Hello everybody,

i'm sorry for posting again. I didn't have any answer during the
christmas holiday, so i take another (and last) chance :)

I'm running a fresh galaxy-dist installation (changeset
4640:8729d2e29b02) on a Centos 5.5 distribution. I'm using LDAP
authentication through Apache.

Here is the situation. As a galaxy admin, i've created a "new data
library" called "TP" through the admin interface.

I've another user, called "foobar" which belongs to a group called "TP
Admin" which is associated to the role "TP Admin".

I've edited the permissions of the "TP" library to only associate "TP
Admin" role to "add library item". No other entry is associated with any
role.

The "foobar" user logs into galaxy and go to "Shared Data/Data
libraries". He chooses "TP" and click on "Add datasets". The problem is
that the option "Upload files from filesystem paths" appears in the
scrolling "upload option" list even if "foobar" is not a galaxy admin.
This means that he can virtually access any file on the filesystem.

The comments in the "universe_wsgi.ini" mention "Please note the
security implication that this will give Galaxy Admins access to
anything your Galaxy user has access to." which seems ok for Galaxy
admins, but it looks like this is also the case for any galaxy user.

Any advice on this behaviour? Maybe i misunderstood something.

Regards,

Jean-Baptiste Denis

_______________________________________________
galaxy-dev mailing list
galaxy-dev@lists.bx.psu.edu
http://lists.bx.psu.edu/listinfo/galaxy-dev