diff -r e7244f7d613b lib/galaxy/tools/__init__.py
--- a/lib/galaxy/tools/__init__.py	Fri Dec 18 14:18:56 2009 -0500
+++ b/lib/galaxy/tools/__init__.py	Mon Jan 04 13:41:47 2010 -0500
@@ -26,6 +26,7 @@
 from galaxy.datatypes import sniff
 from cgi import FieldStorage
 from galaxy.util.hash_util import *
+from galaxy.util import gordon_tool_permissions
 
 log = logging.getLogger( __name__ )
 
diff -r e7244f7d613b lib/galaxy/tools/actions/__init__.py
--- a/lib/galaxy/tools/actions/__init__.py	Fri Dec 18 14:18:56 2009 -0500
+++ b/lib/galaxy/tools/actions/__init__.py	Mon Jan 04 13:41:47 2010 -0500
@@ -7,6 +7,7 @@
 from galaxy.jobs import JOB_OK
 import galaxy.tools
 from types import *
+from galaxy.util import gordon_tool_permissions
 
 import logging
 log = logging.getLogger( __name__ )
@@ -253,6 +254,18 @@
             parent_dataset.children.append( child_dataset )
         # Store data after custom code runs 
         trans.sa_session.flush()
+        #
+        # Hack By Gordon:
+        # Disable certain tools, if the user is an outside collaborator
+        #
+        if not util.gordon_tool_permissions.tool_allowed_for_user ( trans, tool.id, tool, trans.user, trans.user_is_admin() ) :
+            user_email = "unregistered user"
+            if not (trans.user is None):
+                user_email = trans.user.email
+            log.error("disabling tool %s for outside user %s" % ( tool.id, user_email ) )
+            trans.log_event("disabling tool %s for outside user %s" % ( tool.id, user_email ) )
+            raise str ( "Sorry, tool '%s' is disabled for user '%s'." % ( tool.id, user_email ) )
+        # End of Gordon Hack
         # Create the job object
         job = trans.app.model.Job()
         job.session_id = trans.get_galaxy_session().id
diff -r e7244f7d613b lib/galaxy/util/gordon_tool_permissions.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/galaxy/util/gordon_tool_permissions.py	Mon Jan 04 13:41:47 2010 -0500
@@ -0,0 +1,43 @@
+import logging
+import threading, random, string, re, binascii, pickle, time, datetime, math, re, os, sys, tempfile
+
+log   = logging.getLogger(__name__)
+
+# Hack by gordon:
+#   returns True if the given user is allowed to view/execute the given tool
+#   very hackish and ugly, but should work.
+#   Called by ./lib/galaxy/web/controller/tool_runner.py in index()
+#
+#   Added to support outside collaborators (who aren't allowed to run certain tools)
+#   TODO: make this much more generic (and read access list from an external file)
+def tool_allowed_for_user ( trans, tool_id, tool, user, user_is_admin ):
+    # This hack requires users to register
+    if user is None:
+        log.warn ( "tool_allowed_for_user ( tool = %s, user = None ) - blocking tool usage." )
+        return False
+
+    if user_is_admin:
+        log.warn ("tool_allowed_for_user ( tool = %s, user = %s, user_is_admin ) - allowing tool for administrator" % ( tool_id, user.email ) )
+        return True
+
+    log.warn ( "tool_allowed_for_user ( tool = %s, user = %s )" % ( tool_id, user.email ) )
+
+    # block collaborator's access to import/export tools
+    if ( user.email.find ( "collab_" ) == 0  ):
+        if ( tool_id.find ( "cshl_import") != -1 ) or ( tool_id.find("cshl_export") != -1 ):
+            log.warn ( "tool_allowed_for_user ( tool = %s, user = %s ) - blocking tool usage." % ( tool_id, user.email ) )
+            return False
+
+    ##
+    ## Example
+    ##
+    ## Disable the "Text-Manipulation/Cut" tool for user "gordon2@cshl.edu"
+    if ( user.email.find("gordon2@cshl.edu")==0 ):
+        if ( tool_id.find("Cut1")==0 ):
+            log.warn ( "tool_allowed_for_user ( tool = %s, user = %s ) - blocking tool usage." % ( tool_id, user.email ) )
+            return False
+
+    #
+    # By default, allow access
+    return True
+
diff -r e7244f7d613b lib/galaxy/web/controllers/tool_runner.py
--- a/lib/galaxy/web/controllers/tool_runner.py	Fri Dec 18 14:18:56 2009 -0500
+++ b/lib/galaxy/web/controllers/tool_runner.py	Mon Jan 04 13:41:47 2010 -0500
@@ -7,6 +7,7 @@
 from galaxy.tools import DefaultToolState
 from galaxy.tools.parameters.basic import UnvalidatedValue
 from galaxy.tools.actions import upload_common
+from galaxy.util import gordon_tool_permissions
 
 import logging
 log = logging.getLogger( __name__ )
@@ -43,6 +44,18 @@
             log.error( "index called with tool id '%s' but no such tool exists", tool_id )
             trans.log_event( "Tool id '%s' does not exist" % tool_id )
             return "Tool '%s' does not exist, kwd=%s " % (tool_id, kwd)
+        #
+        # Hack By Gordon:
+        # Disable certain tools, if the user is an outside collaborator
+        #
+        if not util.gordon_tool_permissions.tool_allowed_for_user ( trans, tool_id, tool, trans.user, trans.user_is_admin() ) :
+            user_email = "unregistered user"
+            if not (trans.user is None):
+                user_email = trans.user.email
+            log.error("disabling tool %s for outside user %s" % ( tool_id, user_email ) )
+            trans.log_event("disabling tool %s for outside user %s" % ( tool_id, user_email ) )
+            return "Sorry, tool '%s' is disabled for user '%s'." % ( tool_id, user_email )
+        # End of Gordon Hack
         params = util.Params( kwd, sanitize = False ) #Sanitize parameters when substituting into command line via input wrappers
         #do param translation here, used by datasource tools
         if tool.input_translator: