Galaxy admins, a couple questions:
- If you're running galaxy with REMOTE_USER authentication, do you have local users on the same box?
- If you do, have you done anything to mitigate administrator impersonation in galaxy?
We currently have galaxy deployed on a box that acts as a classroom server. I was poking around and noticed that it was trivial to make curl requests with the REMOTE_USER variable set, and impersonate an admin.
I've been considering solutions to this and arrived on the conclusion that the interface should require a "password" in addition to REMOTE_USER being set. That is, a header with a long random string should be required to be set in the reverse proxy configs, as well as being checked on the galaxy side much like how REMOTE_USER is checked.
Thoughts?
--
Eric Rasche
Programmer II
Center for Phage Technology
Texas A&M University
College Station, TX 77843
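The proposed check (a shared secret header that the reverse proxy must send alongside REMOTE_USER, verified on the application side), as an added example in Python WSGI middleware; this is not Galaxy's own code or configuration. The header name X-Proxy-Auth-Secret, the secret value and the request dictionaries are constructed for the example.

```python
import hmm
```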