact your local Galaxy administrator to activate it."
+ # elif not user.check_password( password ):
+ # error = "Invalid password"
+ # else:
+ # trans.handle_user_login( user )
+ # trans.log_event( "User logged in" )
+ # return error
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
--
This is a commit notification from bitbucket.org. You are receiving
this because you have the service enabled, addressing the recipient of
this email.
commit/galaxy-central: martenson: Merged in natefoo/galaxy-central/stable (pull request #588)
by commits-noreply@bitbucket.org 05 Dec '14
by commits-noreply@bitbucket.org 05 Dec '14
05 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/f76fb3c40d55/
Changeset: f76fb3c40d55
Branch: stable
User: martenson
Date: 2014-12-05 16:54:22+00:00
Summary: Merged in natefoo/galaxy-central/stable (pull request #588)
[STABLE] XSS fixes for remaining user templates and a few other security fixes
Affected #: 6 files
diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 lib/galaxy/tools/filters/__init__.py
--- a/lib/galaxy/tools/filters/__init__.py
+++ b/lib/galaxy/tools/filters/__init__.py
@@ -1,6 +1,10 @@
+import logging
from galaxy.util import listify
from copy import deepcopy
+log = logging.getLogger( __name__ )
+
+
class FilterFactory( object ):
"""
An instance of this class is responsible for filtering the list
@@ -37,17 +41,21 @@
elif name == 'toolbox_label_filters':
category = "label"
if category:
- self.__init_filters( category, user_filters, filters )
+ validate = getattr( trans.app.config, 'user_%s_filters' % category, [] )
+ self.__init_filters( category, user_filters, filters, validate=validate )
else:
if kwds.get( "trackster", False ):
filters[ "tool" ].append( _has_trackster_conf )
return filters
- def __init_filters( self, key, filters, toolbox_filters ):
+ def __init_filters( self, key, filters, toolbox_filters, validate=None ):
for filter in filters:
- filter_function = self.__build_filter_function( filter )
- toolbox_filters[ key ].append( filter_function )
+ if validate is None or filter in validate or filter in self.default_filters:
+ filter_function = self.__build_filter_function( filter )
+ toolbox_filters[ key ].append( filter_function )
+ else:
+ log.warning( "Refusing to load %s filter '%s' which is not defined in config", key, filter )
return toolbox_filters
def __build_filter_function( self, filter_name ):
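Review bot: In `__init_filters` the allow-list is applied only when `validate` is passed, so the default `validate=None` silently means "load whatever names are given". That is presumably intended for admin-configured filters, but nothing in the signature says so, and a later caller that hands in user preferences without `validate` would skip the check. A docstring would pin the contract down, stating that when `validate` is a list, names outside it and outside `self.default_filters` are refused and logged, and that `None` is reserved for trusted, config-supplied names. The `getattr( ..., [] )` fallback makes a missing `user_%s_filters` option refuse every user filter, which is the safe default and deserves a short comment such as `# missing config option => no user filters allowed`. The enclosing method and `__build_filter_function` continue outside the hunk.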
diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 lib/galaxy/webapps/galaxy/controllers/user.py
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -295,7 +295,7 @@
message=message,
status='info' ) )
if redirect:
- return trans.response.send_redirect( redirect )
+ return trans.response.send_redirect( self.__get_redirect_url( redirect ) )
return trans.response.send_redirect( url_for( controller='user',
action='openid_manage',
use_panels=use_panels,
@@ -347,7 +347,7 @@
message=message,
status='info' ) )
if redirect:
- return trans.response.send_redirect( redirect )
+ return trans.response.send_redirect( self.__get_redirect_url( redirect ) )
return trans.response.send_redirect( url_for( controller='user',
action='openid_manage',
use_panels=use_panels,
@@ -453,7 +453,7 @@
redirect = self.__get_redirect_url( kwd.get( 'redirect', trans.request.referer ).strip() )
redirect_url = '' # always start with redirect_url being empty
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
header = ''
user = trans.user
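Review bot: `status` on the line after the newly escaped `message` is still taken from the request unchanged (`status = kwd.get( 'status', 'done' )`), and the same holds in the -629 hunk (`params.get( 'status', 'done' )`) and the -1228 hunk (`util.restore_text( kwd.get( 'status', 'done' ) )`). How the templates render `status` is not visible here, but if it is interpolated into markup or a class attribute it is the same reflected-input sink this commit closes for `message`. Escaping it at the same point, `status = escape( kwd.get( 'status', 'done' ) )`, or mapping anything outside the values the templates support back to `'done'`, would close it. The enclosing action starts and ends outside the hunk.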
@@ -606,7 +606,7 @@
refresh_frames = [ 'masthead' ]
trans.handle_user_logout( logout_all=logout_all )
message = 'You have been logged out.<br>You can log in again, <a target="_top" href="%s">go back to the page you were visiting</a> or <a target="_top" href="%s">go to the home page</a>.' % \
- ( trans.request.referer, url_for( '/' ) )
+ ( escape( trans.request.referer ), url_for( '/' ) )
if biostar.biostar_logged_in( trans ):
biostar_url = biostar.biostar_logout( trans )
if biostar_url:
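Review bot: `escape( trans.request.referer )` receives whatever the Referer header held, and when the browser sends none the value is presumably None. Which `escape` is imported is not visible in this hunk, so the call may either raise or render the link as `href="None"`. Falling back to the home page keeps the logout message usable: `( escape( trans.request.referer or url_for( '/' ) ), url_for( '/' ) )`. The enclosing logout action starts and ends outside the hunk.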
@@ -629,7 +629,7 @@
if honeypot_field != '':
return trans.show_error_message( "You've been flagged as a possible bot. If you are not, please try registering again and fill the form out carefully. <a target=\"_top\" href=\"%s\">Go to the home page</a>." ) % url_for( '/' )
- message = util.restore_text( params.get( 'message', '' ) )
+ message = escape( util.restore_text( params.get( 'message', '' ) ) )
status = params.get( 'status', 'done' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', True ) )
email = util.restore_text( params.get( 'email', '' ) )
@@ -659,9 +659,11 @@
# Create the user, save all the user info and login to Galaxy
if params.get( 'create_user_button', False ):
# Check email and password validity
+ # Note: message does not need to be escaped (it is clean)
message = self.__validate( trans, params, email, password, confirm, username )
if not message:
# All the values are valid
+ # message does not need to be escaped here either
message, status, user, success = self.__register( trans,
cntrller,
subscribe_checked,
@@ -675,7 +677,7 @@
trans.log_event( "User created a new account" )
trans.log_event( "User logged in" )
if success and is_admin:
- message = 'Created new user account (%s)' % user.email
+ message = 'Created new user account (%s)' % escape( user.email )
trans.response.send_redirect( web.url_for( controller='admin',
action='users',
cntrller=cntrller,
@@ -743,7 +745,7 @@
if subscribe_checked:
# subscribe user to email list
if trans.app.config.smtp_server is None:
- error = "Now logged in as " + user.email + ". However, subscribing to the mailing list has failed because mail is not configured for this Galaxy instance. <br>Please contact your local Galaxy administrator."
+ error = "Now logged in as " + escape( user.email ) + ". However, subscribing to the mailing list has failed because mail is not configured for this Galaxy instance. <br>Please contact your local Galaxy administrator."
else:
body = 'Join Mailing list.\n'
to = trans.app.config.mailing_join_addr
@@ -752,7 +754,7 @@
try:
util.send_mail( frm, to, subject, body, trans.app.config )
except:
- error = "Now logged in as " + user.email + ". However, subscribing to the mailing list has failed."
+ error = "Now logged in as " + escape( user.email ) + ". However, subscribing to the mailing list has failed."
if not error and not is_admin:
# The handle_user_login() method has a call to the history_set_default_permissions() method
# (needed when logging in with a history), user needs to have default permissions set before logging in
@@ -762,7 +764,7 @@
elif not error:
trans.response.send_redirect( web.url_for( controller='admin',
action='users',
- message='Created new user account (%s)' % user.email,
+ message='Created new user account (%s)' % escape( user.email ),
status=status ) )
if error:
message = error
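Review bot: `message='Created new user account (%s)' % escape( user.email )` escapes the address where the text is placed into a redirect URL, not where it is rendered. The `admin`/`users` action that receives it reads `message` from the query string again (its code is not visible here), so it has to escape on output regardless. If it does, this address is displayed double-escaped (`&amp;` for `&`); if it does not, the parameter can be supplied directly in the URL and this call-site escape protects nothing. Escaping once in the receiving action or its template covers both cases; the -675 hunk above appears to follow the same pattern.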
@@ -772,7 +774,7 @@
if trans.webapp.name == 'galaxy' and trans.app.config.user_activation_on:
is_activation_sent = self.send_verification_email( trans, email, username )
if is_activation_sent:
- message = 'Now logged in as %s.<br>Verification email has been sent to your email address. Please verify it by clicking the activation link in the email.<br>Please check your spam/trash folder in case you cannot find the message.<br><a target="_top" href="%s">Return to the home page.</a>' % ( user.email, url_for( '/' ) )
+ message = 'Now logged in as %s.<br>Verification email has been sent to your email address. Please verify it by clicking the activation link in the email.<br>Please check your spam/trash folder in case you cannot find the message.<br><a target="_top" href="%s">Return to the home page.</a>' % ( escape( user.email ), url_for( '/' ) )
success = True
else:
message = 'Unable to send activation email, please contact your local Galaxy administrator.'
@@ -780,7 +782,7 @@
message += ' Contact: %s' % trans.app.config.error_email_to
success = False
else: # User activation is OFF, proceed without sending the activation email.
- message = 'Now logged in as %s.<br><a target="_top" href="%s">Return to the home page.</a>' % ( user.email, url_for( '/' ) )
+ message = 'Now logged in as %s.<br><a target="_top" href="%s">Return to the home page.</a>' % ( escape( user.email ), url_for( '/' ) )
success = True
return ( message, status, user, success )
@@ -970,7 +972,7 @@
user.username = username
trans.sa_session.add( user )
trans.sa_session.flush()
- message = 'The username has been updated with the changes.'
+ message = 'The username has been updated to: %s' % escape( username )
return trans.fill_template( '/user/username.mako',
cntrller=cntrller,
user=user,
@@ -1177,7 +1179,7 @@
message = 'Default new history permissions have been changed.'
return trans.fill_template( 'user/permissions.mako',
cntrller=cntrller,
- message=message,
+ message=escape( message ),
status=status )
else:
# User not logged in, history group must be only public
@@ -1228,57 +1230,48 @@
filters.append( dict( filterpath=filter_name, short_desc=sdesc, desc=description, checked=False ) )
return filters
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
+ saved_user_tool_filters = list()
+ saved_user_section_filters = list()
+ saved_user_label_filters = list()
- user_id = params.get( 'user_id', False )
- if user_id:
- user = trans.sa_session.query( trans.app.model.User ).get( trans.security.decode_id( user_id ) )
- else:
- user = trans.user
+ for name, value in trans.user.preferences.items():
+ if name == 'toolbox_tool_filters':
+ saved_user_tool_filters = listify( value, do_strip=True )
+ elif name == 'toolbox_section_filters':
+ saved_user_section_filters = listify( value, do_strip=True )
+ elif name == 'toolbox_label_filters':
+ saved_user_label_filters = listify( value, do_strip=True )
- if user:
- saved_user_tool_filters = list()
- saved_user_section_filters = list()
- saved_user_label_filters = list()
+ tool_filters = get_filter_mapping( saved_user_tool_filters, trans.app.config.user_tool_filters )
+ section_filters = get_filter_mapping( saved_user_section_filters, trans.app.config.user_section_filters )
+ label_filters = get_filter_mapping( saved_user_label_filters, trans.app.config.user_label_filters )
- for name, value in user.preferences.items():
- if name == 'toolbox_tool_filters':
- saved_user_tool_filters = listify( value, do_strip=True )
- elif name == 'toolbox_section_filters':
- saved_user_section_filters = listify( value, do_strip=True )
- elif name == 'toolbox_label_filters':
- saved_user_label_filters = listify( value, do_strip=True )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
+ status = util.restore_text( kwd.get( 'status', 'done' ) )
- tool_filters = get_filter_mapping( saved_user_tool_filters, trans.app.config.user_tool_filters )
- section_filters = get_filter_mapping( saved_user_section_filters, trans.app.config.user_section_filters )
- label_filters = get_filter_mapping( saved_user_label_filters, trans.app.config.user_label_filters )
-
- return trans.fill_template( 'user/toolbox_filters.mako',
- cntrller=cntrller,
- message=message,
- tool_filters=tool_filters,
- section_filters=section_filters,
- label_filters=label_filters,
- user=user,
- status=status )
- else:
- # User not logged in, history group must be only public
- return trans.show_error_message( "You must be logged in to change private toolbox filters." )
+ return trans.fill_template( 'user/toolbox_filters.mako',
+ cntrller=cntrller,
+ message=message,
+ tool_filters=tool_filters,
+ section_filters=section_filters,
+ label_filters=label_filters,
+ user=trans.user,
+ status=status)
@web.expose
@web.require_login( "to change the private toolbox filters" )
def edit_toolbox_filters( self, trans, cntrller, **kwd ):
+ def validate( user_filters, filter_type ):
+ rval = []
+ config_filters = getattr( trans.app.config, 'user_%s_filters' % filter_type, [] )
+ for f in user_filters:
+ if f not in config_filters:
+ log.warning( 'User provided filter %s which is not in user_%s_filters', f, filter_type )
+ else:
+ rval.append( f )
+ return rval
+
params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- user_id = params.get( 'user_id', False )
- if not user_id:
- # User must be logged in to create a new address
- return trans.show_error_message( "You must be logged in to change the ToolBox filters." )
-
- user = trans.sa_session.query( trans.app.model.User ).get( trans.security.decode_id( user_id ) )
-
if params.get( 'edit_toolbox_filter_button', False ):
tool_filters = list()
section_filters = list()
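Review bot: With the `if user:` / `else` branch removed, the first function in this hunk dereferences `trans.user.preferences` unconditionally. Its decorators are above the hunk, so confirm it carries `@web.require_login` as `edit_toolbox_filters` does; otherwise, if `trans.user` is None for anonymous sessions, the request fails with an AttributeError instead of the old "You must be logged in" message. The nested `validate` in `edit_toolbox_filters` logs the submitted filter name with `%s`; `%r` would keep control characters from a crafted form field out of the log, e.g. `log.warning( 'User provided filter %r which is not in user_%s_filters', f, filter_type )`. Whether `log` is defined in this module is also not visible in the hunk. Both functions extend beyond the hunk.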
@@ -1291,13 +1284,13 @@
label_filters.append( name[2:] )
elif name.startswith('s_'):
section_filters.append( name[2:] )
- user.preferences['toolbox_tool_filters'] = ','.join( tool_filters )
- user.preferences['toolbox_section_filters'] = ','.join( section_filters )
- user.preferences['toolbox_label_filters'] = ','.join( label_filters )
+ trans.user.preferences['toolbox_tool_filters'] = ','.join( validate( tool_filters, 'tool' ) )
+ trans.user.preferences['toolbox_section_filters'] = ','.join( validate( section_filters, 'section' ) )
+ trans.user.preferences['toolbox_label_filters'] = ','.join( validate( label_filters, 'label' ) )
- trans.sa_session.add( user )
+ trans.sa_session.add( trans.user )
trans.sa_session.flush()
- message = 'ToolBox filters has been updated.'
+ message = 'ToolBox filters have been updated.'
kwd = dict( message=message, status='done' )
# Display the ToolBox filters form with the current values filled in
diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 templates/user/dbkeys.mako
--- a/templates/user/dbkeys.mako
+++ b/templates/user/dbkeys.mako
@@ -148,7 +148,7 @@
Processing
% endif
</td>
- <td><form action="dbkeys" method="post"><input type="hidden" name="key" value="${key}" /><input type="submit" name="delete" value="Delete" /></form></td>
+ <td><form action="dbkeys" method="post"><input type="hidden" name="key" value="${key | h}" /><input type="submit" name="delete" value="Delete" /></form></td></tr>
% endfor
</table>
@@ -194,7 +194,7 @@
<div style="clear: both; padding-bottom: 0.5em"></div><select id="fasta_input" name="dataset_id">
%for dataset in fasta_hdas:
- <option value="${trans.security.encode_id( dataset.id )}">${dataset.hid}: ${dataset.name}</option>
+ <option value="${trans.security.encode_id( dataset.id )}">${dataset.hid | h}: ${dataset.name | h}</option>
%endfor
</select><input type="file" id="len_file_input" name="len_file" /></input>
diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 templates/user/openid_associate.mako
--- a/templates/user/openid_associate.mako
+++ b/templates/user/openid_associate.mako
@@ -48,13 +48,13 @@
The following OpenIDs will be associated with the account chosen or created below.
<ul>
%for openid in openids:
- <li>${openid.openid}</li>
+ <li>${openid.openid | h}</li>
%endfor
</ul></div>
%else:
<div>
- The OpenID <strong>${openids[0].openid}</strong> will be associated with the account chosen or created.
+ The OpenID <strong>${openids[0].openid | h}</strong> will be associated with the account chosen or created.
</div>
%endif
<br/>
diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 templates/user/toolbox_filters.mako
--- a/templates/user/toolbox_filters.mako
+++ b/templates/user/toolbox_filters.mako
@@ -15,7 +15,7 @@
%if tool_filters or section_filters or label_filters:
<div class="toolForm">
- <form name="toolbox_filter" id="toolbox_filter" action="${h.url_for( controller='user', action='edit_toolbox_filters', cntrller=cntrller, user_id=trans.security.encode_id( user.id ) )}" method="post" >
+ <form name="toolbox_filter" id="toolbox_filter" action="${h.url_for( controller='user', action='edit_toolbox_filters', cntrller=cntrller )}" method="post" >
% if tool_filters:
<div class="toolFormTitle">Edit ToolBox filters :: Tools</div><div class="toolFormBody">
@@ -87,5 +87,5 @@
</form></div>
%else:
- ${render_msg( 'No filter available. Contact you system administrator or check your configuration file.', 'info' )}
+ ${render_msg( 'No filters available. Contact your system administrator or check your configuration file.', 'info' )}
%endif
diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 templates/user/username.mako
--- a/templates/user/username.mako
+++ b/templates/user/username.mako
@@ -1,4 +1,9 @@
<%inherit file="/base.mako"/>
+<%namespace file="/message.mako" import="render_msg" />
+
+%if message:
+ ${render_msg( message, status )}
+%endif
<% is_admin = cntrller == 'admin' and trans.user_is_admin() %>
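Review bot: `${render_msg( message, status )}` is added with no indication of which side is responsible for escaping, while the other expressions touched in this changeset carry an explicit `| h`. The controller escapes the user-chosen name before building the text (`'The username has been updated to: %s' % escape( username )`), so this relies on `render_msg` emitting `message` as given; `message.mako` is not shown on this page, so that is an assumption. A Mako comment above the block would record the contract, e.g. `## message is HTML-escaped by the controller before it reaches this template`.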
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
--
This is a commit notification from bitbucket.org. You are receiving
this because you have the service enabled, addressing the recipient of
this email.
3 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/98ed01f41e80/
Changeset: 98ed01f41e80
Branch: stable
User: natefoo
Date: 2014-12-03 17:23:01+00:00
Summary: Validate that toolbox filters specified by the user have been configured by the administrator.
Affected #: 3 files
diff -r 546ff6ef27b4b83e26ae228c292fd981173ac550 -r 98ed01f41e8005d7165a78db25ccab3e0bbe2291 lib/galaxy/tools/filters/__init__.py
--- a/lib/galaxy/tools/filters/__init__.py
+++ b/lib/galaxy/tools/filters/__init__.py
@@ -1,6 +1,10 @@
+import logging
from galaxy.util import listify
from copy import deepcopy
+log = logging.getLogger( __name__ )
+
+
class FilterFactory( object ):
"""
An instance of this class is responsible for filtering the list
@@ -37,17 +41,21 @@
elif name == 'toolbox_label_filters':
category = "label"
if category:
- self.__init_filters( category, user_filters, filters )
+ validate = getattr( trans.app.config, 'user_%s_filters' % category, [] )
+ self.__init_filters( category, user_filters, filters, validate=validate )
else:
if kwds.get( "trackster", False ):
filters[ "tool" ].append( _has_trackster_conf )
return filters
- def __init_filters( self, key, filters, toolbox_filters ):
+ def __init_filters( self, key, filters, toolbox_filters, validate=None ):
for filter in filters:
- filter_function = self.__build_filter_function( filter )
- toolbox_filters[ key ].append( filter_function )
+ if validate is None or filter in validate or filter in self.default_filters:
+ filter_function = self.__build_filter_function( filter )
+ toolbox_filters[ key ].append( filter_function )
+ else:
+ log.warning( "Refusing to load %s filter '%s' which is not defined in config", key, filter )
return toolbox_filters
def __build_filter_function( self, filter_name ):
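Review bot: `__init_filters` treats `validate=None` as "skip the check", so the allowlist is opt-in per call site and a later caller that passes user-stored names without the keyword would load them unchecked. Only the `if category:` call in this hunk passes `validate`; whether other callers exist is not visible here. The method also has no docstring saying which argument is the administrator's list, so I would add one, for instance `"""Append a filter function for each name in filters; when validate is given, names found neither in validate nor in self.default_filters are refused and logged."""`. `__build_filter_function` begins on the last line of the hunk and its body is outside it.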
diff -r 546ff6ef27b4b83e26ae228c292fd981173ac550 -r 98ed01f41e8005d7165a78db25ccab3e0bbe2291 lib/galaxy/webapps/galaxy/controllers/user.py
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -1228,57 +1228,48 @@
filters.append( dict( filterpath=filter_name, short_desc=sdesc, desc=description, checked=False ) )
return filters
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
+ saved_user_tool_filters = list()
+ saved_user_section_filters = list()
+ saved_user_label_filters = list()
- user_id = params.get( 'user_id', False )
- if user_id:
- user = trans.sa_session.query( trans.app.model.User ).get( trans.security.decode_id( user_id ) )
- else:
- user = trans.user
+ for name, value in trans.user.preferences.items():
+ if name == 'toolbox_tool_filters':
+ saved_user_tool_filters = listify( value, do_strip=True )
+ elif name == 'toolbox_section_filters':
+ saved_user_section_filters = listify( value, do_strip=True )
+ elif name == 'toolbox_label_filters':
+ saved_user_label_filters = listify( value, do_strip=True )
- if user:
- saved_user_tool_filters = list()
- saved_user_section_filters = list()
- saved_user_label_filters = list()
+ tool_filters = get_filter_mapping( saved_user_tool_filters, trans.app.config.user_tool_filters )
+ section_filters = get_filter_mapping( saved_user_section_filters, trans.app.config.user_section_filters )
+ label_filters = get_filter_mapping( saved_user_label_filters, trans.app.config.user_label_filters )
- for name, value in user.preferences.items():
- if name == 'toolbox_tool_filters':
- saved_user_tool_filters = listify( value, do_strip=True )
- elif name == 'toolbox_section_filters':
- saved_user_section_filters = listify( value, do_strip=True )
- elif name == 'toolbox_label_filters':
- saved_user_label_filters = listify( value, do_strip=True )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
+ status = util.restore_text( kwd.get( 'status', 'done' ) )
- tool_filters = get_filter_mapping( saved_user_tool_filters, trans.app.config.user_tool_filters )
- section_filters = get_filter_mapping( saved_user_section_filters, trans.app.config.user_section_filters )
- label_filters = get_filter_mapping( saved_user_label_filters, trans.app.config.user_label_filters )
-
- return trans.fill_template( 'user/toolbox_filters.mako',
- cntrller=cntrller,
- message=message,
- tool_filters=tool_filters,
- section_filters=section_filters,
- label_filters=label_filters,
- user=user,
- status=status )
- else:
- # User not logged in, history group must be only public
- return trans.show_error_message( "You must be logged in to change private toolbox filters." )
+ return trans.fill_template( 'user/toolbox_filters.mako',
+ cntrller=cntrller,
+ message=message,
+ tool_filters=tool_filters,
+ section_filters=section_filters,
+ label_filters=label_filters,
+ user=trans.user,
+ status=status)
@web.expose
@web.require_login( "to change the private toolbox filters" )
def edit_toolbox_filters( self, trans, cntrller, **kwd ):
+ def validate( user_filters, filter_type ):
+ rval = []
+ config_filters = getattr( trans.app.config, 'user_%s_filters' % filter_type, [] )
+ for f in user_filters:
+ if f not in config_filters:
+ log.warning( 'User provided filter %s which is not in user_%s_filters', f, filter_type )
+ else:
+ rval.append( f )
+ return rval
+
params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- user_id = params.get( 'user_id', False )
- if not user_id:
- # User must be logged in to create a new address
- return trans.show_error_message( "You must be logged in to change the ToolBox filters." )
-
- user = trans.sa_session.query( trans.app.model.User ).get( trans.security.decode_id( user_id ) )
-
if params.get( 'edit_toolbox_filter_button', False ):
tool_filters = list()
section_filters = list()
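Review bot: `status = util.restore_text( kwd.get( 'status', 'done' ) )` takes a request parameter and hands it to the template without `escape()` or a check against the expected values, while `message` on the line above it is escaped. If `toolbox_filters.mako` or `render_msg` places `status` in markup (for example as a class name, which is not visible on this page), it is a second injection point next to the one this commit closes. Restricting it is cheap: `if status not in ( 'done', 'info', 'warning', 'error' ): status = 'done'`, with the tuple adjusted to the statuses the message template really supports. The same unescaped `status = ...get( 'status', 'done' )` pattern remains as context in the `@@ -453` and `@@ -629` hunks of changeset c0e27e99def9.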
@@ -1291,13 +1282,13 @@
label_filters.append( name[2:] )
elif name.startswith('s_'):
section_filters.append( name[2:] )
- user.preferences['toolbox_tool_filters'] = ','.join( tool_filters )
- user.preferences['toolbox_section_filters'] = ','.join( section_filters )
- user.preferences['toolbox_label_filters'] = ','.join( label_filters )
+ trans.user.preferences['toolbox_tool_filters'] = ','.join( validate( tool_filters, 'tool' ) )
+ trans.user.preferences['toolbox_section_filters'] = ','.join( validate( section_filters, 'section' ) )
+ trans.user.preferences['toolbox_label_filters'] = ','.join( validate( label_filters, 'label' ) )
- trans.sa_session.add( user )
+ trans.sa_session.add( trans.user )
trans.sa_session.flush()
- message = 'ToolBox filters has been updated.'
+ message = 'ToolBox filters have been updated.'
kwd = dict( message=message, status='done' )
# Display the ToolBox filters form with the current values filled in
diff -r 546ff6ef27b4b83e26ae228c292fd981173ac550 -r 98ed01f41e8005d7165a78db25ccab3e0bbe2291 templates/user/toolbox_filters.mako
--- a/templates/user/toolbox_filters.mako
+++ b/templates/user/toolbox_filters.mako
@@ -15,7 +15,7 @@
%if tool_filters or section_filters or label_filters:
<div class="toolForm">
- <form name="toolbox_filter" id="toolbox_filter" action="${h.url_for( controller='user', action='edit_toolbox_filters', cntrller=cntrller, user_id=trans.security.encode_id( user.id ) )}" method="post" >
+ <form name="toolbox_filter" id="toolbox_filter" action="${h.url_for( controller='user', action='edit_toolbox_filters', cntrller=cntrller )}" method="post" >
% if tool_filters:
<div class="toolFormTitle">Edit ToolBox filters :: Tools</div><div class="toolFormBody">
@@ -87,5 +87,5 @@
</form></div>
%else:
- ${render_msg( 'No filter available. Contact you system administrator or check your configuration file.', 'info' )}
+ ${render_msg( 'No filters available. Contact your system administrator or check your configuration file.', 'info' )}
%endif
https://bitbucket.org/galaxy/galaxy-central/commits/c0e27e99def9/
Changeset: c0e27e99def9
Branch: stable
User: natefoo
Date: 2014-12-03 20:57:58+00:00
Summary: Remaining user function template XSS cleanup. Also fix login redirection security in the OpenID methods.
Affected #: 4 files
diff -r 98ed01f41e8005d7165a78db25ccab3e0bbe2291 -r c0e27e99def95496603c9c63aee17ac48203de50 lib/galaxy/webapps/galaxy/controllers/user.py
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -295,7 +295,7 @@
message=message,
status='info' ) )
if redirect:
- return trans.response.send_redirect( redirect )
+ return trans.response.send_redirect( self.__get_redirect_url( redirect ) )
return trans.response.send_redirect( url_for( controller='user',
action='openid_manage',
use_panels=use_panels,
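Review bot: The `if redirect:` test still looks at the raw request value while the value actually sent is `self.__get_redirect_url( redirect )`, so the branch is chosen on unsanitised input. `__get_redirect_url` is defined outside this page; if it can return an empty string for a URL it rejects, `send_redirect` is called with that empty value instead of falling through to the `openid_manage` redirect below. Sanitising once and testing the result avoids that: `redirect = self.__get_redirect_url( redirect )` placed ahead of `if redirect:` (with a guard for an absent parameter if the helper does not accept one). The `@@ -347` hunk has the same shape.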
@@ -347,7 +347,7 @@
message=message,
status='info' ) )
if redirect:
- return trans.response.send_redirect( redirect )
+ return trans.response.send_redirect( self.__get_redirect_url( redirect ) )
return trans.response.send_redirect( url_for( controller='user',
action='openid_manage',
use_panels=use_panels,
@@ -453,7 +453,7 @@
redirect = self.__get_redirect_url( kwd.get( 'redirect', trans.request.referer ).strip() )
redirect_url = '' # always start with redirect_url being empty
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
header = ''
user = trans.user
@@ -606,7 +606,7 @@
refresh_frames = [ 'masthead' ]
trans.handle_user_logout( logout_all=logout_all )
message = 'You have been logged out.<br>You can log in again, <a target="_top" href="%s">go back to the page you were visiting</a> or <a target="_top" href="%s">go to the home page</a>.' % \
- ( trans.request.referer, url_for( '/' ) )
+ ( escape( trans.request.referer ), url_for( '/' ) )
if biostar.biostar_logged_in( trans ):
biostar_url = biostar.biostar_logout( trans )
if biostar_url:
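Review bot: `escape( trans.request.referer )` stops the header value from breaking out of the `href` attribute, but it does not restrict where the resulting link points, so the logged-out page still offers a link whose target is taken from the request. The login code in the `@@ -453` hunk passes the same header through `self.__get_redirect_url(...)` first; doing so here would keep the two paths consistent: `( escape( self.__get_redirect_url( trans.request.referer ) ), url_for( '/' ) )`, assuming this method sits on the same controller class and the helper copes with a missing header. The enclosing method begins and ends outside the hunk.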
@@ -629,7 +629,7 @@
if honeypot_field != '':
return trans.show_error_message( "You've been flagged as a possible bot. If you are not, please try registering again and fill the form out carefully. <a target=\"_top\" href=\"%s\">Go to the home page</a>." ) % url_for( '/' )
- message = util.restore_text( params.get( 'message', '' ) )
+ message = escape( util.restore_text( params.get( 'message', '' ) ) )
status = params.get( 'status', 'done' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', True ) )
email = util.restore_text( params.get( 'email', '' ) )
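Review bot: In the honeypot branch kept as context, the `%` operator is applied to the return value of `trans.show_error_message( ... )` rather than to the string, because the closing parenthesis comes before `% url_for( '/' )`. The message is therefore passed on with a literal `%s` in the link, and the formatting is then attempted on whatever `show_error_message` returns. Moving the parenthesis fixes it: `return trans.show_error_message( "...<a target=\"_top\" href=\"%s\">Go to the home page</a>." % url_for( '/' ) )`. This is outside the lines the commit changes, but it sits just above the new `escape(...)` call.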
@@ -659,9 +659,11 @@
# Create the user, save all the user info and login to Galaxy
if params.get( 'create_user_button', False ):
# Check email and password validity
+ # Note: message does not need to be escaped (it is clean)
message = self.__validate( trans, params, email, password, confirm, username )
if not message:
# All the values are valid
+ # message does not need to be escaped here either
message, status, user, success = self.__register( trans,
cntrller,
subscribe_checked,
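Review bot: The two added comments assert that `message` is clean without saying why, which gives the next editor nothing to verify against. From the other hunks in this changeset, `__register` escapes `user.email` itself before building its messages; `__validate` is not shown, so whether it ever echoes submitted values is an assumption. I would state the invariant instead, e.g. `# __validate() must return only fixed text or already-escaped values; it is not escaped again before rendering` and `# __register() escapes user.email itself, so message is not escaped again here`.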
@@ -675,7 +677,7 @@
trans.log_event( "User created a new account" )
trans.log_event( "User logged in" )
if success and is_admin:
- message = 'Created new user account (%s)' % user.email
+ message = 'Created new user account (%s)' % escape( user.email )
trans.response.send_redirect( web.url_for( controller='admin',
action='users',
cntrller=cntrller,
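Review bot: `escape( user.email )` is applied to text that is then carried in a redirect URL to the `admin`/`users` action (the `message=` argument is explicit in the `@@ -762` hunk; here the `url_for(...)` call is cut off by the hunk end), which is the wrong place for the protection. Anyone can request that URL with a `message` value of their own, so the receiving action has to escape the parameter when it renders it, and once it does, the pre-escaped address shows up double-encoded. I would leave the value raw in the redirect and confirm that the `users` action escapes `message` on output; that code is not on this page.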
@@ -743,7 +745,7 @@
if subscribe_checked:
# subscribe user to email list
if trans.app.config.smtp_server is None:
- error = "Now logged in as " + user.email + ". However, subscribing to the mailing list has failed because mail is not configured for this Galaxy instance. <br>Please contact your local Galaxy administrator."
+ error = "Now logged in as " + escape( user.email ) + ". However, subscribing to the mailing list has failed because mail is not configured for this Galaxy instance. <br>Please contact your local Galaxy administrator."
else:
body = 'Join Mailing list.\n'
to = trans.app.config.mailing_join_addr
@@ -752,7 +754,7 @@
try:
util.send_mail( frm, to, subject, body, trans.app.config )
except:
- error = "Now logged in as " + user.email + ". However, subscribing to the mailing list has failed."
+ error = "Now logged in as " + escape( user.email ) + ". However, subscribing to the mailing list has failed."
if not error and not is_admin:
# The handle_user_login() method has a call to the history_set_default_permissions() method
# (needed when logging in with a history), user needs to have default permissions set before logging in
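Review bot: The bare `except:` around `util.send_mail(...)` (context here, directly above the changed line) also catches `SystemExit` and `KeyboardInterrupt` and discards the reason the mail failed, leaving only the user-facing text. `except Exception:` followed by `log.exception( 'Subscribing to the mailing list failed' )` keeps the behaviour and leaves a trace for whoever has to debug the SMTP setup. `log` is already used in this file by the `validate()` helper added in this pull request.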
@@ -762,7 +764,7 @@
elif not error:
trans.response.send_redirect( web.url_for( controller='admin',
action='users',
- message='Created new user account (%s)' % user.email,
+ message='Created new user account (%s)' % escape( user.email ),
status=status ) )
if error:
message = error
@@ -772,7 +774,7 @@
if trans.webapp.name == 'galaxy' and trans.app.config.user_activation_on:
is_activation_sent = self.send_verification_email( trans, email, username )
if is_activation_sent:
- message = 'Now logged in as %s.<br>Verification email has been sent to your email address. Please verify it by clicking the activation link in the email.<br>Please check your spam/trash folder in case you cannot find the message.<br><a target="_top" href="%s">Return to the home page.</a>' % ( user.email, url_for( '/' ) )
+ message = 'Now logged in as %s.<br>Verification email has been sent to your email address. Please verify it by clicking the activation link in the email.<br>Please check your spam/trash folder in case you cannot find the message.<br><a target="_top" href="%s">Return to the home page.</a>' % ( escape( user.email ), url_for( '/' ) )
success = True
else:
message = 'Unable to send activation email, please contact your local Galaxy administrator.'
@@ -780,7 +782,7 @@
message += ' Contact: %s' % trans.app.config.error_email_to
success = False
else: # User activation is OFF, proceed without sending the activation email.
- message = 'Now logged in as %s.<br><a target="_top" href="%s">Return to the home page.</a>' % ( user.email, url_for( '/' ) )
+ message = 'Now logged in as %s.<br><a target="_top" href="%s">Return to the home page.</a>' % ( escape( user.email ), url_for( '/' ) )
success = True
return ( message, status, user, success )
@@ -970,7 +972,7 @@
user.username = username
trans.sa_session.add( user )
trans.sa_session.flush()
- message = 'The username has been updated with the changes.'
+ message = 'The username has been updated to: %s' % escape( username )
return trans.fill_template( '/user/username.mako',
cntrller=cntrller,
user=user,
@@ -1177,7 +1179,7 @@
message = 'Default new history permissions have been changed.'
return trans.fill_template( 'user/permissions.mako',
cntrller=cntrller,
- message=message,
+ message=escape( message ),
status=status )
else:
# User not logged in, history group must be only public
diff -r 98ed01f41e8005d7165a78db25ccab3e0bbe2291 -r c0e27e99def95496603c9c63aee17ac48203de50 templates/user/dbkeys.mako
--- a/templates/user/dbkeys.mako
+++ b/templates/user/dbkeys.mako
@@ -148,7 +148,7 @@
Processing
% endif
</td>
- <td><form action="dbkeys" method="post"><input type="hidden" name="key" value="${key}" /><input type="submit" name="delete" value="Delete" /></form></td>
+ <td><form action="dbkeys" method="post"><input type="hidden" name="key" value="${key | h}" /><input type="submit" name="delete" value="Delete" /></form></td></tr>
% endfor
</table>
@@ -194,7 +194,7 @@
<div style="clear: both; padding-bottom: 0.5em"></div><select id="fasta_input" name="dataset_id">
%for dataset in fasta_hdas:
- <option value="${trans.security.encode_id( dataset.id )}">${dataset.hid}: ${dataset.name}</option>
+ <option value="${trans.security.encode_id( dataset.id )}">${dataset.hid | h}: ${dataset.name | h}</option>
%endfor
</select><input type="file" id="len_file_input" name="len_file" /></input>
diff -r 98ed01f41e8005d7165a78db25ccab3e0bbe2291 -r c0e27e99def95496603c9c63aee17ac48203de50 templates/user/openid_associate.mako
--- a/templates/user/openid_associate.mako
+++ b/templates/user/openid_associate.mako
@@ -48,13 +48,13 @@
The following OpenIDs will be associated with the account chosen or created below.
<ul>
%for openid in openids:
- <li>${openid.openid}</li>
+ <li>${openid.openid | h}</li>
%endfor
</ul></div>
%else:
<div>
- The OpenID <strong>${openids[0].openid}</strong> will be associated with the account chosen or created.
+ The OpenID <strong>${openids[0].openid | h}</strong> will be associated with the account chosen or created.
</div>
%endif
<br/>
diff -r 98ed01f41e8005d7165a78db25ccab3e0bbe2291 -r c0e27e99def95496603c9c63aee17ac48203de50 templates/user/username.mako
--- a/templates/user/username.mako
+++ b/templates/user/username.mako
@@ -1,4 +1,9 @@
<%inherit file="/base.mako"/>
+<%namespace file="/message.mako" import="render_msg" />
+
+%if message:
+ ${render_msg( message, status )}
+%endif
<% is_admin = cntrller == 'admin' and trans.user_is_admin() %>
https://bitbucket.org/galaxy/galaxy-central/commits/f76fb3c40d55/
Changeset: f76fb3c40d55
Branch: stable
User: martenson
Date: 2014-12-05 16:54:22+00:00
Summary: Merged in natefoo/galaxy-central/stable (pull request #588)
[STABLE] XSS fixes for remaining user templates and a few other security fixes
Affected #: 6 files
diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 lib/galaxy/tools/filters/__init__.py
--- a/lib/galaxy/tools/filters/__init__.py
+++ b/lib/galaxy/tools/filters/__init__.py
@@ -1,6 +1,10 @@
+import logging
from galaxy.util import listify
from copy import deepcopy
+log = logging.getLogger( __name__ )
+
+
class FilterFactory( object ):
"""
An instance of this class is responsible for filtering the list
@@ -37,17 +41,21 @@
elif name == 'toolbox_label_filters':
category = "label"
if category:
- self.__init_filters( category, user_filters, filters )
+ validate = getattr( trans.app.config, 'user_%s_filters' % category, [] )
+ self.__init_filters( category, user_filters, filters, validate=validate )
else:
if kwds.get( "trackster", False ):
filters[ "tool" ].append( _has_trackster_conf )
return filters
- def __init_filters( self, key, filters, toolbox_filters ):
+ def __init_filters( self, key, filters, toolbox_filters, validate=None ):
for filter in filters:
- filter_function = self.__build_filter_function( filter )
- toolbox_filters[ key ].append( filter_function )
+ if validate is None or filter in validate or filter in self.default_filters:
+ filter_function = self.__build_filter_function( filter )
+ toolbox_filters[ key ].append( filter_function )
+ else:
+ log.warning( "Refusing to load %s filter '%s' which is not defined in config", key, filter )
return toolbox_filters
def __build_filter_function( self, filter_name ):
diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 lib/galaxy/webapps/galaxy/controllers/user.py
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -295,7 +295,7 @@
message=message,
status='info' ) )
if redirect:
- return trans.response.send_redirect( redirect )
+ return trans.response.send_redirect( self.__get_redirect_url( redirect ) )
return trans.response.send_redirect( url_for( controller='user',
action='openid_manage',
use_panels=use_panels,
@@ -347,7 +347,7 @@
message=message,
status='info' ) )
if redirect:
- return trans.response.send_redirect( redirect )
+ return trans.response.send_redirect( self.__get_redirect_url( redirect ) )
return trans.response.send_redirect( url_for( controller='user',
action='openid_manage',
use_panels=use_panels,
@@ -453,7 +453,7 @@
redirect = self.__get_redirect_url( kwd.get( 'redirect', trans.request.referer ).strip() )
redirect_url = '' # always start with redirect_url being empty
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
header = ''
user = trans.user
@@ -606,7 +606,7 @@
refresh_frames = [ 'masthead' ]
trans.handle_user_logout( logout_all=logout_all )
message = 'You have been logged out.<br>You can log in again, <a target="_top" href="%s">go back to the page you were visiting</a> or <a target="_top" href="%s">go to the home page</a>.' % \
- ( trans.request.referer, url_for( '/' ) )
+ ( escape( trans.request.referer ), url_for( '/' ) )
if biostar.biostar_logged_in( trans ):
biostar_url = biostar.biostar_logout( trans )
if biostar_url:
@@ -629,7 +629,7 @@
if honeypot_field != '':
return trans.show_error_message( "You've been flagged as a possible bot. If you are not, please try registering again and fill the form out carefully. <a target=\"_top\" href=\"%s\">Go to the home page</a>." ) % url_for( '/' )
- message = util.restore_text( params.get( 'message', '' ) )
+ message = escape( util.restore_text( params.get( 'message', '' ) ) )
status = params.get( 'status', 'done' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', True ) )
email = util.restore_text( params.get( 'email', '' ) )
@@ -659,9 +659,11 @@
# Create the user, save all the user info and login to Galaxy
if params.get( 'create_user_button', False ):
# Check email and password validity
+ # Note: message does not need to be escaped (it is clean)
message = self.__validate( trans, params, email, password, confirm, username )
if not message:
# All the values are valid
+ # message does not need to be escaped here either
message, status, user, success = self.__register( trans,
cntrller,
subscribe_checked,
@@ -675,7 +677,7 @@
trans.log_event( "User created a new account" )
trans.log_event( "User logged in" )
if success and is_admin:
- message = 'Created new user account (%s)' % user.email
+ message = 'Created new user account (%s)' % escape( user.email )
trans.response.send_redirect( web.url_for( controller='admin',
action='users',
cntrller=cntrller,
@@ -743,7 +745,7 @@
if subscribe_checked:
# subscribe user to email list
if trans.app.config.smtp_server is None:
- error = "Now logged in as " + user.email + ". However, subscribing to the mailing list has failed because mail is not configured for this Galaxy instance. <br>Please contact your local Galaxy administrator."
+ error = "Now logged in as " + escape( user.email ) + ". However, subscribing to the mailing list has failed because mail is not configured for this Galaxy instance. <br>Please contact your local Galaxy administrator."
else:
body = 'Join Mailing list.\n'
to = trans.app.config.mailing_join_addr
@@ -752,7 +754,7 @@
try:
util.send_mail( frm, to, subject, body, trans.app.config )
except:
- error = "Now logged in as " + user.email + ". However, subscribing to the mailing list has failed."
+ error = "Now logged in as " + escape( user.email ) + ". However, subscribing to the mailing list has failed."
if not error and not is_admin:
# The handle_user_login() method has a call to the history_set_default_permissions() method
# (needed when logging in with a history), user needs to have default permissions set before logging in
@@ -762,7 +764,7 @@
elif not error:
trans.response.send_redirect( web.url_for( controller='admin',
action='users',
- message='Created new user account (%s)' % user.email,
+ message='Created new user account (%s)' % escape( user.email ),
status=status ) )
if error:
message = error
@@ -772,7 +774,7 @@
if trans.webapp.name == 'galaxy' and trans.app.config.user_activation_on:
is_activation_sent = self.send_verification_email( trans, email, username )
if is_activation_sent:
- message = 'Now logged in as %s.<br>Verification email has been sent to your email address. Please verify it by clicking the activation link in the email.<br>Please check your spam/trash folder in case you cannot find the message.<br><a target="_top" href="%s">Return to the home page.</a>' % ( user.email, url_for( '/' ) )
+ message = 'Now logged in as %s.<br>Verification email has been sent to your email address. Please verify it by clicking the activation link in the email.<br>Please check your spam/trash folder in case you cannot find the message.<br><a target="_top" href="%s">Return to the home page.</a>' % ( escape( user.email ), url_for( '/' ) )
success = True
else:
message = 'Unable to send activation email, please contact your local Galaxy administrator.'
@@ -780,7 +782,7 @@
message += ' Contact: %s' % trans.app.config.error_email_to
success = False
else: # User activation is OFF, proceed without sending the activation email.
- message = 'Now logged in as %s.<br><a target="_top" href="%s">Return to the home page.</a>' % ( user.email, url_for( '/' ) )
+ message = 'Now logged in as %s.<br><a target="_top" href="%s">Return to the home page.</a>' % ( escape( user.email ), url_for( '/' ) )
success = True
return ( message, status, user, success )
@@ -970,7 +972,7 @@
user.username = username
trans.sa_session.add( user )
trans.sa_session.flush()
- message = 'The username has been updated with the changes.'
+ message = 'The username has been updated to: %s' % escape( username )
return trans.fill_template( '/user/username.mako',
cntrller=cntrller,
user=user,
@@ -1177,7 +1179,7 @@
message = 'Default new history permissions have been changed.'
return trans.fill_template( 'user/permissions.mako',
cntrller=cntrller,
- message=message,
+ message=escape( message ),
status=status )
else:
# User not logged in, history group must be only public
@@ -1228,57 +1230,48 @@
filters.append( dict( filterpath=filter_name, short_desc=sdesc, desc=description, checked=False ) )
return filters
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
+ saved_user_tool_filters = list()
+ saved_user_section_filters = list()
+ saved_user_label_filters = list()
- user_id = params.get( 'user_id', False )
- if user_id:
- user = trans.sa_session.query( trans.app.model.User ).get( trans.security.decode_id( user_id ) )
- else:
- user = trans.user
+ for name, value in trans.user.preferences.items():
+ if name == 'toolbox_tool_filters':
+ saved_user_tool_filters = listify( value, do_strip=True )
+ elif name == 'toolbox_section_filters':
+ saved_user_section_filters = listify( value, do_strip=True )
+ elif name == 'toolbox_label_filters':
+ saved_user_label_filters = listify( value, do_strip=True )
- if user:
- saved_user_tool_filters = list()
- saved_user_section_filters = list()
- saved_user_label_filters = list()
+ tool_filters = get_filter_mapping( saved_user_tool_filters, trans.app.config.user_tool_filters )
+ section_filters = get_filter_mapping( saved_user_section_filters, trans.app.config.user_section_filters )
+ label_filters = get_filter_mapping( saved_user_label_filters, trans.app.config.user_label_filters )
- for name, value in user.preferences.items():
- if name == 'toolbox_tool_filters':
- saved_user_tool_filters = listify( value, do_strip=True )
- elif name == 'toolbox_section_filters':
- saved_user_section_filters = listify( value, do_strip=True )
- elif name == 'toolbox_label_filters':
- saved_user_label_filters = listify( value, do_strip=True )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
+ status = util.restore_text( kwd.get( 'status', 'done' ) )
- tool_filters = get_filter_mapping( saved_user_tool_filters, trans.app.config.user_tool_filters )
- section_filters = get_filter_mapping( saved_user_section_filters, trans.app.config.user_section_filters )
- label_filters = get_filter_mapping( saved_user_label_filters, trans.app.config.user_label_filters )
-
- return trans.fill_template( 'user/toolbox_filters.mako',
- cntrller=cntrller,
- message=message,
- tool_filters=tool_filters,
- section_filters=section_filters,
- label_filters=label_filters,
- user=user,
- status=status )
- else:
- # User not logged in, history group must be only public
- return trans.show_error_message( "You must be logged in to change private toolbox filters." )
+ return trans.fill_template( 'user/toolbox_filters.mako',
+ cntrller=cntrller,
+ message=message,
+ tool_filters=tool_filters,
+ section_filters=section_filters,
+ label_filters=label_filters,
+ user=trans.user,
+ status=status)
@web.expose
@web.require_login( "to change the private toolbox filters" )
def edit_toolbox_filters( self, trans, cntrller, **kwd ):
+ def validate( user_filters, filter_type ):
+ rval = []
+ config_filters = getattr( trans.app.config, 'user_%s_filters' % filter_type, [] )
+ for f in user_filters:
+ if f not in config_filters:
+ log.warning( 'User provided filter %s which is not in user_%s_filters', f, filter_type )
+ else:
+ rval.append( f )
+ return rval
+
params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- user_id = params.get( 'user_id', False )
- if not user_id:
- # User must be logged in to create a new address
- return trans.show_error_message( "You must be logged in to change the ToolBox filters." )
-
- user = trans.sa_session.query( trans.app.model.User ).get( trans.security.decode_id( user_id ) )
-
if params.get( 'edit_toolbox_filter_button', False ):
tool_filters = list()
section_filters = list()
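Review bot: The rewritten body reads `trans.user.preferences.items()` unconditionally, whereas the removed code fell back to an error page when no user was available (`if user: ... else: return trans.show_error_message(...)`). `edit_toolbox_filters` further down is decorated with `@web.require_login(...)`, but the decorators of the function this body belongs to are above the hunk; if that function is not login-protected, an anonymous request now raises `AttributeError` on `None`. Either confirm the decorator is present or keep a guard: `if trans.user is None: return trans.show_error_message( "You must be logged in to change private toolbox filters." )`.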
@@ -1291,13 +1284,13 @@
label_filters.append( name[2:] )
elif name.startswith('s_'):
section_filters.append( name[2:] )
- user.preferences['toolbox_tool_filters'] = ','.join( tool_filters )
- user.preferences['toolbox_section_filters'] = ','.join( section_filters )
- user.preferences['toolbox_label_filters'] = ','.join( label_filters )
+ trans.user.preferences['toolbox_tool_filters'] = ','.join( validate( tool_filters, 'tool' ) )
+ trans.user.preferences['toolbox_section_filters'] = ','.join( validate( section_filters, 'section' ) )
+ trans.user.preferences['toolbox_label_filters'] = ','.join( validate( label_filters, 'label' ) )
- trans.sa_session.add( user )
+ trans.sa_session.add( trans.user )
trans.sa_session.flush()
- message = 'ToolBox filters has been updated.'
+ message = 'ToolBox filters have been updated.'
kwd = dict( message=message, status='done' )
# Display the ToolBox filters form with the current values filled in
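Review bot: The success message after the three `validate(...)` calls is set unconditionally, so a submission whose filter names were all rejected still reports 'ToolBox filters have been updated.' and the only trace is the `log.warning` inside the helper. Consider having `validate` also return the rejected names and choosing a non-'done' status and message when any were dropped. The warning writes the submitted name into the log verbatim and without identifying the account; `log.warning( 'User %s provided filter %r which is not in user_%s_filters', trans.user.id, f, filter_type )` keeps the entry on one line and attributable. The enclosing function starts above this hunk and continues below it.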
diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 templates/user/dbkeys.mako
--- a/templates/user/dbkeys.mako
+++ b/templates/user/dbkeys.mako
@@ -148,7 +148,7 @@
Processing
% endif
</td>
- <td><form action="dbkeys" method="post"><input type="hidden" name="key" value="${key}" /><input type="submit" name="delete" value="Delete" /></form></td>
+ <td><form action="dbkeys" method="post"><input type="hidden" name="key" value="${key | h}" /><input type="submit" name="delete" value="Delete" /></form></td></tr>
% endfor
</table>
@@ -194,7 +194,7 @@
<div style="clear: both; padding-bottom: 0.5em"></div><select id="fasta_input" name="dataset_id">
%for dataset in fasta_hdas:
- <option value="${trans.security.encode_id( dataset.id )}">${dataset.hid}: ${dataset.name}</option>
+ <option value="${trans.security.encode_id( dataset.id )}">${dataset.hid | h}: ${dataset.name | h}</option>
%endfor
</select><input type="file" id="len_file_input" name="len_file" /></input>
diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 templates/user/openid_associate.mako
--- a/templates/user/openid_associate.mako
+++ b/templates/user/openid_associate.mako
@@ -48,13 +48,13 @@
The following OpenIDs will be associated with the account chosen or created below.
<ul>
%for openid in openids:
- <li>${openid.openid}</li>
+ <li>${openid.openid | h}</li>
%endfor
</ul></div>
%else:
<div>
- The OpenID <strong>${openids[0].openid}</strong> will be associated with the account chosen or created.
+ The OpenID <strong>${openids[0].openid | h}</strong> will be associated with the account chosen or created.
</div>
%endif
<br/>
diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 templates/user/toolbox_filters.mako
--- a/templates/user/toolbox_filters.mako
+++ b/templates/user/toolbox_filters.mako
@@ -15,7 +15,7 @@
%if tool_filters or section_filters or label_filters:
<div class="toolForm">
- <form name="toolbox_filter" id="toolbox_filter" action="${h.url_for( controller='user', action='edit_toolbox_filters', cntrller=cntrller, user_id=trans.security.encode_id( user.id ) )}" method="post" >
+ <form name="toolbox_filter" id="toolbox_filter" action="${h.url_for( controller='user', action='edit_toolbox_filters', cntrller=cntrller )}" method="post" >
% if tool_filters:
<div class="toolFormTitle">Edit ToolBox filters :: Tools</div><div class="toolFormBody">
@@ -87,5 +87,5 @@
</form></div>
%else:
- ${render_msg( 'No filter available. Contact you system administrator or check your configuration file.', 'info' )}
+ ${render_msg( 'No filters available. Contact your system administrator or check your configuration file.', 'info' )}
%endif
diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 templates/user/username.mako
--- a/templates/user/username.mako
+++ b/templates/user/username.mako
@@ -1,4 +1,9 @@
<%inherit file="/base.mako"/>
+<%namespace file="/message.mako" import="render_msg" />
+
+%if message:
+ ${render_msg( message, status )}
+%endif
<% is_admin = cntrller == 'admin' and trans.user_is_admin() %>
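Review bot: The added `render_msg( message, status )` call passes both values through without a filter, so this template is only as safe as the controller action that fills it. If `render_msg` does not escape its arguments itself (not visible here), `message` and `status` must be escaped or restricted in every action that renders username.mako. A short comment above the block stating that contract, e.g. `## message and status must arrive HTML-escaped from the controller`, would make the dependency explicit.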
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
commit/galaxy-central: martenson: Merged in dan/galaxy-central-prs/stable (pull request #593)
by commits-noreply@bitbucket.org 05 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/de92a7b85033/
Changeset: de92a7b85033
Branch: stable
User: martenson
Date: 2014-12-05 16:49:14+00:00
Summary: Merged in dan/galaxy-central-prs/stable (pull request #593)
[STABLE] Some web sanitization for Data Managers and Biostar redirect.
Affected #: 4 files
diff -r 295fd99b1d578e4d58af673259b95e703750f757 -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 lib/galaxy/webapps/galaxy/controllers/data_manager.py
--- a/lib/galaxy/webapps/galaxy/controllers/data_manager.py
+++ b/lib/galaxy/webapps/galaxy/controllers/data_manager.py
@@ -7,6 +7,8 @@
pkg_resources.require( "Paste" )
import paste.httpexceptions
+from galaxy.web.framework.helpers import escape
+
#set up logger
import logging
log = logging.getLogger( __name__ )
@@ -18,8 +20,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
return trans.fill_template( "data_manager/index.mako", data_managers=trans.app.data_managers, tool_data_tables=trans.app.tool_data_tables, view_only=not_is_admin, message=message, status=status )
@web.expose
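Review bot: `status` is now escaped but still accepts any string from the request, and it is handed to the template where it presumably selects the message style. Escaping stops markup breakout, but restricting it to the fixed set of statuses the message template supports is tighter, e.g. `status = status if status in ALLOWED_STATUSES else 'info'` with `ALLOWED_STATUSES` defined once at module level. The same two lines are added again in the hunks at -27, -41 and -74 of this file, so a small shared helper would avoid four copies drifting apart. The enclosing functions start outside these hunks.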
@@ -27,8 +29,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
data_manager_id = kwd.get( 'id', None )
data_manager = trans.app.data_managers.get_manager( data_manager_id )
if data_manager is None:
@@ -41,8 +43,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
job_id = kwd.get( 'id', None )
try:
job_id = trans.security.decode_id( job_id )
@@ -62,7 +64,7 @@
data_manager_json = loads( open( hda.get_file_name() ).read() )
except Exception, e:
data_manager_json = {}
- error_messages.append( "Unable to obtain data_table info for hda (%s): %s" % ( hda.id, e ) )
+ error_messages.append( escape( "Unable to obtain data_table info for hda (%s): %s" % ( hda.id, e ) ) )
values = []
for key, value in data_manager_json.get( 'data_tables', {} ).iteritems():
values.append( ( key, value ) )
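Review bot: The new `escape(...)` wraps the whole error string in the controller, which makes the result depend on how the template prints `error_messages`: if it also applies `| h` the page shows literal `&lt;` entities, and if it does not, any other message appended to the list stays unescaped. Escaping once at the output site (`${ msg | h }` in the template loop) and keeping the list as plain text is easier to audit. The string also embeds the raw exception text, which can carry the dataset's server path to non-admin viewers when `enable_data_manager_user_view` is on; a generic message for the page plus `log.exception(...)` for the detail would avoid that. The enclosing function starts and ends outside this hunk.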
@@ -74,8 +76,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
data_table_name = kwd.get( 'table_name', None )
if not data_table_name:
return trans.response.send_redirect( web.url_for( controller="data_manager", action="index" ) )
diff -r 295fd99b1d578e4d58af673259b95e703750f757 -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 templates/webapps/galaxy/biostar/post_redirect.mako
--- a/templates/webapps/galaxy/biostar/post_redirect.mako
+++ b/templates/webapps/galaxy/biostar/post_redirect.mako
@@ -18,7 +18,7 @@
<p>If you are not automatically forwarded, click the button below:<p><form id="postRedirectForm" action="${post_url}" method="post" >
%for input_name, input_value in form_inputs.items():
- <input type="hidden" name="${input_name}" value="${input_value | h}">
+ <input type="hidden" name="${input_name | h}" value="${input_value | h}">
%endfor
<input type="submit" name="GalaxySubmitPostRedirectForm" id='GalaxySubmitPostRedirectForm' value="Click Here"></form>
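Review bot: `action="${post_url}"` on the form line just above the change is still emitted without a filter, so the hunk escapes the input names and values but not the destination URL. Unless `post_url` is guaranteed to be a fixed, configuration-derived value (not visible here), it should be written as `action="${post_url | h}"`. It is also worth confirming in the controller that the URL points at the configured Biostar host before the form is rendered, since the browser posts the form inputs to it automatically.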
diff -r 295fd99b1d578e4d58af673259b95e703750f757 -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 templates/webapps/galaxy/data_manager/manage_data_table.mako
--- a/templates/webapps/galaxy/data_manager/manage_data_table.mako
+++ b/templates/webapps/galaxy/data_manager/manage_data_table.mako
@@ -14,9 +14,9 @@
<% column_name_list = data_table.get_column_name_list() %><table class="tabletip"><thead>
- <tr><th colspan="${len (column_name_list) }" style="font-size: 120%;">
+ <tr><th colspan="${ len( column_name_list ) | h}" style="font-size: 120%;">
Data Manager: ${ data_table.name | h }
- <a class="icon-btn" href="${ h.url_for( controller="data_manager", action="reload_tool_data_tables", table_name=data_table.name ) }" title="Reload ${data_table.name} tool data table" data-placement="bottom">
+ <a class="icon-btn" href="${ h.url_for( controller="data_manager", action="reload_tool_data_tables", table_name=data_table.name ) }" title="Reload ${data_table.name | h} tool data table" data-placement="bottom"><span class="fa fa-refresh"></span></a></th></tr>
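Review bot: In the rewritten anchor line the `title` now uses `| h`, but the `href` built by `h.url_for(...)` from the same `data_table.name` is still interpolated bare. `url_for` presumably percent-encodes query values, so this is likely safe in practice, but adding `| h` to the href keeps every attribute on the line consistently filtered and correctly encodes any `&` separators. The `| h` added to `len( column_name_list )` is a no-op on an integer and could be dropped.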
diff -r 295fd99b1d578e4d58af673259b95e703750f757 -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 templates/webapps/galaxy/data_manager/view_job.mako
--- a/templates/webapps/galaxy/data_manager/view_job.mako
+++ b/templates/webapps/galaxy/data_manager/view_job.mako
@@ -26,8 +26,8 @@
</thead><tbody><tr><td>Name:</td><td>${hda.name | h}</td></tr>
- <tr><td>Created:</td><td>${hda.create_time.strftime(trans.app.config.pretty_datetime_format)}</td></tr>
- <tr><td>Filesize:</td><td>${nice_size(hda.dataset.file_size)}</td></tr>
+ <tr><td>Created:</td><td>${hda.create_time.strftime(trans.app.config.pretty_datetime_format) | h}</td></tr>
+ <tr><td>Filesize:</td><td>${nice_size(hda.dataset.file_size) | h}</td></tr><tr><td>Tool Exit Code:</td><td>${job.exit_code | h}</td></tr><tr><td>Full Path:</td><td>${hda.file_name | h}</td></tr><tr><td>View complete info:</td><td><a href="${h.url_for( controller='dataset', action='show_params', dataset_id=trans.security.encode_id( hda.id ))}">${ hda.id | h }</a></td></tr>
@@ -47,7 +47,7 @@
%for j, table_row in enumerate( json_table ):
<tbody>
%if len_json_table > 1:
- <tr><td><strong>Entry #${j}</strong></td><td></td></tr>
+ <tr><td><strong>Entry #${j | h}</strong></td><td></td></tr>
%endif
%for name, value in table_row.iteritems():
<tr><td>${name | h}:</td><td>${value | h}</td></tr>
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
2 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/ed67b05dc040/
Changeset: ed67b05dc040
Branch: stable
User: dan
Date: 2014-12-04 21:14:28+00:00
Summary: Some web sanitization for Data Managers and Biostar redirect.
Affected #: 4 files
diff -r 9c482e1d9b3cfdb2936b3f230d434c1f27898eff -r ed67b05dc0402bf9ff9fbf35198ea2cac92e2c22 lib/galaxy/webapps/galaxy/controllers/data_manager.py
--- a/lib/galaxy/webapps/galaxy/controllers/data_manager.py
+++ b/lib/galaxy/webapps/galaxy/controllers/data_manager.py
@@ -7,6 +7,8 @@
pkg_resources.require( "Paste" )
import paste.httpexceptions
+from galaxy.web.framework.helpers import escape
+
#set up logger
import logging
log = logging.getLogger( __name__ )
@@ -18,8 +20,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
return trans.fill_template( "data_manager/index.mako", data_managers=trans.app.data_managers, tool_data_tables=trans.app.tool_data_tables, view_only=not_is_admin, message=message, status=status )
@web.expose
@@ -27,8 +29,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
data_manager_id = kwd.get( 'id', None )
data_manager = trans.app.data_managers.get_manager( data_manager_id )
if data_manager is None:
@@ -41,8 +43,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
job_id = kwd.get( 'id', None )
try:
job_id = trans.security.decode_id( job_id )
@@ -62,7 +64,7 @@
data_manager_json = loads( open( hda.get_file_name() ).read() )
except Exception, e:
data_manager_json = {}
- error_messages.append( "Unable to obtain data_table info for hda (%s): %s" % ( hda.id, e ) )
+ error_messages.append( escape( "Unable to obtain data_table info for hda (%s): %s" % ( hda.id, e ) ) )
values = []
for key, value in data_manager_json.get( 'data_tables', {} ).iteritems():
values.append( ( key, value ) )
@@ -74,8 +76,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
data_table_name = kwd.get( 'table_name', None )
if not data_table_name:
return trans.response.send_redirect( web.url_for( controller="data_manager", action="index" ) )
diff -r 9c482e1d9b3cfdb2936b3f230d434c1f27898eff -r ed67b05dc0402bf9ff9fbf35198ea2cac92e2c22 templates/webapps/galaxy/biostar/post_redirect.mako
--- a/templates/webapps/galaxy/biostar/post_redirect.mako
+++ b/templates/webapps/galaxy/biostar/post_redirect.mako
@@ -18,7 +18,7 @@
<p>If you are not automatically forwarded, click the button below:<p><form id="postRedirectForm" action="${post_url}" method="post" >
%for input_name, input_value in form_inputs.items():
- <input type="hidden" name="${input_name}" value="${input_value | h}">
+ <input type="hidden" name="${input_name | h}" value="${input_value | h}">
%endfor
<input type="submit" name="GalaxySubmitPostRedirectForm" id='GalaxySubmitPostRedirectForm' value="Click Here"></form>
diff -r 9c482e1d9b3cfdb2936b3f230d434c1f27898eff -r ed67b05dc0402bf9ff9fbf35198ea2cac92e2c22 templates/webapps/galaxy/data_manager/manage_data_table.mako
--- a/templates/webapps/galaxy/data_manager/manage_data_table.mako
+++ b/templates/webapps/galaxy/data_manager/manage_data_table.mako
@@ -14,9 +14,9 @@
<% column_name_list = data_table.get_column_name_list() %><table class="tabletip"><thead>
- <tr><th colspan="${len (column_name_list) }" style="font-size: 120%;">
+ <tr><th colspan="${ len( column_name_list ) | h}" style="font-size: 120%;">
Data Manager: ${ data_table.name | h }
- <a class="icon-btn" href="${ h.url_for( controller="data_manager", action="reload_tool_data_tables", table_name=data_table.name ) }" title="Reload ${data_table.name} tool data table" data-placement="bottom">
+ <a class="icon-btn" href="${ h.url_for( controller="data_manager", action="reload_tool_data_tables", table_name=data_table.name ) }" title="Reload ${data_table.name | h} tool data table" data-placement="bottom"><span class="fa fa-refresh"></span></a></th></tr>
diff -r 9c482e1d9b3cfdb2936b3f230d434c1f27898eff -r ed67b05dc0402bf9ff9fbf35198ea2cac92e2c22 templates/webapps/galaxy/data_manager/view_job.mako
--- a/templates/webapps/galaxy/data_manager/view_job.mako
+++ b/templates/webapps/galaxy/data_manager/view_job.mako
@@ -26,8 +26,8 @@
</thead><tbody><tr><td>Name:</td><td>${hda.name | h}</td></tr>
- <tr><td>Created:</td><td>${hda.create_time.strftime(trans.app.config.pretty_datetime_format)}</td></tr>
- <tr><td>Filesize:</td><td>${nice_size(hda.dataset.file_size)}</td></tr>
+ <tr><td>Created:</td><td>${hda.create_time.strftime(trans.app.config.pretty_datetime_format) | h}</td></tr>
+ <tr><td>Filesize:</td><td>${nice_size(hda.dataset.file_size) | h}</td></tr><tr><td>Tool Exit Code:</td><td>${job.exit_code | h}</td></tr><tr><td>Full Path:</td><td>${hda.file_name | h}</td></tr><tr><td>View complete info:</td><td><a href="${h.url_for( controller='dataset', action='show_params', dataset_id=trans.security.encode_id( hda.id ))}">${ hda.id | h }</a></td></tr>
@@ -47,7 +47,7 @@
%for j, table_row in enumerate( json_table ):
<tbody>
%if len_json_table > 1:
- <tr><td><strong>Entry #${j}</strong></td><td></td></tr>
+ <tr><td><strong>Entry #${j | h}</strong></td><td></td></tr>
%endif
%for name, value in table_row.iteritems():
<tr><td>${name | h}:</td><td>${value | h}</td></tr>
https://bitbucket.org/galaxy/galaxy-central/commits/de92a7b85033/
Changeset: de92a7b85033
Branch: stable
User: martenson
Date: 2014-12-05 16:49:14+00:00
Summary: Merged in dan/galaxy-central-prs/stable (pull request #593)
[STABLE] Some web sanitization for Data Managers and Biostar redirect.
Affected #: 4 files
diff -r 295fd99b1d578e4d58af673259b95e703750f757 -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 lib/galaxy/webapps/galaxy/controllers/data_manager.py
--- a/lib/galaxy/webapps/galaxy/controllers/data_manager.py
+++ b/lib/galaxy/webapps/galaxy/controllers/data_manager.py
@@ -7,6 +7,8 @@
pkg_resources.require( "Paste" )
import paste.httpexceptions
+from galaxy.web.framework.helpers import escape
+
#set up logger
import logging
log = logging.getLogger( __name__ )
@@ -18,8 +20,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
return trans.fill_template( "data_manager/index.mako", data_managers=trans.app.data_managers, tool_data_tables=trans.app.tool_data_tables, view_only=not_is_admin, message=message, status=status )
@web.expose
@@ -27,8 +29,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
data_manager_id = kwd.get( 'id', None )
data_manager = trans.app.data_managers.get_manager( data_manager_id )
if data_manager is None:
@@ -41,8 +43,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
job_id = kwd.get( 'id', None )
try:
job_id = trans.security.decode_id( job_id )
@@ -62,7 +64,7 @@
data_manager_json = loads( open( hda.get_file_name() ).read() )
except Exception, e:
data_manager_json = {}
- error_messages.append( "Unable to obtain data_table info for hda (%s): %s" % ( hda.id, e ) )
+ error_messages.append( escape( "Unable to obtain data_table info for hda (%s): %s" % ( hda.id, e ) ) )
values = []
for key, value in data_manager_json.get( 'data_tables', {} ).iteritems():
values.append( ( key, value ) )
@@ -74,8 +76,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
data_table_name = kwd.get( 'table_name', None )
if not data_table_name:
return trans.response.send_redirect( web.url_for( controller="data_manager", action="index" ) )
diff -r 295fd99b1d578e4d58af673259b95e703750f757 -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 templates/webapps/galaxy/biostar/post_redirect.mako
--- a/templates/webapps/galaxy/biostar/post_redirect.mako
+++ b/templates/webapps/galaxy/biostar/post_redirect.mako
@@ -18,7 +18,7 @@
<p>If you are not automatically forwarded, click the button below:<p><form id="postRedirectForm" action="${post_url}" method="post" >
%for input_name, input_value in form_inputs.items():
- <input type="hidden" name="${input_name}" value="${input_value | h}">
+ <input type="hidden" name="${input_name | h}" value="${input_value | h}">
%endfor
<input type="submit" name="GalaxySubmitPostRedirectForm" id='GalaxySubmitPostRedirectForm' value="Click Here"></form>
diff -r 295fd99b1d578e4d58af673259b95e703750f757 -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 templates/webapps/galaxy/data_manager/manage_data_table.mako
--- a/templates/webapps/galaxy/data_manager/manage_data_table.mako
+++ b/templates/webapps/galaxy/data_manager/manage_data_table.mako
@@ -14,9 +14,9 @@
<% column_name_list = data_table.get_column_name_list() %><table class="tabletip"><thead>
- <tr><th colspan="${len (column_name_list) }" style="font-size: 120%;">
+ <tr><th colspan="${ len( column_name_list ) | h}" style="font-size: 120%;">
Data Manager: ${ data_table.name | h }
- <a class="icon-btn" href="${ h.url_for( controller="data_manager", action="reload_tool_data_tables", table_name=data_table.name ) }" title="Reload ${data_table.name} tool data table" data-placement="bottom">
+ <a class="icon-btn" href="${ h.url_for( controller="data_manager", action="reload_tool_data_tables", table_name=data_table.name ) }" title="Reload ${data_table.name | h} tool data table" data-placement="bottom"><span class="fa fa-refresh"></span></a></th></tr>
diff -r 295fd99b1d578e4d58af673259b95e703750f757 -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 templates/webapps/galaxy/data_manager/view_job.mako
--- a/templates/webapps/galaxy/data_manager/view_job.mako
+++ b/templates/webapps/galaxy/data_manager/view_job.mako
@@ -26,8 +26,8 @@
</thead><tbody><tr><td>Name:</td><td>${hda.name | h}</td></tr>
- <tr><td>Created:</td><td>${hda.create_time.strftime(trans.app.config.pretty_datetime_format)}</td></tr>
- <tr><td>Filesize:</td><td>${nice_size(hda.dataset.file_size)}</td></tr>
+ <tr><td>Created:</td><td>${hda.create_time.strftime(trans.app.config.pretty_datetime_format) | h}</td></tr>
+ <tr><td>Filesize:</td><td>${nice_size(hda.dataset.file_size) | h}</td></tr><tr><td>Tool Exit Code:</td><td>${job.exit_code | h}</td></tr><tr><td>Full Path:</td><td>${hda.file_name | h}</td></tr><tr><td>View complete info:</td><td><a href="${h.url_for( controller='dataset', action='show_params', dataset_id=trans.security.encode_id( hda.id ))}">${ hda.id | h }</a></td></tr>
@@ -47,7 +47,7 @@
%for j, table_row in enumerate( json_table ):
<tbody>
%if len_json_table > 1:
- <tr><td><strong>Entry #${j}</strong></td><td></td></tr>
+ <tr><td><strong>Entry #${j | h}</strong></td><td></td></tr>
%endif
%for name, value in table_row.iteritems():
<tr><td>${name | h}:</td><td>${value | h}</td></tr>
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
commit/galaxy-central: jmchilton: Improvements to to yaml_to_workflow for Kyle.
by commits-noreply@bitbucket.org 04 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/46a3d43d779f/
Changeset: 46a3d43d779f
User: jmchilton
Date: 2014-12-04 21:18:20+00:00
Summary: Improvements to to yaml_to_workflow for Kyle.
Add UUID to workflows (his contribution) - add shortcuts for rename and hide actions with tests (his request, my implementation).
Affected #: 4 files
diff -r 7272cc7b9ea1fd64646fa6d7e6fb5924fd8618f8 -r 46a3d43d779fa7735029449935dad77474adf9b1 test/api/test_workflow_extraction.py
--- a/test/api/test_workflow_extraction.py
+++ b/test/api/test_workflow_extraction.py
@@ -182,68 +182,6 @@
collection_step_state = loads( collection_step[ "tool_state" ] )
self.assertEquals( collection_step_state[ "collection_type" ], u"list:paired" )
- def _run_jobs( self, jobs_yaml ):
- history_id = self.history_id
- workflow_id = self._upload_yaml_workflow(
- jobs_yaml
- )
- jobs_descriptions = yaml.load( jobs_yaml )
- test_data = jobs_descriptions["test_data"]
-
- label_map = {}
- inputs = {}
- for key, value in test_data.items():
- if isinstance( value, dict ):
- elements_data = value.get( "elements", [] )
- elements = []
- for element_data in elements_data:
- identifier = element_data[ "identifier" ]
- content = element_data["content"]
- elements.append( ( identifier, content ) )
- collection_type = value["type"]
- if collection_type == "list:paired":
- hdca = self.dataset_collection_populator.create_list_of_pairs_in_history( history_id ).json()
- elif collection_type == "list":
- hdca = self.dataset_collection_populator.create_list_in_history( history_id, contents=elements ).json()
- else:
- hdca = self.dataset_collection_populator.create_pair_in_history( history_id, contents=elements ).json()
- label_map[key] = self._ds_entry( hdca )
- inputs[key] = hdca
- else:
- hda = self.dataset_populator.new_dataset( history_id, content=value )
- label_map[key] = self._ds_entry( hda )
- inputs[key] = hda
- workflow_request = dict(
- history="hist_id=%s" % history_id,
- workflow_id=workflow_id,
- )
- workflow_request[ "inputs" ] = dumps( label_map )
- workflow_request[ "inputs_by" ] = 'name'
- self.dataset_populator.wait_for_history( history_id, assert_ok=True )
- url = "workflows/%s/usage" % ( workflow_id )
- invocation_response = self._post( url, data=workflow_request )
- self._assert_status_code_is( invocation_response, 200 )
- invocation = invocation_response.json()
- invocation_id = invocation[ "id" ]
- # Wait for workflow to become fully scheduled and then for all jobs
- # complete.
- self.wait_for_invocation( workflow_id, invocation_id )
- self.dataset_populator.wait_for_history( history_id, assert_ok=True )
- jobs = self._history_jobs( history_id )
- return RunJobsSummary(
- history_id=history_id,
- workflow_id=workflow_id,
- inputs=inputs,
- jobs=jobs,
- )
-
- def wait_for_invocation( self, workflow_id, invocation_id ):
- url = "workflows/%s/usage/%s" % ( workflow_id, invocation_id )
- return wait_on_state( lambda: self._get( url ) )
-
- def _history_jobs( self, history_id ):
- return self._get("jobs", { "history_id": history_id, "order_by": "create_time" } ).json()
-
def _job_id_for_tool( self, jobs, tool_id ):
return self._job_for_tool( jobs, tool_id )[ "id" ]
diff -r 7272cc7b9ea1fd64646fa6d7e6fb5924fd8618f8 -r 46a3d43d779fa7735029449935dad77474adf9b1 test/api/test_workflows.py
--- a/test/api/test_workflows.py
+++ b/test/api/test_workflows.py
@@ -1,6 +1,12 @@
+from .helpers import wait_on_state
+
from base import api
from json import dumps
+from collections import namedtuple
+
import time
+
+import yaml
from .helpers import WorkflowPopulator
from .helpers import DatasetPopulator
from .helpers import DatasetCollectionPopulator
@@ -101,6 +107,69 @@
invocation_details = invocation_details_response.json()
return invocation_details
+ def _run_jobs( self, jobs_yaml, history_id=None ):
+ if history_id is None:
+ history_id = self.history_id
+ workflow_id = self._upload_yaml_workflow(
+ jobs_yaml
+ )
+ jobs_descriptions = yaml.load( jobs_yaml )
+ test_data = jobs_descriptions["test_data"]
+
+ label_map = {}
+ inputs = {}
+ for key, value in test_data.items():
+ if isinstance( value, dict ):
+ elements_data = value.get( "elements", [] )
+ elements = []
+ for element_data in elements_data:
+ identifier = element_data[ "identifier" ]
+ content = element_data["content"]
+ elements.append( ( identifier, content ) )
+ collection_type = value["type"]
+ if collection_type == "list:paired":
+ hdca = self.dataset_collection_populator.create_list_of_pairs_in_history( history_id ).json()
+ elif collection_type == "list":
+ hdca = self.dataset_collection_populator.create_list_in_history( history_id, contents=elements ).json()
+ else:
+ hdca = self.dataset_collection_populator.create_pair_in_history( history_id, contents=elements ).json()
+ label_map[key] = self._ds_entry( hdca )
+ inputs[key] = hdca
+ else:
+ hda = self.dataset_populator.new_dataset( history_id, content=value )
+ label_map[key] = self._ds_entry( hda )
+ inputs[key] = hda
+ workflow_request = dict(
+ history="hist_id=%s" % history_id,
+ workflow_id=workflow_id,
+ )
+ workflow_request[ "inputs" ] = dumps( label_map )
+ workflow_request[ "inputs_by" ] = 'name'
+ self.dataset_populator.wait_for_history( history_id, assert_ok=True )
+ url = "workflows/%s/usage" % ( workflow_id )
+ invocation_response = self._post( url, data=workflow_request )
+ self._assert_status_code_is( invocation_response, 200 )
+ invocation = invocation_response.json()
+ invocation_id = invocation[ "id" ]
+ # Wait for workflow to become fully scheduled and then for all jobs
+ # complete.
+ self.wait_for_invocation( workflow_id, invocation_id )
+ self.dataset_populator.wait_for_history( history_id, assert_ok=True )
+ jobs = self._history_jobs( history_id )
+ return RunJobsSummary(
+ history_id=history_id,
+ workflow_id=workflow_id,
+ inputs=inputs,
+ jobs=jobs,
+ )
+
+ def wait_for_invocation( self, workflow_id, invocation_id ):
+ url = "workflows/%s/usage/%s" % ( workflow_id, invocation_id )
+ return wait_on_state( lambda: self._get( url ) )
+
+ def _history_jobs( self, history_id ):
+ return self._get("jobs", { "history_id": history_id, "order_by": "create_time" } ).json()
+
# Workflow API TODO:
# - Allow history_id as param to workflow run action. (hist_id)
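Review bot: `yaml.load( jobs_yaml )` in the added `_run_jobs` uses PyYAML's full loader, which will construct arbitrary Python objects from tagged input. The documents here are literals written in the tests, so the exposure is small, but `jobs_descriptions = yaml.safe_load( jobs_yaml )` parses the same plain mappings and keeps the helper safe if it is ever fed a fixture from elsewhere. Separately, the `list:paired` branch builds `elements` and then ignores it in `create_list_of_pairs_in_history( history_id )`; a comment would help if that is intentional.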
@@ -641,3 +710,7 @@
shared_workflow_id=workflow_id,
)
return self._post( route, import_data )
+
+
+RunJobsSummary = namedtuple('RunJobsSummary', ['history_id', 'workflow_id', 'inputs', 'jobs'])
+
diff -r 7272cc7b9ea1fd64646fa6d7e6fb5924fd8618f8 -r 46a3d43d779fa7735029449935dad77474adf9b1 test/api/test_workflows_from_yaml.py
--- a/test/api/test_workflows_from_yaml.py
+++ b/test/api/test_workflows_from_yaml.py
@@ -1,4 +1,3 @@
-import json
from .test_workflows import BaseWorkflowsApiTestCase
@@ -30,3 +29,33 @@
__current_case__: 1
""")
self._get("workflows/%s/download" % workflow_id).content
+
+ def test_simple_output_actions( self ):
+ history_id = self.dataset_populator.new_history()
+ self._run_jobs("""
+steps:
+ - type: input
+ label: input1
+ - tool_id: cat1
+ label: first_cat
+ state:
+ input1:
+ $link: 0
+ outputs:
+ out_file1:
+ hide: true
+ rename: "the new value"
+ - tool_id: cat1
+ state:
+ input1:
+ $link: first_cat#out_file1
+test_data:
+ input1: "hello world"
+""", history_id=history_id)
+
+ details1 = self.dataset_populator.get_history_dataset_details(history_id, hid=2)
+ assert not details1["visible"]
+ assert details1["name"] == "the new value", details1
+ details2 = self.dataset_populator.get_history_dataset_details(history_id, hid=3)
+ assert details2["visible"]
+ assert False
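Review bot: The unconditional `assert False` on the last added line of `test_simple_output_actions` makes the test fail even when the hide and rename assertions above it pass, so it reads like a debugging leftover. Drop that line so the test result reflects the `visible` and `name` checks. The lookups by `hid=2` and `hid=3` presumably rely on the order in which the two `cat1` outputs are created; a one-line comment saying which step each hid belongs to would help the next reader.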
diff -r 7272cc7b9ea1fd64646fa6d7e6fb5924fd8618f8 -r 46a3d43d779fa7735029449935dad77474adf9b1 test/api/yaml_to_workflow.py
--- a/test/api/yaml_to_workflow.py
+++ b/test/api/yaml_to_workflow.py
@@ -2,6 +2,7 @@
import yaml
import json
+import uuid
try:
from collections import OrderedDict
@@ -25,7 +26,8 @@
"a_galaxy_workflow": "true",
"format-version": "0.1",
"annotation": "",
- "name": "Workflow"
+ "name": "Workflow",
+ "uuid": str(uuid.uuid4()),
})
steps = as_python["steps"]
@@ -107,8 +109,10 @@
__ensure_defaults( step, {
"annotation": "",
+ "post_job_actions": {},
} )
__ensure_inputs_connections(step)
+ post_job_actions = step["post_job_actions"]
tool_state = {
# TODO: Galaxy should not require tool state actually specify a __page__.
@@ -178,6 +182,30 @@
__populate_tool_state(step, tool_state)
+ # Handle outputs.
+ if "outputs" in step:
+ for name, output in step.get("outputs", {}).items():
+ if output.get("hide", False):
+ action_name = "HideDatasetAction%s" % name
+ action = __action(
+ "HideDatasetAction",
+ name,
+ )
+ post_job_actions[action_name] = action
+
+ if output.get("rename", None):
+ new_name = output.get("rename")
+ action_name = "RenameDatasetAction%s" % name
+ arguments = dict(newname=new_name)
+ action = __action(
+ "RenameDatasetAction",
+ name,
+ arguments,
+ )
+ post_job_actions[action_name] = action
+
+ del step["outputs"]
+
class ConversionContext(object):
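Review bot: The membership test `if "outputs" in step:`, the `step.get("outputs", {})` default and the trailing `del step["outputs"]` do the same job three times. `for name, output in step.pop("outputs", {}).items():` covers all three and cannot raise KeyError for a step that declares no outputs. The page has lost the original indentation, so whether the `del` sits inside the `if` cannot be confirmed from here. The enclosing function starts outside the hunk.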
@@ -185,6 +213,14 @@
self.labels = {}
+def __action(type, name, arguments={}):
+ return {
+ "action_arguments": arguments,
+ "action_type": type,
+ "output_name": name,
+ }
+
+
def __is_link(value):
return isinstance(value, dict) and "$link" in value
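Review bot: `__action` declares a mutable default, `arguments={}`, and stores that same dict in the returned action, so every action built without arguments (the `HideDatasetAction` call in the previous hunk) shares one `action_arguments` object and an in-place change to one would show up in all of them. Use `def __action(type, name, arguments=None):` and `"action_arguments": arguments if arguments is not None else {},`. The parameter name `type` also shadows the builtin; the visible callers pass it positionally, so renaming it to `action_type` would not affect them.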
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
--
This is a commit notification from bitbucket.org. You are receiving
this because you have the service enabled, addressing the recipient of
this email.
commit/galaxy-central: dan: Some web sanitization for Data Managers and Biostar redirect.
by commits-noreply@bitbucket.org 04 Dec '14
by commits-noreply@bitbucket.org 04 Dec '14
04 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/c1d4e82df5cb/
Changeset: c1d4e82df5cb
Branch: next-stable
User: dan
Date: 2014-12-04 21:14:28+00:00
Summary: Some web sanitization for Data Managers and Biostar redirect.
Affected #: 4 files
diff -r b51526d2f9b42a0bc64b55584e435ceebe7ceb31 -r c1d4e82df5cbf8a6d551221a0d4013d658ad4748 lib/galaxy/webapps/galaxy/controllers/data_manager.py
--- a/lib/galaxy/webapps/galaxy/controllers/data_manager.py
+++ b/lib/galaxy/webapps/galaxy/controllers/data_manager.py
@@ -7,6 +7,8 @@
pkg_resources.require( "Paste" )
import paste.httpexceptions
+from galaxy.web.framework.helpers import escape
+
#set up logger
import logging
log = logging.getLogger( __name__ )
@@ -18,8 +20,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
return trans.fill_template( "data_manager/index.mako", data_managers=trans.app.data_managers, tool_data_tables=trans.app.tool_data_tables, view_only=not_is_admin, message=message, status=status )
@web.expose
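Review bot: Escaping `message` and `status` in the controller makes the fix depend on every action remembering to do it (the same two lines are repeated in the hunks at -27, -41 and -74 of this file), and if `data_manager/index.mako` or the other templates also apply `| h` the text will be escaped twice. Encoding at the point of output in the template is the more robust place; if the controller-side call stays, a comment such as `# message and status are request parameters; escaped here before being handed to the template` would record why. `status` looks like it selects from a small fixed set (the default is 'info'), so checking it against an allowlist would be stricter than escaping it. It is also worth confirming what `escape` does when a repeated query parameter makes `kwd.get( 'message', '' )` something other than a string. The enclosing function starts outside the hunk; the identical change is mailed again further down as changeset 7272cc7b9ea1.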
@@ -27,8 +29,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
data_manager_id = kwd.get( 'id', None )
data_manager = trans.app.data_managers.get_manager( data_manager_id )
if data_manager is None:
@@ -41,8 +43,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
job_id = kwd.get( 'id', None )
try:
job_id = trans.security.decode_id( job_id )
@@ -62,7 +64,7 @@
data_manager_json = loads( open( hda.get_file_name() ).read() )
except Exception, e:
data_manager_json = {}
- error_messages.append( "Unable to obtain data_table info for hda (%s): %s" % ( hda.id, e ) )
+ error_messages.append( escape( "Unable to obtain data_table info for hda (%s): %s" % ( hda.id, e ) ) )
values = []
for key, value in data_manager_json.get( 'data_tables', {} ).iteritems():
values.append( ( key, value ) )
@@ -74,8 +76,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
data_table_name = kwd.get( 'table_name', None )
if not data_table_name:
return trans.response.send_redirect( web.url_for( controller="data_manager", action="index" ) )
diff -r b51526d2f9b42a0bc64b55584e435ceebe7ceb31 -r c1d4e82df5cbf8a6d551221a0d4013d658ad4748 templates/webapps/galaxy/biostar/post_redirect.mako
--- a/templates/webapps/galaxy/biostar/post_redirect.mako
+++ b/templates/webapps/galaxy/biostar/post_redirect.mako
@@ -18,7 +18,7 @@
<p>If you are not automatically forwarded, click the button below:<p><form id="postRedirectForm" action="${post_url}" method="post" >
%for input_name, input_value in form_inputs.items():
- <input type="hidden" name="${input_name}" value="${input_value | h}">
+ <input type="hidden" name="${input_name | h}" value="${input_value | h}">
%endfor
<input type="submit" name="GalaxySubmitPostRedirectForm" id='GalaxySubmitPostRedirectForm' value="Click Here"></form>
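Review bot: `action="${post_url}"` on the form tag in this hunk is still emitted without `| h`, while both attributes of the hidden inputs are now encoded; unless the template lookup has a default escape filter configured, that leaves one attribute of the same form unencoded. Change it to `action="${post_url | h}"`. Encoding does not restrict where the form posts, so if `post_url` can be influenced by the request it should also be checked against the configured Biostar URL, which this hunk does not show.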
diff -r b51526d2f9b42a0bc64b55584e435ceebe7ceb31 -r c1d4e82df5cbf8a6d551221a0d4013d658ad4748 templates/webapps/galaxy/data_manager/manage_data_table.mako
--- a/templates/webapps/galaxy/data_manager/manage_data_table.mako
+++ b/templates/webapps/galaxy/data_manager/manage_data_table.mako
@@ -14,9 +14,9 @@
<% column_name_list = data_table.get_column_name_list() %><table class="tabletip"><thead>
- <tr><th colspan="${len (column_name_list) }" style="font-size: 120%;">
+ <tr><th colspan="${ len( column_name_list ) | h}" style="font-size: 120%;">
Data Manager: ${ data_table.name | h }
- <a class="icon-btn" href="${ h.url_for( controller="data_manager", action="reload_tool_data_tables", table_name=data_table.name ) }" title="Reload ${data_table.name} tool data table" data-placement="bottom">
+ <a class="icon-btn" href="${ h.url_for( controller="data_manager", action="reload_tool_data_tables", table_name=data_table.name ) }" title="Reload ${data_table.name | h} tool data table" data-placement="bottom"><span class="fa fa-refresh"></span></a></th></tr>
diff -r b51526d2f9b42a0bc64b55584e435ceebe7ceb31 -r c1d4e82df5cbf8a6d551221a0d4013d658ad4748 templates/webapps/galaxy/data_manager/view_job.mako
--- a/templates/webapps/galaxy/data_manager/view_job.mako
+++ b/templates/webapps/galaxy/data_manager/view_job.mako
@@ -26,8 +26,8 @@
</thead><tbody><tr><td>Name:</td><td>${hda.name | h}</td></tr>
- <tr><td>Created:</td><td>${hda.create_time.strftime(trans.app.config.pretty_datetime_format)}</td></tr>
- <tr><td>Filesize:</td><td>${nice_size(hda.dataset.file_size)}</td></tr>
+ <tr><td>Created:</td><td>${hda.create_time.strftime(trans.app.config.pretty_datetime_format) | h}</td></tr>
+ <tr><td>Filesize:</td><td>${nice_size(hda.dataset.file_size) | h}</td></tr><tr><td>Tool Exit Code:</td><td>${job.exit_code | h}</td></tr><tr><td>Full Path:</td><td>${hda.file_name | h}</td></tr><tr><td>View complete info:</td><td><a href="${h.url_for( controller='dataset', action='show_params', dataset_id=trans.security.encode_id( hda.id ))}">${ hda.id | h }</a></td></tr>
@@ -47,7 +47,7 @@
%for j, table_row in enumerate( json_table ):
<tbody>
%if len_json_table > 1:
- <tr><td><strong>Entry #${j}</strong></td><td></td></tr>
+ <tr><td><strong>Entry #${j | h}</strong></td><td></td></tr>
%endif
%for name, value in table_row.iteritems():
<tr><td>${name | h}:</td><td>${value | h}</td></tr>
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
--
This is a commit notification from bitbucket.org. You are receiving
this because you have the service enabled, addressing the recipient of
this email.
commit/galaxy-central: dan: Some web sanitization for Data Managers and Biostar redirect.
by commits-noreply@bitbucket.org 04 Dec '14
by commits-noreply@bitbucket.org 04 Dec '14
04 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/7272cc7b9ea1/
Changeset: 7272cc7b9ea1
User: dan
Date: 2014-12-04 21:14:28+00:00
Summary: Some web sanitization for Data Managers and Biostar redirect.
Affected #: 4 files
diff -r 636d3594e201ebb2d085c33c6de32577d65bd866 -r 7272cc7b9ea1fd64646fa6d7e6fb5924fd8618f8 lib/galaxy/webapps/galaxy/controllers/data_manager.py
--- a/lib/galaxy/webapps/galaxy/controllers/data_manager.py
+++ b/lib/galaxy/webapps/galaxy/controllers/data_manager.py
@@ -7,6 +7,8 @@
pkg_resources.require( "Paste" )
import paste.httpexceptions
+from galaxy.web.framework.helpers import escape
+
#set up logger
import logging
log = logging.getLogger( __name__ )
@@ -18,8 +20,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
return trans.fill_template( "data_manager/index.mako", data_managers=trans.app.data_managers, tool_data_tables=trans.app.tool_data_tables, view_only=not_is_admin, message=message, status=status )
@web.expose
@@ -27,8 +29,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
data_manager_id = kwd.get( 'id', None )
data_manager = trans.app.data_managers.get_manager( data_manager_id )
if data_manager is None:
@@ -41,8 +43,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
job_id = kwd.get( 'id', None )
try:
job_id = trans.security.decode_id( job_id )
@@ -62,7 +64,7 @@
data_manager_json = loads( open( hda.get_file_name() ).read() )
except Exception, e:
data_manager_json = {}
- error_messages.append( "Unable to obtain data_table info for hda (%s): %s" % ( hda.id, e ) )
+ error_messages.append( escape( "Unable to obtain data_table info for hda (%s): %s" % ( hda.id, e ) ) )
values = []
for key, value in data_manager_json.get( 'data_tables', {} ).iteritems():
values.append( ( key, value ) )
@@ -74,8 +76,8 @@
not_is_admin = not trans.user_is_admin()
if not_is_admin and not trans.app.config.enable_data_manager_user_view:
raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
data_table_name = kwd.get( 'table_name', None )
if not data_table_name:
return trans.response.send_redirect( web.url_for( controller="data_manager", action="index" ) )
diff -r 636d3594e201ebb2d085c33c6de32577d65bd866 -r 7272cc7b9ea1fd64646fa6d7e6fb5924fd8618f8 templates/webapps/galaxy/biostar/post_redirect.mako
--- a/templates/webapps/galaxy/biostar/post_redirect.mako
+++ b/templates/webapps/galaxy/biostar/post_redirect.mako
@@ -18,7 +18,7 @@
<p>If you are not automatically forwarded, click the button below:<p><form id="postRedirectForm" action="${post_url}" method="post" >
%for input_name, input_value in form_inputs.items():
- <input type="hidden" name="${input_name}" value="${input_value | h}">
+ <input type="hidden" name="${input_name | h}" value="${input_value | h}">
%endfor
<input type="submit" name="GalaxySubmitPostRedirectForm" id='GalaxySubmitPostRedirectForm' value="Click Here"></form>
diff -r 636d3594e201ebb2d085c33c6de32577d65bd866 -r 7272cc7b9ea1fd64646fa6d7e6fb5924fd8618f8 templates/webapps/galaxy/data_manager/manage_data_table.mako
--- a/templates/webapps/galaxy/data_manager/manage_data_table.mako
+++ b/templates/webapps/galaxy/data_manager/manage_data_table.mako
@@ -14,9 +14,9 @@
<% column_name_list = data_table.get_column_name_list() %><table class="tabletip"><thead>
- <tr><th colspan="${len (column_name_list) }" style="font-size: 120%;">
+ <tr><th colspan="${ len( column_name_list ) | h}" style="font-size: 120%;">
Data Manager: ${ data_table.name | h }
- <a class="icon-btn" href="${ h.url_for( controller="data_manager", action="reload_tool_data_tables", table_name=data_table.name ) }" title="Reload ${data_table.name} tool data table" data-placement="bottom">
+ <a class="icon-btn" href="${ h.url_for( controller="data_manager", action="reload_tool_data_tables", table_name=data_table.name ) }" title="Reload ${data_table.name | h} tool data table" data-placement="bottom"><span class="fa fa-refresh"></span></a></th></tr>
diff -r 636d3594e201ebb2d085c33c6de32577d65bd866 -r 7272cc7b9ea1fd64646fa6d7e6fb5924fd8618f8 templates/webapps/galaxy/data_manager/view_job.mako
--- a/templates/webapps/galaxy/data_manager/view_job.mako
+++ b/templates/webapps/galaxy/data_manager/view_job.mako
@@ -26,8 +26,8 @@
</thead><tbody><tr><td>Name:</td><td>${hda.name | h}</td></tr>
- <tr><td>Created:</td><td>${hda.create_time.strftime(trans.app.config.pretty_datetime_format)}</td></tr>
- <tr><td>Filesize:</td><td>${nice_size(hda.dataset.file_size)}</td></tr>
+ <tr><td>Created:</td><td>${hda.create_time.strftime(trans.app.config.pretty_datetime_format) | h}</td></tr>
+ <tr><td>Filesize:</td><td>${nice_size(hda.dataset.file_size) | h}</td></tr><tr><td>Tool Exit Code:</td><td>${job.exit_code | h}</td></tr><tr><td>Full Path:</td><td>${hda.file_name | h}</td></tr><tr><td>View complete info:</td><td><a href="${h.url_for( controller='dataset', action='show_params', dataset_id=trans.security.encode_id( hda.id ))}">${ hda.id | h }</a></td></tr>
@@ -47,7 +47,7 @@
%for j, table_row in enumerate( json_table ):
<tbody>
%if len_json_table > 1:
- <tr><td><strong>Entry #${j}</strong></td><td></td></tr>
+ <tr><td><strong>Entry #${j | h}</strong></td><td></td></tr>
%endif
%for name, value in table_row.iteritems():
<tr><td>${name | h}:</td><td>${value | h}</td></tr>
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
--
This is a commit notification from bitbucket.org. You are receiving
this because you have the service enabled, addressing the recipient of
this email.
11 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/6eccc509c109/
Changeset: 6eccc509c109
Branch: next-stable
User: dannon
Date: 2014-12-04 16:38:16+00:00
Summary: Sanitize all user fields in cloud/index.mako
Affected #: 1 file
diff -r 29b2c328b89b6634c9a3f9a21c2349105a7e485a -r 6eccc509c109c87889d80ba745d97cfa425e0ce4 templates/webapps/galaxy/cloud/index.mako
--- a/templates/webapps/galaxy/cloud/index.mako
+++ b/templates/webapps/galaxy/cloud/index.mako
@@ -218,7 +218,7 @@
</div>
%if share_string:
- <input type='hidden' name='share_string' value='${share_string}'/>
+ <input id="dbremove_share_string" type='hidden' name='share_string' value='${share_string | h}'/>
%else:
<!-- DBEDIT temporary hide share string due to it being broken on the cloudman end --><div class="form-row" style="display:none;">
@@ -228,11 +228,11 @@
%endif
%if ami:
- <input type='hidden' name='ami' value='${ami}'/>
+ <input type='hidden' name='ami' value='${ami | h}'/>
%endif
%if bucket_default:
- <input type='hidden' name='bucket_default' value='${bucket_default}'/>
+ <input type='hidden' name='bucket_default' value='${bucket_default | h}'/>
%endif
<div class="form-row">
https://bitbucket.org/galaxy/galaxy-central/commits/90d3d1205ef0/
Changeset: 90d3d1205ef0
Branch: next-stable
User: dannon
Date: 2014-12-04 16:51:46+00:00
Summary: Remove unused cloud/run.mako; all functionality is rolled into cloud/index.
Affected #: 1 file
diff -r 6eccc509c109c87889d80ba745d97cfa425e0ce4 -r 90d3d1205ef0211ce2f459e2832c6bad2737d924 templates/webapps/galaxy/cloud/run.mako
--- a/templates/webapps/galaxy/cloud/run.mako
+++ /dev/null
@@ -1,41 +0,0 @@
-<%inherit file="/webapps/galaxy/base_panels.mako"/>
-
-<%def name="init()">
-<%
- self.has_left_panel=False
- self.has_right_panel=False
- self.active_view="shared"
- self.message_box_visible=False
-%>
-</%def>
-
-
-<%def name="center_panel()">
- <div style="overflow: auto; height: 100%;">
- <div class="page-container" style="padding: 10px;">
- <h2>Launching a Galaxy Cloud Instance</h2>
-%if error:
- <p>${error}</p>
-%elif instance:
- %if kp_material:
- <h3>Very Important Key Pair Information</h3>
- <p>A new key pair named '${kp_name}' has been created in your AWS
- account and will be used to access this instance via ssh. It is
- <strong>very important</strong> that you save the following private key
- as it is not saved on this Galaxy instance and will be permanently lost
- once you leave this page. To do this, save the following key block as
- a plain text file named '${kp_name}'.</p>
- <pre>${kp_material}</pre>
- %endif
- <p>The instance '${instance.id} has been successfully launched using the
- '${instance.image_id}' AMI.<br/> Access it at <a
- href="http://${instance.public_dns_name}">http://${instance.public_dns_name}</a></p>
- <p>SSH access is available using your private key '${kp_name}'.</p>
-%else:
- <p> Unknown failure, no instance. Please refer to your AWS console at <a
- href="https://console.aws.amazon.com">https://console.aws.amazon.com</a></p>
-%endif
- </div>
- </div>
-</%def>
-
https://bitbucket.org/galaxy/galaxy-central/commits/54e5ea026a4a/
Changeset: 54e5ea026a4a
Branch: next-stable
User: dannon
Date: 2014-12-04 17:05:07+00:00
Summary: Don't trust user email rendered into page unescaped for Raven.
Affected #: 1 file
diff -r 90d3d1205ef0211ce2f459e2832c6bad2737d924 -r 54e5ea026a4aaad0f4fd1228c63c77c15327afa4 templates/base/base_panels.mako
--- a/templates/base/base_panels.mako
+++ b/templates/base/base_panels.mako
@@ -45,7 +45,7 @@
<script>
Raven.config('${app.config.sentry_dsn_public}').install();
%if trans.user:
- Raven.setUser( { email: "${trans.user.email}" } );
+ Raven.setUser( { email: "${trans.user.email | h}" } );
%endif
</script>
%endif
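Review bot: `${trans.user.email | h}` is placed inside a JavaScript string in a `<script>` block, where HTML entity encoding is the wrong encoder for the context. It does stop a `"` or a `</script>` from closing the string or the block, but a backslash or line break passes through unchanged, and script content is not entity-decoded, so an address containing `&` or `'` would presumably reach Sentry with the entities still in it. Emit the value as a JSON string literal with `<` written as `\u003c` instead, i.e. `Raven.setUser( { email: <JSON-encoded email> } );`, where the placeholder stands for the encoder's output including its own quotes. `'${app.config.sentry_dsn_public}'` two lines up is unencoded as well, which is acceptable only as long as it stays admin-controlled configuration.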
https://bitbucket.org/galaxy/galaxy-central/commits/3ecb6b58e88a/
Changeset: 3ecb6b58e88a
Branch: next-stable
User: dannon
Date: 2014-12-04 17:05:23+00:00
Summary: Trim trailing whitespace.
Affected #: 1 file
diff -r 54e5ea026a4aaad0f4fd1228c63c77c15327afa4 -r 3ecb6b58e88aeac8db48253e585df2aa429f39dc templates/base/base_panels.mako
--- a/templates/base/base_panels.mako
+++ b/templates/base/base_panels.mako
@@ -13,7 +13,7 @@
self.body_class=""
self.require_javascript=False
%>
-
+
<%def name="init()">
## Override
</%def>
@@ -62,7 +62,7 @@
'libs/require',
"mvc/ui"
)}
-
+
<script type="text/javascript">
## global configuration object
var galaxy_config =
@@ -112,14 +112,14 @@
'galaxy.panels'
)}
<script type="text/javascript">
-
+
ensure_dd_helper();
-
+
%if self.has_left_panel:
var lp = new Panel( { panel: $("#left"), center: $("#center"), drag: $("#left > .unified-panel-footer > .drag" ), toggle: $("#left > .unified-panel-footer > .panel-collapse" ) } );
force_left_panel = function( x ) { lp.force_panel( x ) };
%endif
-
+
%if self.has_right_panel:
var rp = new Panel( { panel: $("#right"), center: $("#center"), drag: $("#right > .unified-panel-footer > .drag" ), toggle: $("#right > .unified-panel-footer > .panel-collapse" ), right: true } );
window.handle_minwidth_hint = function( x ) { rp.handle_minwidth_hint( x ) };
@@ -134,7 +134,7 @@
ga('create', '${app.config.ga_code}', 'auto');
ga('send', 'pageview');
%endif
-
+
</script>
## Handle AJAX (actually hidden iframe) upload tool
<script type="text/javascript">
@@ -300,7 +300,7 @@
## Document
<html><!--base_panels.mako-->
- ${self.init()}
+ ${self.init()}
<head>
%if app.config.brand:
<title>${self.title()} / ${app.config.brand}</title>
@@ -316,7 +316,7 @@
${self.javascripts()}
${self.javascript_app()}
</head>
-
+
<%
body_class = self.body_class
if self.message_box_visible:
https://bitbucket.org/galaxy/galaxy-central/commits/738a4cbb6ed3/
Changeset: 738a4cbb6ed3
Branch: next-stable
User: dannon
Date: 2014-12-04 18:07:03+00:00
Summary: Cleanup of show_params while looking for bugs.
Affected #: 1 file
diff -r 3ecb6b58e88aeac8db48253e585df2aa429f39dc -r 738a4cbb6ed3189a80202f4be53726542b516239 lib/galaxy/webapps/galaxy/controllers/dataset.py
--- a/lib/galaxy/webapps/galaxy/controllers/dataset.py
+++ b/lib/galaxy/webapps/galaxy/controllers/dataset.py
@@ -932,7 +932,7 @@
@web.expose
def show_params( self, trans, dataset_id=None, from_noframe=None, **kwd ):
"""
- Show the parameters used for an HDA
+ Show the parameters used for the job associated with an HDA
"""
hda = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( trans.security.decode_id( dataset_id ) )
if not hda:
@@ -961,19 +961,31 @@
toolbox = self.get_toolbox()
tool = toolbox.get_tool( job.tool_id )
assert tool is not None, 'Requested tool has not been loaded.'
- #Load parameter objects, if a parameter type has changed, it's possible for the value to no longer be valid
+ # Load parameter objects, if a parameter type has changed, it's possible for the value to no longer be valid
try:
params_objects = job.get_param_values( trans.app, ignore_errors=False )
except:
params_objects = job.get_param_values( trans.app, ignore_errors=True )
- upgrade_messages = tool.check_and_update_param_values( job.get_param_values( trans.app, ignore_errors=True ), trans, update_values=False ) #use different param_objects here, since we want to display original values as much as possible
+ # use different param_objects in the following line, since we want to display original values as much as possible
+ upgrade_messages = tool.check_and_update_param_values( job.get_param_values( trans.app,
+ ignore_errors=True ),
+ trans,
+ update_values=False )
has_parameter_errors = True
except:
pass
if job is None:
return trans.show_error_message( "Job information is not available for this dataset." )
- #TODO: we should provide the basic values along with the objects, in order to better handle reporting of old values during upgrade
- return trans.fill_template( "show_params.mako", inherit_chain=inherit_chain, history=trans.get_history(), hda=hda, job=job, tool=tool, params_objects=params_objects, upgrade_messages=upgrade_messages, has_parameter_errors=has_parameter_errors )
+ # TODO: we should provide the basic values along with the objects, in order to better handle reporting of old values during upgrade
+ return trans.fill_template( "show_params.mako",
+ inherit_chain=inherit_chain,
+ history=trans.get_history(),
+ hda=hda,
+ job=job,
+ tool=tool,
+ params_objects=params_objects,
+ upgrade_messages=upgrade_messages,
+ has_parameter_errors=has_parameter_errors )
@web.expose
def copy_datasets( self, trans, source_history=None, source_content_ids="", target_history_id=None, target_history_ids="", new_history_name="", do_copy=False, **kwd ):
https://bitbucket.org/galaxy/galaxy-central/commits/84bf14a4e9de/
Changeset: 84bf14a4e9de
Branch: next-stable
User: dannon
Date: 2014-12-04 18:10:37+00:00
Summary: Catch ValueError and actually log it instead of blowing up w/ invalid dataset_id. Raise httpexception.
Affected #: 1 file
diff -r 738a4cbb6ed3189a80202f4be53726542b516239 -r 84bf14a4e9de8bb7a27411933c28fdc237b75a52 lib/galaxy/webapps/galaxy/controllers/dataset.py
--- a/lib/galaxy/webapps/galaxy/controllers/dataset.py
+++ b/lib/galaxy/webapps/galaxy/controllers/dataset.py
@@ -934,9 +934,12 @@
"""
Show the parameters used for the job associated with an HDA
"""
- hda = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( trans.security.decode_id( dataset_id ) )
+ try:
+ hda = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( trans.security.decode_id( dataset_id ) )
+ except ValueError:
+ hda = None
if not hda:
- raise paste.httpexceptions.HTTPRequestRangeNotSatisfiable( "Invalid reference dataset id: %s." % str( dataset_id ) )
+ raise paste.httpexceptions.HTTPRequestRangeNotSatisfiable( "Invalid reference dataset id: %s." % escape( str( dataset_id ) ) )
if not self._can_access_dataset( trans, hda ):
return trans.show_error_message( "You are not allowed to access this dataset" )
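Review bot: The new `except ValueError:` branch only sets `hda = None`; nothing is logged, although the commit summary says the error is now logged. Assuming the module has the usual `log` logger, add `log.warning( "Invalid dataset id passed to show_params: %r", dataset_id )` in that branch so malformed ids are visible to whoever monitors the server. `dataset_id` defaults to `None` in the signature, and it is not visible here whether `decode_id( None )` raises `ValueError` or a different exception that would still escape the handler. `HTTPRequestRangeNotSatisfiable` (416) is also an unusual status for a bad identifier; a 400 or 404 would describe it better. The hunk does not show an import of `escape` in dataset.py, so confirm it is in scope; the function's `def` line is outside the hunk.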
@@ -967,8 +970,7 @@
except:
params_objects = job.get_param_values( trans.app, ignore_errors=True )
# use different param_objects in the following line, since we want to display original values as much as possible
- upgrade_messages = tool.check_and_update_param_values( job.get_param_values( trans.app,
- ignore_errors=True ),
+ upgrade_messages = tool.check_and_update_param_values( job.get_param_values( trans.app, ignore_errors=True ),
trans,
update_values=False )
has_parameter_errors = True
https://bitbucket.org/galaxy/galaxy-central/commits/502ee96ed98d/
Changeset: 502ee96ed98d
Branch: next-stable
User: dannon
Date: 2014-12-04 19:04:52+00:00
Summary: Cleanup of search functionality while hunting bugs.
Affected #: 3 files
diff -r 84bf14a4e9de8bb7a27411933c28fdc237b75a52 -r 502ee96ed98d74e31844dc601599fd4c10006090 lib/galaxy/webapps/galaxy/controllers/search.py
--- a/lib/galaxy/webapps/galaxy/controllers/search.py
+++ b/lib/galaxy/webapps/galaxy/controllers/search.py
@@ -1,4 +1,3 @@
-
"""
Contains a basic search interface for Galaxy
"""
@@ -8,7 +7,8 @@
log = logging.getLogger( __name__ )
+
class SearchController( BaseUIController ):
@web.expose
def index(self, trans):
- return trans.fill_template( "search/index.mako")
+ return trans.fill_template( "search/index.mako" )
diff -r 84bf14a4e9de8bb7a27411933c28fdc237b75a52 -r 502ee96ed98d74e31844dc601599fd4c10006090 templates/search/index.mako
--- a/templates/search/index.mako
+++ b/templates/search/index.mako
@@ -17,9 +17,9 @@
${parent.stylesheets()}
<style>
.searchResult {
- border-style:dashed;
- border-width:1px;
- margin: 5px;
+ border-style:dashed;
+ border-width:1px;
+ margin: 5px;
}
</style>
@@ -30,17 +30,17 @@
<script type="text/javascript">
var search_format_output = function(doc) {
- var div_class = "historyItem";
- var a = $("<div class='" + div_class + "'>")
- a.append($("<div>").append(doc['model_class']));
- b = a.append( $("<div class='historyItemTitle'><a href='/file/" + doc['id'] + "'>" + doc['name'] + "</a></div>") );
- if ('misc_blurb' in doc) {
- b.append( $("<div>").append(doc["misc_blurb"]) );
- }
- if ('peek' in doc) {
- b.append( $("<pre class='peek'>").append( doc["peek"]) );
- }
- return a;
+ var div_class = "historyItem";
+ var a = $("<div class='" + div_class + "'>")
+ a.append($("<div>").append(doc['model_class']));
+ b = a.append( $("<div class='historyItemTitle'><a href='/file/" + doc['id'] + "'>" + doc['name'] + "</a></div>") );
+ if ('misc_blurb' in doc) {
+ b.append( $("<div>").append(doc["misc_blurb"]) );
+ }
+ if ('peek' in doc) {
+ b.append( $("<pre class='peek'>").append( doc["peek"]) );
+ }
+ return a;
}
</script>
diff -r 84bf14a4e9de8bb7a27411933c28fdc237b75a52 -r 502ee96ed98d74e31844dc601599fd4c10006090 templates/search/search.mako
--- a/templates/search/search.mako
+++ b/templates/search/search.mako
@@ -2,7 +2,7 @@
<%def name="search_init()">
${h.js(
- 'libs/jquery/jquery',
+ 'libs/jquery/jquery',
)}
</%def>
@@ -12,54 +12,54 @@
<script type="text/javascript">
function doSearch(query) {
- if (query.length > 1) {
- var url = "/api/search";
- $.ajax({
- type : 'POST',
- url: url,
- data: JSON.stringify({"query" : query }),
- contentType : 'application/json',
- dataType : 'json',
- success : function(data) {
- var p = $("#output");
- p.empty();
- for(var i in data) {
- var e = ${output_format}(data[i]);
- p.append(e);
- }
- }
- });
- }
+ if (query.length > 1) {
+ var url = "/api/search";
+ $.ajax({
+ type : 'POST',
+ url: url,
+ data: JSON.stringify({"query" : query }),
+ contentType : 'application/json',
+ dataType : 'json',
+ success : function(data) {
+ var p = $("#output");
+ p.empty();
+ for(var i in data) {
+ var e = ${output_format}(data[i]);
+ p.append(e);
+ }
+ }
+ });
+ }
};
$(document).ready( function() {
- $("#search_button").click(function() {
- doSearch($("#search_text").val());
- });
- $('#search_text').keyup(function(e){
- if(e.keyCode == 13) {
- doSearch($("#search_text").val());
- }
- });
- doSearch($("#search_text").val());
+ $("#search_button").click(function() {
+ doSearch($("#search_text").val());
+ });
+ $('#search_text').keyup(function(e){
+ if(e.keyCode == 13) {
+ doSearch($("#search_text").val());
+ }
+ });
+ doSearch($("#search_text").val());
});
var queryURL = function (query) {
- var url = "/api/search" + encodeURIComponent(query);
- url = url + "&field=" + $("#searchFields").val();
- if ($("#fileType").val() != "All") {
- url = url + "&type=" + $("#fileType").val()
- }
- return url;
+ var url = "/api/search" + encodeURIComponent(query);
+ url = url + "&field=" + $("#searchFields").val();
+ if ($("#fileType").val() != "All") {
+ url = url + "&type=" + $("#fileType").val()
+ }
+ return url;
}
</script><div id="search_box" style="margin: 20px;">
- <input type="text" id="search_text" size="90"/>
+ <input type="text" id="search_text" size="90"/></div><div style="margin: 20px;">
- <input type="button" id="search_button" value="Search"/>
+ <input type="button" id="search_button" value="Search"/></div><div id="output"></div>
https://bitbucket.org/galaxy/galaxy-central/commits/02681fa23902/
Changeset: 02681fa23902
Branch: next-stable
User: dannon
Date: 2014-12-04 20:23:35+00:00
Summary: Fix search to work for at least datasets, hdas, etc.
Affected #: 2 files
diff -r 502ee96ed98d74e31844dc601599fd4c10006090 -r 02681fa23902d774892634cbbe5c9fbaf26f0846 templates/search/index.mako
--- a/templates/search/index.mako
+++ b/templates/search/index.mako
@@ -1,52 +1,112 @@
-
<%inherit file="/webapps/galaxy/base_panels.mako"/>
-<%namespace file="/search/search.mako" import="search_init" />
-<%namespace file="/search/search.mako" import="search_dialog" /><%def name="init()">
-<%
- self.has_left_panel=False
- self.has_right_panel=False
- self.message_box_visible=False
- self.active_view="shared"
- self.overlay_visible=False
-%>
+ <%
+ self.has_left_panel=False
+ self.has_right_panel=False
+ self.message_box_visible=False
+ self.active_view="shared"
+ self.overlay_visible=False
+ %></%def><%def name="stylesheets()">
-${parent.stylesheets()}
-<style>
-.searchResult {
- border-style:dashed;
- border-width:1px;
- margin: 5px;
-}
-</style>
+ ${parent.stylesheets()}
+ <style>
+ .searchResult {
+ border-style:dashed;
+ border-width:1px;
+ margin: 5px;
+ }
+ </style>
+</%def>
+
+
+<%def name="javascripts()">
+ ${parent.javascripts()}
+ ${h.js(
+ "libs/jquery/jquery",
+ )}
+ <script type="text/javascript">
+
+ function search_format_output(doc) {
+ var div_class = "historyItem";
+ var a = $("<div class='" + div_class + "'>")
+ a.append($("<div>").append(doc['model_class']));
+ b = a.append( $("<div class='historyItemTitle'><a href='/file/" + doc['id'] + "'>" + doc['name'] + "</a></div>") );
+ if ('misc_blurb' in doc) {
+ b.append( $("<div>").append(doc["misc_blurb"]) );
+ }
+ if ('peek' in doc) {
+ b.append( $("<pre class='peek'>").append( doc["peek"]) );
+ }
+ return a;
+ }
+
+ function doSearch(query) {
+ if (query.length > 1) {
+ var url = "/api/search";
+ $.ajax({
+ type : 'POST',
+ url: url,
+ data: JSON.stringify({"query" : query }),
+ contentType : 'application/json',
+ dataType : 'json',
+ success : function(data) {
+ var p = $("#output");
+ p.empty();
+ _.each(data.results, function(doc){
+ var div_class = "historyItem";
+ var a = $("<div class='" + div_class + "'>")
+ a.append($("<div>").append(doc['model_class']));
+ b = a.append( $("<div class='historyItemTitle'><a href='/file/" + doc['id'] + "'>" + doc['name'] + "</a></div>") );
+ if ('misc_blurb' in doc) {
+ b.append( $("<div>").append(doc["misc_blurb"]) );
+ }
+ if ('peek' in doc) {
+ b.append( $("<pre class='peek'>").append( doc["peek"]) );
+ }
+ p.append(b);
+ });
+ }
+ });
+ }
+ };
+
+
+ var queryURL = function (query) {
+ var url = "/api/search" + encodeURIComponent(query);
+ url = url + "&field=" + $("#searchFields").val();
+ if ($("#fileType").val() != "All") {
+ url = url + "&type=" + $("#fileType").val()
+ }
+ return url;
+ }
+
+ $(document).ready( function() {
+ $("#search_button").click(function() {
+ doSearch($("#search_text").val());
+ });
+ $('#search_text').keyup(function(e){
+ if(e.keyCode == 13) {
+ doSearch($("#search_text").val());
+ }
+ });
+ doSearch($("#search_text").val());
+ });
+ </script></%def>
+
<%def name="center_panel()">
-${search_init()}
-<script type="text/javascript">
-var search_format_output = function(doc) {
- var div_class = "historyItem";
- var a = $("<div class='" + div_class + "'>")
- a.append($("<div>").append(doc['model_class']));
- b = a.append( $("<div class='historyItemTitle'><a href='/file/" + doc['id'] + "'>" + doc['name'] + "</a></div>") );
- if ('misc_blurb' in doc) {
- b.append( $("<div>").append(doc["misc_blurb"]) );
- }
- if ('peek' in doc) {
- b.append( $("<pre class='peek'>").append( doc["peek"]) );
- }
- return a;
-}
+ <div id="search_box" style="margin: 20px;">
+ <input type="text" id="search_text" size="90"/>
+ </div>
+ <div style="margin: 20px;">
+ <input type="button" id="search_button" value="Search"/>
+ </div>
+ <div id="output"></div>
-</script>
-<div style="overflow: auto; height: 100%">
-${search_dialog("search_format_output")}
-</div></%def>
-
-
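Review bot: The result renderer in the `success` callback, and the identical and now uncalled `search_format_output` above it, concatenates `doc['id']` and `doc['name']` into markup. It also passes `doc['model_class']`, `doc['misc_blurb']` and `doc['peek']` to jQuery `.append()`, which parses strings as HTML, so any field carrying user-supplied text (a dataset name presumably can) is interpreted as markup in the viewer's session. Build the nodes with `.text()` and `.attr()` and have the callback call the one helper, as sketched below. If `peek` is meant to arrive as server-generated HTML, keep it as HTML only once the server side is confirmed to escape it. Separately, `b` is assigned without `var`, and `_.each` is used although this def loads only jQuery, so underscore has to come from `parent.javascripts()`.

```mako
function search_format_output(doc) {
    var item = $("<div>").addClass("historyItem");
    item.append($("<div>").text(doc['model_class']));
    var link = $("<a>")
        .attr("href", "/file/" + encodeURIComponent(doc['id']))
        .text(doc['name']);
    item.append($("<div>").addClass("historyItemTitle").append(link));
    if ('misc_blurb' in doc) {
        item.append($("<div>").text(doc["misc_blurb"]));
    }
    if ('peek' in doc) {
        // text() assumes peek is plain text; see the note if it is server-built HTML
        item.append($("<pre>").addClass("peek").text(doc["peek"]));
    }
    return item;
}
// … unchanged: doSearch up to the success callback …
            _.each(data.results, function(doc){
                p.append(search_format_output(doc));
            });
```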
diff -r 502ee96ed98d74e31844dc601599fd4c10006090 -r 02681fa23902d774892634cbbe5c9fbaf26f0846 templates/search/search.mako
--- a/templates/search/search.mako
+++ /dev/null
@@ -1,68 +0,0 @@
-
-<%def name="search_init()">
-
- ${h.js(
- 'libs/jquery/jquery',
-)}
-
-</%def>
-
-<%def name="search_dialog(output_format)">
-
-<script type="text/javascript">
-
-function doSearch(query) {
- if (query.length > 1) {
- var url = "/api/search";
- $.ajax({
- type : 'POST',
- url: url,
- data: JSON.stringify({"query" : query }),
- contentType : 'application/json',
- dataType : 'json',
- success : function(data) {
- var p = $("#output");
- p.empty();
- for(var i in data) {
- var e = ${output_format}(data[i]);
- p.append(e);
- }
- }
- });
- }
-};
-
-$(document).ready( function() {
- $("#search_button").click(function() {
- doSearch($("#search_text").val());
- });
- $('#search_text').keyup(function(e){
- if(e.keyCode == 13) {
- doSearch($("#search_text").val());
- }
- });
- doSearch($("#search_text").val());
-});
-
-var queryURL = function (query) {
- var url = "/api/search" + encodeURIComponent(query);
- url = url + "&field=" + $("#searchFields").val();
- if ($("#fileType").val() != "All") {
- url = url + "&type=" + $("#fileType").val()
- }
- return url;
-}
-
-</script>
-
-<div id="search_box" style="margin: 20px;">
- <input type="text" id="search_text" size="90"/>
-</div>
-<div style="margin: 20px;">
- <input type="button" id="search_button" value="Search"/>
-</div>
-
-<div id="output"></div>
-
-
-</%def>
https://bitbucket.org/galaxy/galaxy-central/commits/ead3e859dda1/
Changeset: ead3e859dda1
Branch: next-stable
User: dannon
Date: 2014-12-04 20:27:19+00:00
Summary: Disable search interface for right now -- I made it not broken in the previous commit, but nobody should be using this yet.
Affected #: 1 file
diff -r 02681fa23902d774892634cbbe5c9fbaf26f0846 -r ead3e859dda102520ea706bb3a566723af33a90f lib/galaxy/webapps/galaxy/controllers/search.py
--- a/lib/galaxy/webapps/galaxy/controllers/search.py
+++ b/lib/galaxy/webapps/galaxy/controllers/search.py
@@ -9,6 +9,11 @@
class SearchController( BaseUIController ):
+
@web.expose
def index(self, trans):
- return trans.fill_template( "search/index.mako" )
+ """
+ Not ready for human consumption, yet. Power users can still use the
+ search API.
+ """
+ return trans.show_message("Sorry, the search interface isn't quite ready for use, yet.")
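Review bot: The docstring on `index` should say that this change only removes the page, not access to search. `/api/search`, which the template in the previous commit posts to, stays reachable, so whatever restricts who may see which results has to be enforced in the API itself rather than by hiding the UI. I would word it as `"""Search UI is disabled for now; the search API stays enabled and must enforce its own access checks."""` and add `# TODO: restore trans.fill_template( "search/index.mako" ) once the UI is ready` so the way back is recorded. The class body may continue beyond the hunk.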
https://bitbucket.org/galaxy/galaxy-central/commits/a37ee286981b/
Changeset: a37ee286981b
Branch: next-stable
User: dannon
Date: 2014-12-04 20:29:06+00:00
Summary: Tweak message and commentary for search controller.
Affected #: 1 file
diff -r ead3e859dda102520ea706bb3a566723af33a90f -r a37ee286981b363c0f8b644c3a40a7007648fffe lib/galaxy/webapps/galaxy/controllers/search.py
--- a/lib/galaxy/webapps/galaxy/controllers/search.py
+++ b/lib/galaxy/webapps/galaxy/controllers/search.py
@@ -13,7 +13,7 @@
@web.expose
def index(self, trans):
"""
- Not ready for human consumption, yet. Power users can still use the
- search API.
+ Per the message, this is not ready for human consumption, yet. Power
+ users can still use the search API.
"""
- return trans.show_message("Sorry, the search interface isn't quite ready for use, yet.")
+ return trans.show_message("Sorry, the search interface isn't quite ready for use, yet. Watch the release notes and check back later!")
https://bitbucket.org/galaxy/galaxy-central/commits/b51526d2f9b4/
Changeset: b51526d2f9b4
Branch: next-stable
User: dannon
Date: 2014-12-04 20:40:51+00:00
Summary: Merge.
Affected #: 3 files
diff -r a37ee286981b363c0f8b644c3a40a7007648fffe -r b51526d2f9b42a0bc64b55584e435ceebe7ceb31 client/galaxy/scripts/mvc/tools/tools-tree.js
--- a/client/galaxy/scripts/mvc/tools/tools-tree.js
+++ b/client/galaxy/scripts/mvc/tools/tools-tree.js
@@ -125,6 +125,9 @@
// handle default value
if (!field.skip) {
+ if (input.optional && field.validate && !field.validate()) {
+ value = 'None';
+ }
add (job_input_id, input.id, value);
}
}
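Review bot: An optional input whose `field.validate()` fails is now submitted as the string `'None'` with no signal to the user. A typed-but-invalid value and an empty field become indistinguishable in the job definition, and a legitimate literal `None` cannot be told apart from the sentinel. If `validate()` only reports emptiness this is harmless, but that is not visible here. At minimum document the intent above the new `if`, e.g. `// optional field left empty or invalid: submit the 'None' sentinel (assumes the server reads it as "no value")`. The same three lines are added to `static/scripts/mvc/tools/tools-tree.js`, and the enclosing function starts and ends outside the hunk.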
diff -r a37ee286981b363c0f8b644c3a40a7007648fffe -r b51526d2f9b42a0bc64b55584e435ceebe7ceb31 static/scripts/mvc/tools/tools-tree.js
--- a/static/scripts/mvc/tools/tools-tree.js
+++ b/static/scripts/mvc/tools/tools-tree.js
@@ -125,6 +125,9 @@
// handle default value
if (!field.skip) {
+ if (input.optional && field.validate && !field.validate()) {
+ value = 'None';
+ }
add (job_input_id, input.id, value);
}
}
diff -r a37ee286981b363c0f8b644c3a40a7007648fffe -r b51526d2f9b42a0bc64b55584e435ceebe7ceb31 static/scripts/packed/mvc/tools/tools-tree.js
--- a/static/scripts/packed/mvc/tools/tools-tree.js
+++ b/static/scripts/packed/mvc/tools/tools-tree.js
@@ -1,1 +1,1 @@
-define([],function(){return Backbone.Model.extend({initialize:function(a){this.app=a},refresh:function(){this.dict={};this.xml=$("<div/>");if(!this.app.section){return{}}this._iterate(this.app.section.$el,this.dict,this.xml)},finalize:function(d){d=d||{};var a=this;this.job_def={};this.job_ids={};function c(g,f,e){a.job_def[g]=e;a.job_ids[g]=f}function b(l,o){for(var j in o){var g=o[j];if(g.input){var q=g.input;var k=l;if(l!=""){k+="|"}k+=q.name;switch(q.type){case"repeat":var f="section-";var t=[];var n=null;for(var s in g){var m=s.indexOf(f);if(m!=-1){m+=f.length;t.push(parseInt(s.substr(m)));if(!n){n=s.substr(0,m)}}}t.sort(function(u,i){return u-i});var j=0;for(var h in t){b(k+"_"+j++,g[n+t[h]])}break;case"conditional":var r=a.app.field_list[q.id].value();if(d[q.test_param.type]){r=d[q.test_param.type](r)}c(k+"|"+q.test_param.name,q.id,r);var e=a.matchCase(q,r);if(e!=-1){b(k,o[q.id+"-section-"+e])}break;default:var p=a.app.field_list[q.id];var r=p.value();if(d[q.type]){r=d[q.type](r)}if(!p.skip){c(k,q.id,r)}}}}}b("",this.dict);return this.job_def},match:function(a){return this.job_ids&&this.job_ids[a]},matchCase:function(a,c){if(a.test_param.type=="boolean"){if(c=="true"){c=a.test_param.truevalue||"true"}else{c=a.test_param.falsevalue||"false"}}for(var b in a.cases){if(a.cases[b].value==c){return b}}return -1},matchModel:function(c,e){var a={};var b=this;function d(f,o){for(var l in o){var h=o[l];var m=h.name;if(f!=""){m=f+"|"+m}switch(h.type){case"repeat":for(var k in h.cache){d(m+"_"+k,h.cache[k])}break;case"conditional":var p=h.test_param&&h.test_param.value;var g=b.matchCase(h,p);if(g!=-1){d(m,h.cases[g].inputs)}break;default:var n=b.app.tree.job_ids[m];if(n){e(n,h)}}}}d("",c.inputs);return a},matchResponse:function(c){var a={};var b=this;function d(k,h){if(typeof h==="string"){var f=b.app.tree.job_ids[k];if(f){a[f]=h}}else{for(var g in h){var e=g;if(k!==""){var j="|";if(h instanceof Array){j="_"}e=k+j+e}d(e,h[g])}}}d("",c);return 
a},references:function(c,e){var g=[];var b=this;function d(h,j){var i=$(j).children();var l=[];var k=false;i.each(function(){var o=this;var n=$(o).attr("id");if(n!==c){var m=b.app.input_list[n];if(m){if(m.name==h){k=true;return false}if(m.data_ref==h&&m.type==e){l.push(n)}}}});if(!k){g=g.concat(l);i.each(function(){d(h,this)})}}var f=this.xml.find("#"+c);if(f.length>0){var a=this.app.input_list[c];if(a){d(a.name,f.parent())}}return g},_iterate:function(d,e,b){var a=this;var c=$(d).children();c.each(function(){var i=this;var h=$(i).attr("id");if($(i).hasClass("section-row")){e[h]={};var f=a.app.input_list[h];if(f){e[h]={input:f}}var g=$('<div id="'+h+'"/>');b.append(g);a._iterate(i,e[h],g)}else{a._iterate(i,e,b)}})}})});
\ No newline at end of file
+define([],function(){return Backbone.Model.extend({initialize:function(a){this.app=a},refresh:function(){this.dict={};this.xml=$("<div/>");if(!this.app.section){return{}}this._iterate(this.app.section.$el,this.dict,this.xml)},finalize:function(d){d=d||{};var a=this;this.job_def={};this.job_ids={};function c(g,f,e){a.job_def[g]=e;a.job_ids[g]=f}function b(l,o){for(var j in o){var g=o[j];if(g.input){var q=g.input;var k=l;if(l!=""){k+="|"}k+=q.name;switch(q.type){case"repeat":var f="section-";var t=[];var n=null;for(var s in g){var m=s.indexOf(f);if(m!=-1){m+=f.length;t.push(parseInt(s.substr(m)));if(!n){n=s.substr(0,m)}}}t.sort(function(u,i){return u-i});var j=0;for(var h in t){b(k+"_"+j++,g[n+t[h]])}break;case"conditional":var r=a.app.field_list[q.id].value();if(d[q.test_param.type]){r=d[q.test_param.type](r)}c(k+"|"+q.test_param.name,q.id,r);var e=a.matchCase(q,r);if(e!=-1){b(k,o[q.id+"-section-"+e])}break;default:var p=a.app.field_list[q.id];var r=p.value();if(d[q.type]){r=d[q.type](r)}if(!p.skip){if(q.optional&&p.validate&&!p.validate()){r="None"}c(k,q.id,r)}}}}}b("",this.dict);return this.job_def},match:function(a){return this.job_ids&&this.job_ids[a]},matchCase:function(a,c){if(a.test_param.type=="boolean"){if(c=="true"){c=a.test_param.truevalue||"true"}else{c=a.test_param.falsevalue||"false"}}for(var b in a.cases){if(a.cases[b].value==c){return b}}return -1},matchModel:function(c,e){var a={};var b=this;function d(f,o){for(var l in o){var h=o[l];var m=h.name;if(f!=""){m=f+"|"+m}switch(h.type){case"repeat":for(var k in h.cache){d(m+"_"+k,h.cache[k])}break;case"conditional":var p=h.test_param&&h.test_param.value;var g=b.matchCase(h,p);if(g!=-1){d(m,h.cases[g].inputs)}break;default:var n=b.app.tree.job_ids[m];if(n){e(n,h)}}}}d("",c.inputs);return a},matchResponse:function(c){var a={};var b=this;function d(k,h){if(typeof h==="string"){var f=b.app.tree.job_ids[k];if(f){a[f]=h}}else{for(var g in h){var e=g;if(k!==""){var j="|";if(h instanceof 
Array){j="_"}e=k+j+e}d(e,h[g])}}}d("",c);return a},references:function(c,e){var g=[];var b=this;function d(h,j){var i=$(j).children();var l=[];var k=false;i.each(function(){var o=this;var n=$(o).attr("id");if(n!==c){var m=b.app.input_list[n];if(m){if(m.name==h){k=true;return false}if(m.data_ref==h&&m.type==e){l.push(n)}}}});if(!k){g=g.concat(l);i.each(function(){d(h,this)})}}var f=this.xml.find("#"+c);if(f.length>0){var a=this.app.input_list[c];if(a){d(a.name,f.parent())}}return g},_iterate:function(d,e,b){var a=this;var c=$(d).children();c.each(function(){var i=this;var h=$(i).attr("id");if($(i).hasClass("section-row")){e[h]={};var f=a.app.input_list[h];if(f){e[h]={input:f}}var g=$('<div id="'+h+'"/>');b.append(g);a._iterate(i,e[h],g)}else{a._iterate(i,e,b)}})}})});
\ No newline at end of file
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
--
This is a commit notification from bitbucket.org. You are receiving
this because you have the service enabled, addressing the recipient of
this email.