2 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/changeset/4bab7894219e/ changeset: 4bab7894219e user: dan date: 2012-10-15 23:38:12 summary: Allow admins to access datasets/jobs with access restrictions. affected #: 1 file diff -r 98b196af6c3ed8c34c3dc05ba1fd9242a29f640d -r 4bab7894219e1f273f58c216bfce905c7ec81bd3 lib/galaxy/webapps/galaxy/controllers/dataset.py --- a/lib/galaxy/webapps/galaxy/controllers/dataset.py +++ b/lib/galaxy/webapps/galaxy/controllers/dataset.py @@ -160,13 +160,16 @@ dataset is either nonexistent or inaccessible to the user. ''' hda = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( trans.security.decode_id( dataset_id ) ) - assert hda and trans.app.security_agent.can_access_dataset( trans.get_current_user_roles(), hda.dataset ) + assert hda and self._can_access_dataset( trans, hda ) return hda.creating_job - + + def _can_access_dataset( self, trans, dataset, allow_admin=True ): + return ( allow_admin and trans.user_is_admin() ) or trans.app.security_agent.can_access_dataset( trans.get_current_user_roles(), dataset ) + @web.expose def errors( self, trans, id ): hda = trans.sa_session.query( model.HistoryDatasetAssociation ).get( id ) - if not hda or not trans.app.security_agent.can_access_dataset( trans.get_current_user_roles(), hda.dataset ): + if not hda or not self._can_access_dataset( trans, hda ): return trans.show_error_message( "Either this dataset does not exist or you do not have permission to access it." ) return trans.fill_template( "dataset/errors.mako", hda=hda ) @web.expose 
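Review bot: The new `_can_access_dataset` helper in the `@@ -160,13 +160,16 @@` hunk forwards its `dataset` argument unchanged to `security_agent.can_access_dataset`, but every call site in this commit passes the HistoryDatasetAssociation (`hda` / `data`), whereas the removed lines passed `hda.dataset` / `data.dataset`. For non-admin users the role check therefore runs against a different object than before; how the security agent treats an association is not visible here, so the outcome may be an exception or a wrong access decision. Dereference inside the helper, e.g. `def _can_access_dataset( self, trans, dataset_association, allow_admin=True ):` returning `( allow_admin and trans.user_is_admin() ) or trans.app.security_agent.can_access_dataset( trans.get_current_user_roles(), dataset_association.dataset )`. The same applies to the call sites in the hunks at -174, -248, -268, -292, -367, -700, -726 and -979.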
@@ -174,7 +177,7 @@ trans.response.set_content_type( 'text/plain' ) try: hda = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( trans.security.decode_id( dataset_id ) ) - assert hda and trans.app.security_agent.can_access_dataset( trans.get_current_user_roles(), hda.dataset ) + assert hda and self._can_access_dataset( trans, hda ) job = hda.creating_job_associations[0].job except: return "Invalid dataset ID or you are not allowed to access this dataset" @@ -248,7 +251,7 @@ # Check email a bit email = email.strip() parts = email.split() - if len( parts ) == 1 and len( email ) > 0 and trans.app.security_agent.can_access_dataset( trans.get_current_user_roles(), hda.dataset ): + if len( parts ) == 1 and len( email ) > 0 and self._can_access_dataset( trans, hda ): to = to_address + ", " + email else: to = to_address @@ -268,7 +271,7 @@ def get_metadata_file(self, trans, hda_id, metadata_name): """ Allows the downloading of metadata files associated with datasets (eg. bai index for bam files) """ data = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( trans.security.decode_id( hda_id ) ) - if not data or not trans.app.security_agent.can_access_dataset( trans.get_current_user_roles(), data.dataset ): + if not data or not self._can_access_dataset( trans, data ): return trans.show_error_message( "You are not allowed to access this dataset" ) valid_chars = '.,^_-()[]0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' 
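Review bot: In the `@@ -174,7 +177,7 @@` hunk the authorization decision is still made with `assert`, which Python strips when run with `-O`, so the access check would silently disappear in an optimized deployment; the `assert` in the `@@ -160,13 +160,16 @@` hunk has the same problem. Here the surrounding bare `except:` additionally turns any unrelated failure (undecodable id, empty `creating_job_associations`) into the same "not allowed" message, which hides real errors. Prefer an explicit test such as `if not hda or not self._can_access_dataset( trans, hda ): return "Invalid dataset ID or you are not allowed to access this dataset"` and narrow the `except` to the exceptions the lookup can raise. The enclosing function starts and ends outside the hunk.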
@@ -292,7 +295,7 @@ data = None if not data: raise paste.httpexceptions.HTTPRequestRangeNotSatisfiable( "Invalid reference dataset id: %s." % str( hda_id ) ) - if not trans.app.security_agent.can_access_dataset( trans.get_current_user_roles(), data.dataset ): + if not self._can_access_dataset( trans, data ): return trans.show_error_message( "You are not allowed to access this dataset" ) if data.state == trans.model.Dataset.states.UPLOAD: return trans.show_error_message( "Please wait until this dataset finishes uploading before attempting to view it." ) @@ -367,7 +370,7 @@ manage_permissions_action = trans.app.security_agent.get_action( trans.app.security_agent.permitted_actions.DATASET_MANAGE_PERMISSIONS.action ) permissions = { manage_permissions_action : [ trans.app.security_agent.get_private_user_role( data.history.user ) ] } trans.app.security_agent.set_dataset_permission( data.dataset, permissions ) - if trans.app.security_agent.can_access_dataset( current_user_roles, data.dataset ): + if self._can_access_dataset( trans, data ): if data.state == trans.model.Dataset.states.UPLOAD: return trans.show_error_message( "Please wait until this dataset finishes uploading before attempting to edit its metadata." ) params = util.Params( kwd, sanitize=False ) @@ -700,7 +703,7 @@ current_user_roles = trans.get_current_user_roles() if trans.app.security_agent.dataset_is_public( data.dataset ): return trans.response.send_redirect( redirect_url ) # anon access already permitted by rbac - if trans.app.security_agent.can_access_dataset( current_user_roles, data.dataset ): + if self._can_access_dataset( trans, data ): trans.app.host_security_agent.set_dataset_permissions( data, trans.user, site ) return trans.response.send_redirect( redirect_url ) else: 
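Review bot: In the `@@ -367,7 +370,7 @@` hunk the admin override now gates a state-changing path (editing dataset metadata), and in the `@@ -700,7 +703,7 @@` hunk it gates the call to `host_security_agent.set_dataset_permissions( data, trans.user, site )`, while the commit summary only speaks of access. No call site passes `allow_admin=False`, so the helper's parameter is never exercised; if the override is meant for read paths only, pass `allow_admin=False` at these two sites. If it is intended, a comment on the helper stating that admins bypass role checks for edits and display-site grants, plus a log entry whenever the admin branch is what granted access, would keep the bypass auditable. Both enclosing functions extend beyond their hunks.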
@@ -726,7 +729,7 @@ link_name = urllib.unquote_plus( link_name ) if None in [ app_name, link_name ]: return trans.show_error_message( "A display application name and link name must be provided." ) - if trans.app.security_agent.can_access_dataset( user_roles, data.dataset ): + if self._can_access_dataset( trans, data ): msg = [] refresh = False display_app = trans.app.datatypes_registry.display_applications.get( app_name ) @@ -979,7 +982,7 @@ hda = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( trans.security.decode_id( dataset_id ) ) if not hda: raise paste.httpexceptions.HTTPRequestRangeNotSatisfiable( "Invalid reference dataset id: %s." % str( dataset_id ) ) - if not trans.app.security_agent.can_access_dataset( trans.get_current_user_roles(), hda.dataset ): + if not self._can_access_dataset( trans, hda ): return trans.show_error_message( "You are not allowed to access this dataset" ) # Get the associated job, if any. If this hda was copied from another, https://bitbucket.org/galaxy/galaxy-central/changeset/de7313adebca/ changeset: de7313adebca user: dan date: 2012-10-15 23:38:37 summary: Allow Admins to rerun jobs with access restrictions. affected #: 1 file diff -r 4bab7894219e1f273f58c216bfce905c7ec81bd3 -r de7313adebca25b9168c0d111386231da4dfd83c lib/galaxy/webapps/galaxy/controllers/tool_runner.py --- a/lib/galaxy/webapps/galaxy/controllers/tool_runner.py +++ b/lib/galaxy/webapps/galaxy/controllers/tool_runner.py 
@@ -121,7 +121,7 @@ # Get the dataset object data = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id ) #only allow rerunning if user is allowed access to the dataset. - if not trans.app.security_agent.can_access_dataset( trans.get_current_user_roles(), data.dataset ): + if not ( trans.user_is_admin() or trans.app.security_agent.can_access_dataset( trans.get_current_user_roles(), data.dataset ) ): error( "You are not allowed to access this dataset" ) # Get the associated job, if any. job = data.creating_job Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
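Review bot: `data` is used without a `None` check in the new condition: for an admin `trans.user_is_admin()` short-circuits and the failure moves to `data.creating_job`, and for other users `data.dataset` raises first, so an unknown `id` yields an attribute error rather than the access-denied message. Guard it in the same condition, e.g. `if data is None or not ( trans.user_is_admin() or trans.app.security_agent.can_access_dataset( trans.get_current_user_roles(), data.dataset ) ):`. This controller also repeats the admin-or-role logic inline instead of sharing one helper with dataset.py, so the two checks can drift apart. The enclosing function is not fully visible in the hunk.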