Hello everybody, i'm sorry for posting again. I didn't have any answer during the christmas holiday, so i take another (and last) chance :) I'm running a fresh galaxy-dist installation (changeset 4640:8729d2e29b02) on a Centos 5.5 distribution. I'm using LDAP authentication through Apache. Here is the situation. As a galaxy admin, i've created a "new data library" called "TP" through the admin interface. I've another user, called "foobar" which belongs to a group called "TP Admin" which is associated to the role "TP Admin". I've edited the permissions of the "TP" library to only associate "TP Admin" role to "add library item". No other entry is associated with any role. The "foobar" user logs into galaxy and go to "Shared Data/Data libraries". He chooses "TP" and click on "Add datasets". The problem is that the option "Upload files from filesystem paths" appears in the scrolling "upload option" list even if "foobar" is not a galaxy admin. This means that he can virtually access any file on the filesystem. The comments in the "universe_wsgi.ini" mention "Please note the security implication that this will give Galaxy Admins access to anything your Galaxy user has access to." which seems ok for Galaxy admins, but it looks like this is also the case for any galaxy user. Any advice on this behaviour? Maybe i misunderstood something. Regards, Jean-Baptiste Denis