2 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/b92cdb75f49e/ Changeset: b92cdb75f49e Branch: stable User: dannon Date: 2014-06-09 14:14:18 Summary: Fix impersonation when using external authentication. Admins can now impersonate (and then log out of) users when using external auth. Affected #: 2 files
diff -r 2ade3d7303fadb457d766ec928157e824264dbf6 -r b92cdb75f49efadb927868720915f9a65d4f329d lib/galaxy/web/framework/__init__.py
--- a/lib/galaxy/web/framework/__init__.py
+++ b/lib/galaxy/web/framework/__init__.py
@@ -743,8 +743,10 @@
 # No user, associate
 galaxy_session.user = self.get_or_create_remote_user( remote_user_email )
 galaxy_session_requires_flush = True
- elif galaxy_session.user.email != remote_user_email:
- # Session exists but is not associated with the correct remote user
+ elif galaxy_session.user.email != remote_user_email and self.app.config.allow_user_impersonation and remote_user_email not in [ x.strip() for x in self.app.config.get( "admin_users", "" ).split( "," ) ]:
+ # Session exists but is not associated with the correct
+ # remote user, and the currently set remote_user is not a
+ # potentially impersonating admin.
 invalidate_existing_session = True
 user_for_new_session = self.get_or_create_remote_user( remote_user_email )
 log.warning( "User logged in as '%s' externally, but has a cookie as '%s' invalidating session",
diff -r 2ade3d7303fadb457d766ec928157e824264dbf6 -r b92cdb75f49efadb927868720915f9a65d4f329d lib/galaxy/web/framework/middleware/remoteuser.py
--- a/lib/galaxy/web/framework/middleware/remoteuser.py
+++ b/lib/galaxy/web/framework/middleware/remoteuser.py
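Review bot: With the new condition on the `elif`, a cookie/header mismatch is no longer invalidated at all when `allow_user_impersonation` is off, because the added `and self.app.config.allow_user_impersonation` makes the whole test false, so a browser whose session cookie belongs to one user stays logged in as that user while the external auth header names another; before this change any mismatch invalidated the session. The intent reads as "skip invalidation only when impersonation is enabled and the header user is an admin", which is `elif galaxy_session.user.email != remote_user_email and not ( self.app.config.allow_user_impersonation and remote_user_email in [ x.strip() for x in self.app.config.get( "admin_users", "" ).split( "," ) ] ):`. The log.warning on the invalidation path would then still fire for every real mismatch, which is the behaviour a defender wants to see in the logs. The same line appears again in the merge commit f7dd0060c296 below. The enclosing method starts and ends outside the hunk, so whether a later branch catches the mismatch cannot be seen here.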
@@ -76,6 +76,8 @@
 return self.error( start_response, title, message )
 if path_info.startswith( '/user/create' ) and environ[ self.remote_user_header ] in self.admin_users:
 pass # admins can create users
+ elif path_info.startswith( '/user/logout' ) and environ[ self.remote_user_header ] in self.admin_users:
+ pass # Admin users may be impersonating, allow logout.
 elif path_info.startswith( '/user/api_keys' ):
 pass # api keys can be managed when remote_user is in use
 elif path_info.startswith( '/user/edit_username' ):
https://bitbucket.org/galaxy/galaxy-central/commits/f7dd0060c296/ Changeset: f7dd0060c296 Branch: stable User: natefoo Date: 2014-06-10 15:04:33 Summary: Merged in dannon/galaxy-central-prmaker/stable (pull request #404) Fix impersonation when using external authentication -- #stable Affected #: 2 files
diff -r 0fd0a4273b92cabfb1e0d03d20542c47aa59b9a8 -r f7dd0060c2966f2b9c66c5ac739d0e5a9a31faa0 lib/galaxy/web/framework/__init__.py
--- a/lib/galaxy/web/framework/__init__.py
+++ b/lib/galaxy/web/framework/__init__.py
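Review bot: The new `/user/logout` branch opens the route for every admin whenever remote-user mode is on, but it is not tied to `allow_user_impersonation`, which the companion change in lib/galaxy/web/framework/__init__.py does consult; if that setting is reachable from the middleware, gating the branch on it keeps the two checks in step, and if it is not, the inline comment should say so, e.g. `pass # Admin users may be impersonating; logout is allowed regardless of allow_user_impersonation.` The `startswith( '/user/logout' )` test follows the style of the surrounding checks but admits any path with that prefix, which is broader than the single logout endpoint the comment describes. The same hunk appears again in the merge commit f7dd0060c296 below. The enclosing method starts and ends outside the hunk.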
@@ -743,8 +743,10 @@
 # No user, associate
 galaxy_session.user = self.get_or_create_remote_user( remote_user_email )
 galaxy_session_requires_flush = True
- elif galaxy_session.user.email != remote_user_email:
- # Session exists but is not associated with the correct remote user
+ elif galaxy_session.user.email != remote_user_email and self.app.config.allow_user_impersonation and remote_user_email not in [ x.strip() for x in self.app.config.get( "admin_users", "" ).split( "," ) ]:
+ # Session exists but is not associated with the correct
+ # remote user, and the currently set remote_user is not a
+ # potentially impersonating admin.
 invalidate_existing_session = True
 user_for_new_session = self.get_or_create_remote_user( remote_user_email )
 log.warning( "User logged in as '%s' externally, but has a cookie as '%s' invalidating session",
diff -r 0fd0a4273b92cabfb1e0d03d20542c47aa59b9a8 -r f7dd0060c2966f2b9c66c5ac739d0e5a9a31faa0 lib/galaxy/web/framework/middleware/remoteuser.py
--- a/lib/galaxy/web/framework/middleware/remoteuser.py
+++ b/lib/galaxy/web/framework/middleware/remoteuser.py
@@ -76,6 +76,8 @@
 return self.error( start_response, title, message )
 if path_info.startswith( '/user/create' ) and environ[ self.remote_user_header ] in self.admin_users:
 pass # admins can create users
+ elif path_info.startswith( '/user/logout' ) and environ[ self.remote_user_header ] in self.admin_users:
+ pass # Admin users may be impersonating, allow logout.
 elif path_info.startswith( '/user/api_keys' ):
 pass # api keys can be managed when remote_user is in use
 elif path_info.startswith( '/user/edit_username' ):
Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.