commit/galaxy-central: carlfeberhard: HDA API: re-add accessibility check
1 new commit in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/c23fb89215ce/ Changeset: c23fb89215ce User: carlfeberhard Date: 2013-09-20 22:12:53 Summary: HDA API: re-add accessibility check Affected #: 1 file diff -r 3fc486ee887aec89a75097477ba7a4acff0ced1b -r c23fb89215ce1d36f23d4806fd04a8153fe6fbe6 lib/galaxy/web/base/controller.py --- a/lib/galaxy/web/base/controller.py +++ b/lib/galaxy/web/base/controller.py @@ -587,8 +587,10 @@ hda_dict[ 'api_type' ] = "file" # Add additional attributes that depend on trans can hence must be added here rather than at the model level. - - #NOTE: access is an expensive operation - removing it and adding the precondition of access is already checked + can_access_hda = trans.app.security_agent.can_access_dataset( trans.get_current_user_roles(), hda.dataset ) + can_access_hda = ( trans.user_is_admin() or can_access_hda ) + if not can_access_hda: + return self.get_inaccessible_hda_dict( trans, hda ) hda_dict[ 'accessible' ] = True # ---- return here if deleted AND purged OR can't access @@ -634,6 +636,18 @@ return trans.security.encode_dict_ids( hda_dict ) + def get_inaccessible_hda_dict( self, trans, hda ): + return trans.security.encode_dict_ids({ + 'id' : hda.id, + 'history_id': hda.history.id, + 'hid' : hda.hid, + 'name' : hda.name, + 'state' : hda.state, + 'deleted' : hda.deleted, + 'visible' : hda.visible, + 'accessible': False + }) + def get_hda_dict_with_error( self, trans, hda, error_msg='' ): return trans.security.encode_dict_ids({ 'id' : hda.id, Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
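Review bot: The two-step assignment in the first hunk always calls `can_access_dataset` before it consults `trans.user_is_admin()`, although the removed NOTE described the access check as expensive. Writing it as `can_access_hda = trans.user_is_admin() or trans.app.security_agent.can_access_dataset( trans.get_current_user_roles(), hda.dataset )` should give the same result and skips the role lookup for admins. The removed NOTE also recorded that callers were expected to check access first, so a comment above the new check, such as `# access is enforced here too; do not rely on callers having checked it`, would stop it being dropped again as an optimisation. The enclosing method starts and ends outside the hunk.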
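Review bot: `get_inaccessible_hda_dict` in the second hunk still returns `name`, `state`, `hid`, `history_id`, `deleted` and `visible` to a caller who has just failed the dataset access check, so metadata is disclosed even though the content is withheld. Dataset names can carry file names or sample identifiers. If that exposure is intended, the method should say so in a docstring, e.g. `"""Return the minimal, non-content fields shown for an HDA the current user may not access."""`; otherwise `name` should be left out of the dict. The field list also appears to repeat the opening of `get_hda_dict_with_error`, whose body continues outside the hunk, so the two may be able to share one helper.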