1 new commit in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/ff3c5721f748/ Changeset: ff3c5721f748 User: dan Date: 2015-02-02 20:57:18+00:00 Summary: Fix for preventing non-admins from running data managers via the api. Affected #: 4 files diff -r 8e5b9caba8ff493c25684ebdb6f69b819c34dca6 -r ff3c5721f74857cf689966abfdeb0dc9390bf605 lib/galaxy/tools/__init__.py --- a/lib/galaxy/tools/__init__.py +++ b/lib/galaxy/tools/__init__.py @@ -550,6 +550,12 @@ def get_panel_section( self ): return self.app.toolbox.get_integrated_section_for_tool( self ) + def allow_user_access( self, user ): + """ + :returns: bool -- Whether the user is allowed to access the tool. + """ + return True + def parse( self, tool_source, guid=None ): """ Read tool configuration from the element `root` and fill in `self`. @@ -2799,6 +2805,7 @@ self.data_manager_id = self.id def exec_after_process( self, app, inp_data, out_data, param_dict, job=None, **kwds ): + assert self.allow_user_access( job.user ), "You must be an admin to access this tool." #run original exec_after_process super( DataManagerTool, self ).exec_after_process( app, inp_data, out_data, param_dict, job=job, **kwds ) #process results of tool @@ -2822,6 +2829,7 @@ return history user = trans.user assert user, 'You must be logged in to use this tool.' + assert self.allow_user_access( user ), "You must be an admin to access this tool." history = user.data_manager_histories if not history: #create @@ -2841,6 +2849,17 @@ history = None return history + def allow_user_access( self, user ): + """ + :returns: bool -- Whether the user is allowed to access the tool. + Data Manager tools are only accessible to admins. + """ + if super( DataManagerTool, self ).allow_user_access( user ) and self.app.config.is_admin_user( user ): + return True + if user: + user = user.id + log.debug( "User (%s) attempted to access a data manager tool (%s), but is not an admin.", user, self.id ) + return False # Populate tool_type to ToolClass mappings tool_types = {} diff -r 8e5b9caba8ff493c25684ebdb6f69b819c34dca6 -r ff3c5721f74857cf689966abfdeb0dc9390bf605 lib/galaxy/tools/actions/__init__.py --- a/lib/galaxy/tools/actions/__init__.py +++ b/lib/galaxy/tools/actions/__init__.py @@ -155,6 +155,7 @@ submitting the job to the job queue. If history is not specified, use trans.history as destination for tool's output datasets. """ + assert tool.allow_user_access( trans.user ), "User (%s) is not allowed to access this tool." % ( trans.user ) # Set history. if not history: history = tool.get_default_history_by_trans( trans, create=True ) diff -r 8e5b9caba8ff493c25684ebdb6f69b819c34dca6 -r ff3c5721f74857cf689966abfdeb0dc9390bf605 lib/galaxy/webapps/galaxy/api/tools.py --- a/lib/galaxy/webapps/galaxy/api/tools.py +++ b/lib/galaxy/webapps/galaxy/api/tools.py @@ -67,7 +67,7 @@ """ io_details = util.string_as_bool( kwd.get( 'io_details', False ) ) link_details = util.string_as_bool( kwd.get( 'link_details', False ) ) - tool = self._get_tool( id ) + tool = self._get_tool( id, user=trans.user ) return tool.to_dict( trans, io_details=io_details, link_details=link_details ) @_future_expose_api_anonymous @@ -98,7 +98,7 @@ @_future_expose_api_anonymous def citations( self, trans, id, **kwds ): - tool = self._get_tool( id ) + tool = self._get_tool( id, user=trans.user ) rval = [] for citation in tool.citations: rval.append( citation.to_dict( 'bibtex' ) ) @@ -132,7 +132,7 @@ # Get tool. tool_version = payload.get( 'tool_version', None ) tool = trans.app.toolbox.get_tool( payload[ 'tool_id' ] , tool_version ) if 'tool_id' in payload else None - if not tool: + if not tool or not tool.allow_user_access( trans.user ): trans.response.status = 404 return { "message": { "type": "error", "text" : trans.app.model.Dataset.conversion_messages.NO_TOOL } } @@ -230,10 +230,10 @@ # # -- Helper methods -- # - def _get_tool( self, id, tool_version=None ): + def _get_tool( self, id, tool_version=None, user=None ): id = urllib.unquote_plus( id ) tool = self.app.toolbox.get_tool( id, tool_version ) - if not tool: + if not tool or not tool.allow_user_access( user ): raise exceptions.ObjectNotFound("Could not find tool with id '%s'" % id) return tool @@ -300,7 +300,7 @@ # original_job = self.hda_manager.creating_job( original_dataset ) tool = trans.app.toolbox.get_tool( original_job.tool_id ) - if not tool: + if not tool or not tool.allow_user_access( trans.user ): return trans.app.model.Dataset.conversion_messages.NO_TOOL tool_params = dict( [ ( p.name, p.value ) for p in original_job.parameters ] ) diff -r 8e5b9caba8ff493c25684ebdb6f69b819c34dca6 -r ff3c5721f74857cf689966abfdeb0dc9390bf605 lib/galaxy/webapps/galaxy/controllers/tool_runner.py --- a/lib/galaxy/webapps/galaxy/controllers/tool_runner.py +++ b/lib/galaxy/webapps/galaxy/controllers/tool_runner.py @@ -65,7 +65,7 @@ get_loaded_tools_by_lineage=False, set_selected=refreshed_on_change ) # No tool matching the tool id, display an error (shouldn't happen) - if not tool: + if not tool or not tool.allow_user_access( trans.user ): log.error( "index called with tool id '%s' but no such tool exists", tool_id ) trans.log_event( "Tool id '%s' does not exist" % tool_id ) trans.response.status = 404 @@ -191,6 +191,8 @@ # This is expected so not an exception. tool_id_version_message = '' error( "This dataset was created by an obsolete tool (%s). Can't re-run." % tool_id ) + if not tool.allow_user_access( trans.user ): + error( "The requested tool is unknown." ) # Can't rerun upload, external data sources, et cetera. Workflow compatible will proxy this for now if not tool.is_workflow_compatible: error( "The '%s' tool does not currently support rerunning." % tool.name ) Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.