details: http://www.bx.psu.edu/hg/galaxy/rev/6a86a558f405 changeset: 2777:6a86a558f405 user: Greg Von Kuster <greg@bx.psu.edu> date: Fri Sep 25 11:32:47 2009 -0400 description: Fix a bug in the security agent where multiples roles associated with the same permission on the same object were not properly handled. 1 file(s) affected in this change: lib/galaxy/security/__init__.py diffs (100 lines): diff -r a2849c4b7219 -r 6a86a558f405 lib/galaxy/security/__init__.py --- a/lib/galaxy/security/__init__.py Fri Sep 25 11:02:02 2009 -0400 +++ b/lib/galaxy/security/__init__.py Fri Sep 25 11:32:47 2009 -0400 @@ -33,7 +33,7 @@ def get_actions( self ): """Get all permitted actions as a list of Action objects""" return self.permitted_actions.__dict__.values() - def get_item_action( self, action, item ): + def get_item_actions( self, action, item ): raise 'No valid method of retrieving action (%s) for item %s.' % ( action, item ) def guess_derived_permissions_for_datasets( self, datasets = [] ): raise "Unimplemented Method" @@ -102,10 +102,15 @@ Returns true when user has permission to perform an action on an instance of Dataset. """ - dataset_action = self.get_item_action( action, dataset ) - if dataset_action is None: + dataset_actions = self.get_item_actions( action, dataset ) + if not dataset_actions: return action.model == 'restrict' - return dataset_action.role in roles + ret_val = False + for dataset_action in dataset_actions: + if dataset_action.role in roles: + ret_val = True + break + return ret_val def can_access_dataset( self, roles, dataset ): return self.allow_dataset_action( roles, self.permitted_actions.DATASET_ACCESS, dataset ) def can_manage_dataset( self, roles, dataset ): @@ -120,23 +125,25 @@ # All permissions are granted, so non-users cannot have permissions return False # Check to see if user has access to any of the roles associated with action - item_action = self.get_item_action( action, item ) - if item_action is None: + item_actions = self.get_item_actions( action, item ) + if not item_actions: # All permissions are granted, so item must have action return False - return item_action.role in roles + ret_val = False + for item_action in item_actions: + if item_action.role in roles: + ret_val = True + break + return ret_val def can_add_library_item( self, user, roles, item ): return self.allow_library_item_action( user, roles, self.permitted_actions.LIBRARY_ADD, item ) def can_modify_library_item( self, user, roles, item ): return self.allow_library_item_action( user, roles, self.permitted_actions.LIBRARY_MODIFY, item ) def can_manage_library_item( self, user, roles, item ): return self.allow_library_item_action( user, roles, self.permitted_actions.LIBRARY_MANAGE, item ) - def get_item_action( self, action, item ): + def get_item_actions( self, action, item ): # item must be one of: Dataset, Library, LibraryFolder, LibraryDataset, LibraryDatasetDatasetAssociation - for permission in item.actions: - if permission.action == action.action: - return permission - return None + return [ permission for permission in item.actions if permission.action == action.action ] def guess_derived_permissions_for_datasets( self, datasets=[] ): """Returns a dict of { action : [ role, role, ... ] } for the output dataset based upon provided datasets""" perms = {} @@ -427,12 +434,12 @@ on library_item. Otherwise, cycle through all sub-folders in library_item until one is found that meets this criteria, if it exists. This method does not necessarily scan the entire library as it returns when it finds the first library_item that allows user to perform any one action in actions_to_check. - """ + """ for action in actions_to_check: if self.allow_library_item_action( user, roles, action, library_item ): return True, hidden_folder_ids if isinstance( library_item, self.model.Library ): - return self.show_library_item( user, roles, library_item.root_folder, actions_to_check, hidden_folder_ids=hidden_folder_ids ) + return self.show_library_item( user, roles, library_item.root_folder, actions_to_check, hidden_folder_ids='' ) if isinstance( library_item, self.model.LibraryFolder ): for folder in library_item.active_folders: can_show, hidden_folder_ids = self.show_library_item( user, roles, folder, actions_to_check, hidden_folder_ids=hidden_folder_ids ) @@ -525,13 +532,14 @@ .options( eagerload_all( "dataset.actions" ) ) \ .all() for ldda in lddas: - ldda_access = self.get_item_action( action, ldda.dataset ) - if ldda_access is None: + ldda_access_permissions = self.get_item_actions( action, ldda.dataset ) + if not ldda_access_permissions: # Dataset is public return True, hidden_folder_ids - if ldda_access.role in roles: - # The current user has access permission on the dataset - return True, hidden_folder_ids + for ldda_access_permission in ldda_access_permissions: + if ldda_access_permission.role in roles: + # The current user has access permission on the dataset + return True, hidden_folder_ids for sub_folder in folder.active_folders: can_access, hidden_folder_ids = self.check_folder_contents( user, roles, sub_folder, hidden_folder_ids=hidden_folder_ids ) if can_access: