details: http://www.bx.psu.edu/hg/galaxy/rev/b10ae696a0e9 changeset: 3231:b10ae696a0e9 user: Greg Von Kuster <greg@bx.psu.edu> date: Wed Jan 13 10:24:30 2010 -0500 description: Add a new LIBRARY_ACCESS permission that behaves similarly to the DATASET_ACCESS permission. The LIBRARY_ACCESS permission exists only at the Data Library level, and if present, restricts access to the library to users that have the role(s). If absent, the Data Library is considered public. This new permission significantly reduces the checks needed to display the list of accessible libraries displayed on the Data Libraries view, displaying the page much more quickly. The weakness is that Data Libraries may be displayed for the current user whose actual contents may be restricted from the user, so when clicked, no contents will be displayed. If a Data Library is not public, the LIBRARY_ACCESS permission will override the DATASET_ACCESS permissions for its contained datasets. For example, if LIBRARY_ACCESS is set to Role1, but the library contains "public" datasets, the library will still only be displayed to those users that have Role1. Informative messages still need to be added for scenarios like this, and checks need to be added to ensure that permissions on library items ( folders and datasets ) are not set such that the item will be inaccessible. Additional functional tests are also still needed. These will all come in another change set soon.
diffstat: lib/galaxy/security/__init__.py | 87 +++++++------- lib/galaxy/tools/actions/__init__.py | 4 +- lib/galaxy/tools/actions/upload_common.py | 8 +- lib/galaxy/tools/parameters/basic.py | 2 +- lib/galaxy/web/controllers/dataset.py | 4 +- lib/galaxy/web/controllers/library.py | 22 +--- lib/galaxy/web/controllers/library_common.py | 42 +++--- lib/galaxy/web/controllers/requests.py | 2 +- lib/galaxy/web/controllers/root.py | 8 +- lib/galaxy/web/framework/__init__.py | 4 +- templates/dataset/edit_attributes.mako | 2 +- templates/library/browse_libraries.mako | 4 +- templates/library/common/browse_library.mako | 20 +- templates/library/common/common.mako | 4 +- templates/library/common/folder_info.mako | 4 +- templates/library/common/folder_permissions.mako | 7 +- templates/library/common/ldda_edit_info.mako | 4 +- templates/library/common/ldda_info.mako | 9 +- templates/library/common/ldda_permissions.mako | 3 +- templates/library/common/library_dataset_info.mako | 4 +- templates/library/common/library_dataset_permissions.mako | 7 +- templates/library/common/library_info.mako | 4 +- templates/library/common/library_permissions.mako | 4 +- templates/mobile/history/detail.mako | 2 +- templates/mobile/manage_library.mako | 6 +- templates/root/history_common.mako | 2 +- 26 files changed, 131 insertions(+), 138 deletions(-) diffs (850 lines): diff -r 35d2a31cfbaf -r b10ae696a0e9 lib/galaxy/security/__init__.py --- a/lib/galaxy/security/__init__.py Tue Jan 12 16:49:02 2010 -0500 +++ b/lib/galaxy/security/__init__.py Wed Jan 13 10:24:30 2010 -0500 
@@ -20,6 +20,7 @@ permitted_actions = Bunch( DATASET_MANAGE_PERMISSIONS = Action( "manage permissions", "Role members can manage the roles associated with this dataset", "grant" ), DATASET_ACCESS = Action( "access", "Role members can import this dataset into their history for analysis", "restrict" ), + LIBRARY_ACCESS = Action( "access library", "Restrict access to this library to role members only", "restrict" ), LIBRARY_ADD = Action( "add library item", "Role members can add library items to this library item", "grant" ), LIBRARY_MODIFY = Action( "modify library item", "Role members can modify this library item", "grant" ), LIBRARY_MANAGE = Action( "manage library permissions", "Role members can manage roles associated with this library item", "grant" ) @@ -41,11 +42,13 @@ raise "Unimplemented Method" def can_manage_dataset( self, roles, dataset ): raise "Unimplemented Method" - def can_add_library_item( self, user, roles, item ): + def can_access_library( self, roles, library ): raise "Unimplemented Method" - def can_modify_library_item( self, user, roles, item ): + def can_add_library_item( self, roles, item ): raise "Unimplemented Method" - def can_manage_library_item( self, user, roles, item ): + def can_modify_library_item( self, roles, item ): + raise "Unimplemented Method" + def can_manage_library_item( self, roles, item ): raise "Unimplemented Method" def associate_components( self, **kwd ): raise 'No valid method of associating provided components: %s' % kwd 
@@ -61,12 +64,16 @@ raise "Unimplemented Method" def set_dataset_permission( self, dataset, permission ): raise "Unimplemented Method" - def set_all_library_permissions( self, dataset, permissions ): - raise "Unimplemented Method" def dataset_is_public( self, dataset ): raise "Unimplemented Method" def make_dataset_public( self, dataset ): raise "Unimplemented Method" + def set_all_library_permissions( self, dataset, permissions ): + raise "Unimplemented Method" + def library_is_public( self, library ): + raise "Unimplemented Method" + def make_library_public( self, library ): + raise "Unimplemented Method" def get_component_associations( self, **kwd ): raise "Unimplemented Method" def components_are_associated( self, **kwd ): 
@@ -93,50 +100,33 @@ def sa_session( self ): """Returns a SQLAlchemy session""" return self.model.context - def allow_dataset_action( self, roles, action, dataset ): + def allow_action( self, roles, action, item ): """ - Returns true when user has permission to perform an action on an - instance of Dataset. + Method for checking a permission for the current user ( based on roles ) to perform a + specific action on an item, which must be one of: + Dataset, Library, LibraryFolder, LibraryDataset, LibraryDatasetDatasetAssociation """ - dataset_actions = self.get_item_actions( action, dataset ) - if not dataset_actions: - return action.model == 'restrict' - ret_val = False - for dataset_action in dataset_actions: - if dataset_action.role in roles: - ret_val = True - break - return ret_val - def can_access_dataset( self, roles, dataset ): - return self.allow_dataset_action( roles, self.permitted_actions.DATASET_ACCESS, dataset ) - def can_manage_dataset( self, roles, dataset ): - return self.allow_dataset_action( roles, self.permitted_actions.DATASET_MANAGE_PERMISSIONS, dataset ) - def allow_library_item_action( self, user, roles, action, item ): - """ - Method for checking a permission for the current user to perform a - specific library action on a library item, which must be one of: - Library, LibraryFolder, LibraryDataset, LibraryDatasetDatasetAssociation - """ - if user is None: - # All permissions are granted, so non-users cannot have permissions - return False - # Check to see if user has access to any of the roles associated with action item_actions = self.get_item_actions( action, item ) if not item_actions: - # All permissions are granted, so item must have action - return False + return action.model == 'restrict' ret_val = False for item_action in item_actions: if item_action.role in roles: ret_val = True break return ret_val - def can_add_library_item( self, user, roles, item ): - return self.allow_library_item_action( user, roles, 
self.permitted_actions.LIBRARY_ADD, item ) - def can_modify_library_item( self, user, roles, item ): - return self.allow_library_item_action( user, roles, self.permitted_actions.LIBRARY_MODIFY, item ) - def can_manage_library_item( self, user, roles, item ): - return self.allow_library_item_action( user, roles, self.permitted_actions.LIBRARY_MANAGE, item ) + def can_access_dataset( self, roles, dataset ): + return self.allow_action( roles, self.permitted_actions.DATASET_ACCESS, dataset ) + def can_manage_dataset( self, roles, dataset ): + return self.allow_action( roles, self.permitted_actions.DATASET_MANAGE_PERMISSIONS, dataset ) + def can_access_library( self, roles, library ): + return self.library_is_public( library ) or self.allow_action( roles, self.permitted_actions.LIBRARY_ACCESS, library ) + def can_add_library_item( self, roles, item ): + return self.allow_action( roles, self.permitted_actions.LIBRARY_ADD, item ) + def can_modify_library_item( self, roles, item ): + return self.allow_action( roles, self.permitted_actions.LIBRARY_MODIFY, item ) + def can_manage_library_item( self, roles, item ): + return self.allow_action( roles, self.permitted_actions.LIBRARY_MANAGE, item ) def get_item_actions( self, action, item ): # item must be one of: Dataset, Library, LibraryFolder, LibraryDataset, LibraryDatasetDatasetAssociation return [ permission for permission in item.actions if permission.action == action.action ] 
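Review bot: The `library_is_public( library ) or` term in the new `can_access_library` is redundant: LIBRARY_ACCESS is declared with model `'restrict'`, so `allow_action` already returns True when the library has no LIBRARY_ACCESS associations, which is exactly the condition `library_is_public` tests. The browse hunk in lib/galaxy/web/controllers/library.py repeats the same pair (`library_is_public( library ) or can_access_library( roles, library )`); both sites can collapse to the single `can_access_library( roles, library )` call. Since the `if user is None: return False` guard from the removed `allow_library_item_action` is gone, the `allow_action` docstring should also state how anonymous callers are now handled, e.g. `A 'restrict' action with no role associations is granted to every caller, including anonymous users, whose roles list is empty; a 'grant' action with no associations is denied to everyone.`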
@@ -393,6 +383,15 @@ for role_assoc in [ permission_class( action, library_item, role ) for role in roles ]: self.sa_session.add( role_assoc ) self.sa_session.flush() + def library_is_public( self, library ): + # A library is considered public if there are no "access" actions associated with it. + return self.permitted_actions.LIBRARY_ACCESS.action not in [ a.action for a in library.actions ] + def make_library_public( self, library ): + # A library is considered public if there are no "access" actions associated with it. + for lp in library.actions: + if lp.action == self.permitted_actions.LIBRARY_ACCESS.action: + self.sa_session.delete( lp ) + self.sa_session.flush() def get_library_dataset_permissions( self, library_dataset ): # Permissions will always be the same for LibraryDatasets and associated # LibraryDatasetDatasetAssociations @@ -407,9 +406,13 @@ permissions[ action ] = [ library_dataset_permission.role ] return permissions def copy_library_permissions( self, source_library_item, target_library_item, user=None ): - # Copy all permissions from source + # Copy all relevant permissions from source. permissions = {} for role_assoc in source_library_item.actions: + if role_assoc.action == self.permitted_actions.LIBRARY_ACCESS and \ + not( isinstance( source_library_item, galaxy.model.Libary ) and isinstance( target_library_item, galaxy.model.Libary ) ): + # LIBRARY_ACCESS is a special permission that is set only at the library level. + continue if role_assoc.action in permissions: permissions[role_assoc.action].append( role_assoc.role ) else: 
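Review bot: In `copy_library_permissions` the new skip condition compares `role_assoc.action` with the `Action` object `self.permitted_actions.LIBRARY_ACCESS`, while `library_is_public` in the hunk just above compares `a.action` with `LIBRARY_ACCESS.action`, the string; if `role_assoc.action` is a string as that method assumes, this comparison never matches and LIBRARY_ACCESS rows are copied onto folders and datasets after all, contradicting the comment that it is set only at the library level. The same line spells the class `galaxy.model.Libary`, an AttributeError that is currently masked only because the first operand of the `and` is never true, and the rest of the file reaches the model via `self.model` (see the `show_library_item` hunk). Suggested: `if role_assoc.action == self.permitted_actions.LIBRARY_ACCESS.action and \` / `not ( isinstance( source_library_item, self.model.Library ) and isinstance( target_library_item, self.model.Library ) ):`. The method body continues outside the hunk.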
@@ -441,7 +444,7 @@ when it finds the first library_item that allows user to perform any one action in actions_to_check. """ for action in actions_to_check: - if self.allow_library_item_action( user, roles, action, library_item ): + if self.allow_action( roles, action, library_item ): return True, hidden_folder_ids if isinstance( library_item, self.model.Library ): return self.show_library_item( user, roles, library_item.root_folder, actions_to_check, hidden_folder_ids='' ) @@ -467,7 +470,7 @@ if isinstance( library_item, self.model.LibraryFolder ): if library_item.id not in hidden_folder_ids: for action in actions_to_check: - if self.allow_library_item_action( user, roles, action, library_item ): + if self.allow_action( roles, action, library_item ): showable_folders.append( library_item ) break for folder in library_item.active_folders: diff -r 35d2a31cfbaf -r b10ae696a0e9 lib/galaxy/tools/actions/__init__.py --- a/lib/galaxy/tools/actions/__init__.py Tue Jan 12 16:49:02 2010 -0500 +++ b/lib/galaxy/tools/actions/__init__.py Wed Jan 13 10:24:30 2010 -0500 @@ -51,7 +51,7 @@ trans.sa_session.add( assoc ) trans.sa_session.flush() data = new_data - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() if data and not trans.app.security_agent.can_access_dataset( roles, data.dataset ): raise "User does not have permission to use a dataset (%s) provided for input." % data.id return data @@ -269,7 +269,7 @@ # parameters to the command as a special case. for name, value in tool.params_to_strings( incoming, trans.app ).iteritems(): job.add_parameter( name, value ) - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() for name, dataset in inp_data.iteritems(): if dataset: if not trans.app.security_agent.can_access_dataset( roles, dataset.dataset ): diff -r 35d2a31cfbaf -r b10ae696a0e9 lib/galaxy/tools/actions/upload_common.py --- a/lib/galaxy/tools/actions/upload_common.py Tue Jan 12 16:49:02 2010 -0500 
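Review bot: `show_library_item` still forwards `user` in its recursive call (`self.show_library_item( user, roles, library_item.root_folder, ... )`) although the permission check it wraps now takes only `roles`, so `user` appears to have become a dead parameter here and, by the look of the second hunk, in the folder-walking method as well; the signatures are outside the hunks, so this is inferred. Either drop the parameter along with the other `user, roles` removals in this changeset or add a comment stating why it is kept, e.g. `# user is unused since allow_action() keys on roles only; kept for callers not yet updated`.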
+++ b/lib/galaxy/tools/actions/upload_common.py Wed Jan 13 10:24:30 2010 -0500 @@ -67,7 +67,7 @@ async_datasets = [] if params.get( 'async_datasets', None ) not in ["None", "", None]: async_datasets = params['async_datasets'].split(',') - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() for id in async_datasets: try: data = trans.sa_session.query( data_obj ).get( int( id ) ) @@ -82,7 +82,7 @@ else: rval.append( data ) elif data_obj is trans.app.model.LibraryDatasetDatasetAssociation: - if controller == 'library' and not trans.app.security_agent.can_add_library_item( user, roles, data.library_dataset.folder ): + if controller == 'library' and not trans.app.security_agent.can_add_library_item( roles, data.library_dataset.folder ): log.error( 'Got a precreated dataset (%s) but this user (%s) is not allowed to write to it' % ( data.id, user.id ) ) else: rval.append( data ) @@ -122,8 +122,8 @@ trans.sa_session.flush() return hda def new_library_upload( trans, uploaded_dataset, library_bunch, state=None ): - user, roles = trans.get_user_and_roles() - if not ( trans.app.security_agent.can_add_library_item( user, roles, library_bunch.folder ) \ + roles = trans.get_current_user_roles() + if not ( trans.app.security_agent.can_add_library_item( roles, library_bunch.folder ) \ or trans.user.email in trans.app.config.get( "admin_users", "" ).split( "," ) ): # This doesn't have to be pretty - the only time this should happen is if someone's being malicious. raise Exception( "User is not authorized to add datasets to this library." ) diff -r 35d2a31cfbaf -r b10ae696a0e9 lib/galaxy/tools/parameters/basic.py --- a/lib/galaxy/tools/parameters/basic.py Tue Jan 12 16:49:02 2010 -0500 +++ b/lib/galaxy/tools/parameters/basic.py Wed Jan 13 10:24:30 2010 -0500 
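Review bot: The second upload_common hunk keeps `user.id` in the `log.error( 'Got a precreated dataset (%s) but this user (%s) is not allowed to write to it' ... )` call, but the first hunk replaced the only visible binding of `user` with `roles = trans.get_current_user_roles()`. If both hunks are in the same function (the `for id in async_datasets` loop begun in the first), the denied-write branch now raises NameError instead of logging the refusal. Keep a binding next to the roles lookup, `user = trans.user`, or log `trans.user.id` directly.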
@@ -1177,7 +1177,7 @@ field = form_builder.SelectField( self.name, self.multiple, None, self.refresh_on_change, refresh_on_change_values = self.refresh_on_change_values ) # CRUCIAL: the dataset_collector function needs to be local to DataToolParameter.get_html_field() def dataset_collector( hdas, parent_hid ): - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() for i, hda in enumerate( hdas ): if len( hda.name ) > 30: hda_name = '%s..%s' % ( hda.name[:17], hda.name[-11:] ) diff -r 35d2a31cfbaf -r b10ae696a0e9 lib/galaxy/web/controllers/dataset.py --- a/lib/galaxy/web/controllers/dataset.py Tue Jan 12 16:49:02 2010 -0500 +++ b/lib/galaxy/web/controllers/dataset.py Wed Jan 13 10:24:30 2010 -0500 @@ -192,7 +192,7 @@ data = data = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( dataset_id ) if not data: raise paste.httpexceptions.HTTPRequestRangeNotSatisfiable( "Invalid reference dataset id: %s." % str( dataset_id ) ) - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() if trans.app.security_agent.can_access_dataset( roles, data.dataset ): if data.state == trans.model.Dataset.states.UPLOAD: return trans.show_error_message( "Please wait until this dataset finishes uploading before attempting to view it." ) @@ -298,7 +298,7 @@ if 'display_url' not in kwd or 'redirect_url' not in kwd: return trans.show_error_message( 'Invalid parameters specified for "display at" link, please contact a Galaxy administrator' ) redirect_url = kwd['redirect_url'] % urllib.quote_plus( kwd['display_url'] ) - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() if trans.app.security_agent.dataset_is_public( data.dataset ): return trans.response.send_redirect( redirect_url ) # anon access already permitted by rbac if trans.app.security_agent.can_access_dataset( roles, data.dataset ): diff -r 35d2a31cfbaf -r b10ae696a0e9 lib/galaxy/web/controllers/library.py 
--- a/lib/galaxy/web/controllers/library.py Tue Jan 12 16:49:02 2010 -0500
+++ b/lib/galaxy/web/controllers/library.py Wed Jan 13 10:24:30 2010 -0500
@@ -21,28 +21,14 @@ params = util.Params( kwd ) msg = util.restore_text( params.get( 'msg', '' ) ) messagetype = params.get( 'messagetype', 'done' ) - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() all_libraries = trans.sa_session.query( trans.app.model.Library ) \ .filter( trans.app.model.Library.table.c.deleted==False ) \ .order_by( trans.app.model.Library.name ) - library_actions = [ trans.app.security_agent.permitted_actions.LIBRARY_ADD, - trans.app.security_agent.permitted_actions.LIBRARY_MODIFY, - trans.app.security_agent.permitted_actions.LIBRARY_MANAGE ] - # The authorized_libraries dictionary looks like: { library : '1,2' }, library : '3' } - # Its keys are the libraries that should be displayed for the current user and whose values are a - # string of comma-separated folder ids of the associated folders that should NOT be displayed. - # The folders that should not be displayed may not be a complete list, but it is ultimately passed - # to the browse_library() method and the browse_library.mako template to keep from re-checking the - # same folders when the library is rendered. 
- authorized_libraries = odict() + authorized_libraries = [] for library in all_libraries: - can_access, hidden_folder_ids = trans.app.security_agent.check_folder_contents( user, roles, library.root_folder ) - if can_access: - authorized_libraries[ library ] = hidden_folder_ids - else: - can_show, hidden_folder_ids = trans.app.security_agent.show_library_item( user, roles, library, library_actions ) - if can_show: - authorized_libraries[ library ] = hidden_folder_ids + if trans.app.security_agent.library_is_public( library ) or trans.app.security_agent.can_access_library( roles, library ): + authorized_libraries.append( library ) return trans.fill_template( '/library/browse_libraries.mako', libraries=authorized_libraries, default_action=params.get( 'default_action', None ), diff -r 35d2a31cfbaf -r b10ae696a0e9 lib/galaxy/web/controllers/library_common.py --- a/lib/galaxy/web/controllers/library_common.py Tue Jan 12 16:49:02 2010 -0500 +++ b/lib/galaxy/web/controllers/library_common.py Wed Jan 13 10:24:30 2010 -0500 @@ -234,11 +234,11 @@ messagetype = params.get( 'messagetype', 'done' ) folder = trans.sa_session.query( trans.app.model.LibraryFolder ).get( trans.security.decode_id( id ) ) if cntrller != 'library_admin': - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() # See if we have any associated templates widgets = folder.get_template_widgets( trans ) if params.get( 'rename_folder_button', False ): - if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( user, roles, folder ): + if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( roles, folder ): old_name = folder.name new_name = util.restore_text( params.name ) new_description = util.restore_text( params.description ) 
@@ -295,10 +295,10 @@ msg=util.sanitize_text( msg ), messagetype='error' ) ) if cntrller == 'library': - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() if params.get( 'update_roles_button', False ): # The user clicked the Save button on the 'Associate With Roles' form - if cntrller == 'library_admin' or trans.app.security_agent.can_manage_library_item( user, roles, folder ): + if cntrller == 'library_admin' or trans.app.security_agent.can_manage_library_item( roles, folder ): permissions = {} for k, v in trans.app.model.Library.permitted_actions.items(): in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( int( x ) ) for x in util.listify( params.get( k + '_in', [] ) ) ] @@ -344,14 +344,14 @@ if isinstance( dbkey, list ): dbkey = dbkey[0] if cntrller == 'library': - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() file_formats = [ dtype_name for dtype_name, dtype_value in trans.app.datatypes_registry.datatypes_by_extension.iteritems() if dtype_value.allow_datatype_change ] file_formats.sort() # See if we have any associated templates widgets = ldda.get_template_widgets( trans ) if params.get( 'change', False ): # The user clicked the Save button on the 'Change data type' form - if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( user, roles, ldda ): + if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( roles, ldda ): if ldda.datatype.allow_datatype_change and trans.app.datatypes_registry.get_datatype_by_extension( params.datatype ).allow_datatype_change: trans.app.datatypes_registry.change_datatype( ldda, params.datatype ) trans.sa_session.flush() 
@@ -373,7 +373,7 @@ messagetype=messagetype ) elif params.get( 'save', False ): # The user clicked the Save button on the 'Edit Attributes' form - if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( user, roles, ldda ): + if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( roles, ldda ): old_name = ldda.name new_name = util.restore_text( params.get( 'name', '' ) ) new_info = util.restore_text( params.get( 'info', '' ) ) @@ -413,7 +413,7 @@ messagetype=messagetype ) elif params.get( 'detect', False ): # The user clicked the Auto-detect button on the 'Edit Attributes' form - if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( user, roles, ldda ): + if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( roles, ldda ): for name, spec in ldda.datatype.metadata_spec.items(): # We need to be careful about the attributes we are resetting if name not in [ 'name', 'info', 'dbkey' ]: @@ -435,7 +435,7 @@ widgets=widgets, msg=msg, messagetype=messagetype ) - if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( user, roles, ldda ): + if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( roles, ldda ): if "dbkey" in ldda.datatype.metadata_spec and not ldda.metadata.dbkey: # Copy dbkey into metadata, for backwards compatability # This looks like it does nothing, but getting the dbkey @@ -497,7 +497,7 @@ messagetype='error' ) ) lddas.append( ldda ) if params.get( 'update_roles_button', False ): - if cntrller=='library_admin' or ( trans.app.security_agent.can_manage_library_item( user, roles, ldda ) and \ + if cntrller=='library_admin' or ( trans.app.security_agent.can_manage_library_item( roles, ldda ) and \ trans.app.security_agent.can_manage_dataset( roles, ldda.dataset ) ): permissions = {} accessible = False 
@@ -623,10 +623,10 @@ replace_dataset = None upload_option = params.get( 'upload_option', 'upload_file' ) if cntrller == 'library': - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() if cntrller == 'library_admin' or \ - ( trans.app.security_agent.can_add_library_item( user, roles, folder ) or \ - ( replace_dataset and trans.app.security_agent.can_modify_library_item( user, roles, replace_dataset ) ) ): + ( trans.app.security_agent.can_add_library_item( roles, folder ) or \ + ( replace_dataset and trans.app.security_agent.can_modify_library_item( roles, replace_dataset ) ) ): if params.get( 'runtool_btn', False ) or params.get( 'ajax_upload', False ): # See if we have any inherited templates, but do not inherit contents. info_association, inherited = folder.get_info_association( inherited=True ) @@ -662,7 +662,7 @@ # Since permissions on all LibraryDatasetDatasetAssociations must be the same at this point, we only need # to check one of them to see if the current user can manage permissions on them. check_ldda = trans.sa_session.query( trans.app.model.LibraryDatasetDatasetAssociation ).get( ldda_id_list[0] ) - if trans.app.security_agent.can_manage_library_item( user, roles, check_ldda ): + if trans.app.security_agent.can_manage_library_item( roles, check_ldda ): if replace_dataset: default_action = '' else: @@ -949,8 +949,8 @@ # Since permissions on all LibraryDatasetDatasetAssociations must be the same at this point, we only need # to check one of them to see if the current user can manage permissions on them. check_ldda = trans.sa_session.query( trans.app.model.LibraryDatasetDatasetAssociation ).get( trans.security.decode_id( ldda_id_list[0] ) ) - user, roles = trans.get_user_and_roles() - if trans.app.security_agent.can_manage_library_item( user, roles, check_ldda ): + roles = trans.get_current_user_roles() + if trans.app.security_agent.can_manage_library_item( roles, check_ldda ): if replace_dataset: default_action = '' else: 
@@ -1040,9 +1040,9 @@ msg=util.sanitize_text( msg ), messagetype='error' ) ) if cntrller == 'library': - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() if params.get( 'edit_attributes_button', False ): - if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( user, roles, library_dataset ): + if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( roles, library_dataset ): if params.get( 'edit_attributes_button', False ): old_name = library_dataset.name new_name = util.restore_text( params.get( 'name', '' ) ) @@ -1081,9 +1081,9 @@ msg=util.sanitize_text( msg ), messagetype='error' ) ) if cntrller == 'library': - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() if params.get( 'update_roles_button', False ): - if cntrller == 'library_admin' or trans.app.security_agent.can_manage_library_item( user, roles, library_dataset ): + if cntrller == 'library_admin' or trans.app.security_agent.can_manage_library_item( roles, library_dataset ): # The user clicked the Save button on the 'Associate With Roles' form permissions = {} for k, v in trans.app.model.Library.permitted_actions.items(): @@ -1204,7 +1204,7 @@ msg=util.sanitize_text( msg ), messagetype='error' ) ) seen = [] - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() for ldda_id in ldda_ids: ldda = trans.sa_session.query( trans.app.model.LibraryDatasetDatasetAssociation ).get( trans.security.decode_id( ldda_id ) ) if not ldda \ diff -r 35d2a31cfbaf -r b10ae696a0e9 lib/galaxy/web/controllers/requests.py --- a/lib/galaxy/web/controllers/requests.py Tue Jan 12 16:49:02 2010 -0500 +++ b/lib/galaxy/web/controllers/requests.py Wed Jan 13 10:24:30 2010 -0500 
@@ -604,7 +604,7 @@ all_libraries = trans.sa_session.query( trans.app.model.Library ) \ .filter( trans.app.model.Library.table.c.deleted == False ) \ .order_by( trans.app.model.Library.name ) - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() actions_to_check = [ trans.app.security_agent.permitted_actions.LIBRARY_ADD ] libraries = odict() for library in all_libraries: diff -r 35d2a31cfbaf -r b10ae696a0e9 lib/galaxy/web/controllers/root.py --- a/lib/galaxy/web/controllers/root.py Tue Jan 12 16:49:02 2010 -0500 +++ b/lib/galaxy/web/controllers/root.py Wed Jan 13 10:24:30 2010 -0500 @@ -161,7 +161,7 @@ except: return "Dataset id '%s' is invalid" %str( id ) if data: - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() if trans.app.security_agent.can_access_dataset( roles, data.dataset ): mime = trans.app.datatypes_registry.get_mimetype_by_extension( data.extension.lower() ) trans.response.set_content_type(mime) @@ -194,7 +194,7 @@ if data: child = data.get_child_by_designation( designation ) if child: - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() if trans.app.security_agent.can_access_dataset( roles, child ): return self.display( trans, id=child.id, tofile=tofile, toext=toext ) else: @@ -211,7 +211,7 @@ if 'authz_method' in kwd: authz_method = kwd['authz_method'] if data: - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() if authz_method == 'rbac' and trans.app.security_agent.can_access_dataset( roles, data ): trans.response.set_content_type( data.get_mime() ) trans.log_event( "Formatted dataset id %s for display at %s" % ( str( id ), display_app ) ) 
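Review bot: This requests.py hunk drops the `user` binding but keeps `actions_to_check = [ ... LIBRARY_ADD ]` and `libraries = odict()`, the same shape as the `show_library_item( user, roles, library, library_actions )` loop removed from library.py in this changeset, and `show_library_item` still takes `user` per the security hunk. If the loop body below the hunk still passes `user`, it is now unbound and the page raises NameError; the loop body is outside the hunk, so this needs confirming. Either keep `user = trans.user` beside the roles lookup or update the call to match the new signature.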
@@ -266,7 +266,7 @@ return trans.show_error_message( "Problem retrieving dataset." ) if id is not None and data.history.user is not None and data.history.user != trans.user: return trans.show_error_message( "This instance of a dataset (%s) in a history does not belong to you." % ( data.id ) ) - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() if trans.app.security_agent.can_access_dataset( roles, data.dataset ): if data.state == trans.model.Dataset.states.UPLOAD: return trans.show_error_message( "Please wait until this dataset finishes uploading before attempting to edit its metadata." ) diff -r 35d2a31cfbaf -r b10ae696a0e9 lib/galaxy/web/framework/__init__.py --- a/lib/galaxy/web/framework/__init__.py Tue Jan 12 16:49:02 2010 -0500 +++ b/lib/galaxy/web/framework/__init__.py Wed Jan 13 10:24:30 2010 -0500 @@ -524,13 +524,13 @@ self.sa_session.add( self.galaxy_session ) self.sa_session.flush() user = property( get_user, set_user ) - def get_user_and_roles( self ): + def get_current_user_roles( self ): user = self.get_user() if user: roles = user.all_roles() else: roles = [] - return user, roles + return roles def user_is_admin( self ): admin_users = self.app.config.get( "admin_users", "" ).split( "," ) return self.user and admin_users and self.user.email in admin_users diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/dataset/edit_attributes.mako --- a/templates/dataset/edit_attributes.mako Tue Jan 12 16:49:02 2010 -0500 +++ b/templates/dataset/edit_attributes.mako Wed Jan 13 10:24:30 2010 -0500 @@ -6,7 +6,7 @@ <%def name="stylesheets()"> ${h.css( "base", "autocomplete_tagging" )} </%def> -<% user, user_roles = trans.get_user_and_roles() %> +<% user_roles = trans.get_current_user_roles() %> <%def name="javascripts()"> ${parent.javascripts()} diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/library/browse_libraries.mako --- a/templates/library/browse_libraries.mako Tue Jan 12 16:49:02 2010 -0500 
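Review bot: `get_user_and_roles` is renamed to `get_current_user_roles` in the framework hunk with no compatibility alias, so any template or controller outside this changeset that still calls the old name fails at request time rather than at import. If callers beyond the ones patched here are not certain to be covered, a one-line shim `def get_user_and_roles( self ): return self.get_user(), self.get_current_user_roles()` keeps them working until they are updated.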
+++ b/templates/library/browse_libraries.mako Wed Jan 13 10:24:30 2010 -0500 @@ -20,9 +20,9 @@ </tr> </thead> <tbody> - %for library, hidden_folder_ids in libraries.items(): + %for library in libraries: <tr class="libraryRow libraryOrFolderRow" id="libraryRow"> - <td><a href="${h.url_for( controller='library_common', action='browse_library', cntrller='library', id=trans.security.encode_id( library.id ), hidden_folder_ids=hidden_folder_ids )}">${library.name}</a></td> + <td><a href="${h.url_for( controller='library_common', action='browse_library', cntrller='library', id=trans.security.encode_id( library.id ), hidden_folder_ids='' )}">${library.name}</a></td> <td><i>${library.description}</i></td> </tr> %endfor diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/library/common/browse_library.mako --- a/templates/library/common/browse_library.mako Tue Jan 12 16:49:02 2010 -0500 +++ b/templates/library/common/browse_library.mako Wed Jan 13 10:24:30 2010 -0500 @@ -16,12 +16,12 @@ <% if cntrller in [ 'library', 'requests' ]: - user, roles = trans.get_user_and_roles() - can_add = trans.app.security_agent.can_add_library_item( user, roles, library ) + roles = trans.get_current_user_roles() + can_add = trans.app.security_agent.can_add_library_item( roles, library ) if can_add: info_association, inherited = library.get_info_association() - can_modify = trans.app.security_agent.can_modify_library_item( user, roles, library ) - can_manage = trans.app.security_agent.can_manage_library_item( user, roles, library ) + can_modify = trans.app.security_agent.can_modify_library_item( roles, library ) + can_manage = trans.app.security_agent.can_manage_library_item( roles, library ) elif cntrller in [ 'library_admin', 'requests_admin' ]: info_association, inherited = library.get_info_association() 
@@ -162,8 +162,8 @@ if ldda == library_dataset.library_dataset_dataset_association: current_version = True if cntrller in [ 'library', 'requests' ]: - can_modify_library_dataset = trans.app.security_agent.can_modify_library_item( user, roles, library_dataset ) - can_manage_library_dataset = trans.app.security_agent.can_manage_library_item( user, roles, library_dataset ) + can_modify_library_dataset = trans.app.security_agent.can_modify_library_item( roles, library_dataset ) + can_manage_library_dataset = trans.app.security_agent.can_manage_library_item( roles, library_dataset ) else: current_version = False if current_version and ldda.state not in ( 'ok', 'error', 'empty', 'deleted', 'discarded' ): 
@@ -191,7 +191,7 @@ <a class="action-button" href="${h.url_for( controller='library_common', action='ldda_display_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ) )}">View this dataset's information</a> %endif %if cntrller in [ 'library_admin', 'requests_admin' ] or can_manage_library_dataset: - <a class="action-button" href="${h.url_for( controller='library_common', action='ldda_permissions', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=ldda.id, permissions=True )}">Edit this dataset's permissions</a> + <a class="action-button" href="${h.url_for( controller='library_common', action='ldda_permissions', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), permissions=True )}">Edit this dataset's permissions</a> %endif %if cntrller in [ 'library_admin', 'requests_admin' ] or can_modify_library_dataset: <a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), replace_id=trans.security.encode_id( library_dataset.id ) )}">Upload a new version of this dataset</a> 
@@ -247,11 +247,11 @@ trans.app.security_agent.permitted_actions.LIBRARY_MANAGE ] ) if not can_show: return "" - can_add = trans.app.security_agent.can_add_library_item( user, roles, folder ) + can_add = trans.app.security_agent.can_add_library_item( roles, folder ) if can_add: info_association, inherited = folder.get_info_association( restrict=True ) - can_modify = trans.app.security_agent.can_modify_library_item( user, roles, folder ) - can_manage = trans.app.security_agent.can_manage_library_item( user, roles, folder ) + can_modify = trans.app.security_agent.can_modify_library_item( roles, folder ) + can_manage = trans.app.security_agent.can_manage_library_item( roles, folder ) elif cntrller in [ 'library_admin', 'requests_admin' ]: info_association, inherited = folder.get_info_association( restrict=True ) %> diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/library/common/common.mako --- a/templates/library/common/common.mako Tue Jan 12 16:49:02 2010 -0500 +++ b/templates/library/common/common.mako Wed Jan 13 10:24:30 2010 -0500 
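Review bot: `can_add = trans.app.security_agent.can_add_library_item( roles, folder )` runs regardless of `cntrller`, but `roles` is only bound in the `library`/`requests` branch of the `@@ -16` hunk; unless the admin branch binds it somewhere above this hunk (the enclosing `<% %>` block starts outside it), rendering a folder as `library_admin` or `requests_admin` would raise NameError on this line. The removed `( user, roles, folder )` form had the same exposure, so it may already be covered by the `can_show` computation that precedes the hunk, but that is not visible here. Binding `roles = trans.get_current_user_roles()` once, before the `if cntrller in [ 'library', 'requests' ]:` branch at `@@ -16`, removes the question.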
@@ -15,14 +15,14 @@ library_item_type = 'library_dataset_dataset_association' library_item_desc = 'library dataset' if cntrller == 'library': - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() %> %if widgets: <p/> <div class="toolForm"> <div class="toolFormTitle">Other information about ${library_item_desc} ${library_item.name}</div> <div class="toolFormBody"> - %if editable and ( cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( user, roles, library_item ) ): + %if editable and ( cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( roles, library_item ) ): <form name="edit_info" action="${h.url_for( controller='library_common', action='edit_template_info', cntrller=cntrller, library_id=library_id, response_action=response_action, num_widgets=len( widgets ) )}" method="post"> <input type="hidden" name="library_item_id" value="${trans.security.encode_id( library_item.id )}"/> <input type="hidden" name="library_item_type" value="${library_item_type}"/> diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/library/common/folder_info.mako --- a/templates/library/common/folder_info.mako Tue Jan 12 16:49:02 2010 -0500 +++ b/templates/library/common/folder_info.mako Wed Jan 13 10:24:30 2010 -0500 @@ -4,7 +4,7 @@ <% if cntrller != 'library_admin': - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() %> <br/><br/> 
@@ -21,7 +21,7 @@ <div class="toolForm"> <div class="toolFormTitle">Edit folder name and description</div> <div class="toolFormBody"> - %if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( user, roles, folder ): + %if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( roles, folder ): <form name="folder" action="${h.url_for( controller='library_common', action='folder_info', cntrller=cntrller, id=trans.security.encode_id( folder.id ), library_id=library_id )}" method="post" > <div class="form-row"> <label>Name:</label> diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/library/common/folder_permissions.mako --- a/templates/library/common/folder_permissions.mako Tue Jan 12 16:49:02 2010 -0500 +++ b/templates/library/common/folder_permissions.mako Wed Jan 13 10:24:30 2010 -0500 @@ -13,8 +13,9 @@ ${render_msg( msg, messagetype )} %endif -<% user, roles = trans.get_user_and_roles() %> +<% roles = trans.get_current_user_roles() %> -%if cntrller=='library_admin' or trans.app.security_agent.can_manage_library_item( user, roles, folder ): - ${render_permission_form( folder, folder.name, h.url_for( controller='library_common', action='folder_permissions', cntrller=cntrller, id=trans.security.encode_id( folder.id ), library_id=library_id ), roles )} +%if cntrller=='library_admin' or trans.app.security_agent.can_manage_library_item( roles, folder ): + ## LIBRARY_ACCESS is a special permission that is set only at the library level. + ${render_permission_form( folder, folder.name, h.url_for( controller='library_common', action='folder_permissions', cntrller=cntrller, id=trans.security.encode_id( folder.id ), library_id=library_id ), roles, do_not_render=[ 'LIBRARY_ACCESS' ] )} %endif diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/library/common/ldda_edit_info.mako --- a/templates/library/common/ldda_edit_info.mako Tue Jan 12 16:49:02 2010 -0500 +++ b/templates/library/common/ldda_edit_info.mako Wed Jan 13 10:24:30 2010 -0500 
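Review bot: `do_not_render=[ 'LIBRARY_ACCESS' ]` only omits the LIBRARY_ACCESS control from the rendered form; it does not stop a submitted request from carrying that permission for a folder, so the folder_permissions handler still needs to reject it server-side, which the commit message itself lists as outstanding. The same applies to the identical change in ldda_permissions.mako `@@ -62` and library_dataset_permissions.mako `@@ -24`. The added comment would be more useful if it stated that limit: `## LIBRARY_ACCESS is set only at the library level; hiding it here is a UI convenience, the controller must still reject it for folders and datasets.`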
@@ -22,7 +22,7 @@ <% if cntrller == 'library': - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() %> %if ldda == ldda.library_dataset.library_dataset_dataset_association: @@ -54,7 +54,7 @@ </select> </%def> -%if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( user, roles, ldda.library_dataset ): +%if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( roles, ldda.library_dataset ): <div class="toolForm"> <div class="toolFormTitle">Edit attributes of ${ldda.name}</div> <div class="toolFormBody"> diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/library/common/ldda_info.mako --- a/templates/library/common/ldda_info.mako Tue Jan 12 16:49:02 2010 -0500 +++ b/templates/library/common/ldda_info.mako Wed Jan 13 10:24:30 2010 -0500 @@ -8,7 +8,8 @@ current_version = True else: current_version = False - user, roles = trans.get_user_and_roles() + if cntrller == 'library': + roles = trans.get_current_user_roles() %> %if current_version: 
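Review bot: In the ldda_info.mako `@@ -8` hunk, `roles = trans.get_current_user_roles()` is now bound only when `cntrller == 'library'`, whereas the removed line bound it unconditionally; the `@@ -41` hunk reads `roles` on the right-hand side of every `cntrller=='library_admin' or ...` test, so any other controller value (browse_library.mako routes `requests` and `requests_admin` through the same templates) would hit an unbound name. Keeping the original unconditional form, `roles = trans.get_current_user_roles()` outside the `if`, is the safer choice unless the call is known to fail for admin sessions. The enclosing `<% %>` block starts outside the hunk.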
@@ -41,15 +42,15 @@ %if not library.deleted and not ldda.library_dataset.folder.deleted and not ldda.deleted: <a id="dataset-${ldda.id}-popup" class="popup-arrow" style="display: none;">▼</a> <div popupmenu="dataset-${ldda.id}-popup"> - %if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( user, roles, ldda.library_dataset ): + %if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( roles, ldda.library_dataset ): <a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), id=trans.security.encode_id( ldda.id ) )}">Edit this dataset's information</a> %else: <a class="action-button" href="${h.url_for( controller='library_common', action='ldda_display_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), id=trans.security.encode_id( ldda.id ) )}">View this dataset's information</a> %endif - %if cntrller=='library_admin' or trans.app.security_agent.can_manage_dataset( roles, ldda.dataset ) and trans.app.security_agent.can_manage_library_item( user, roles, ldda.library_dataset ): + %if cntrller=='library_admin' or trans.app.security_agent.can_manage_dataset( roles, ldda.dataset ) and trans.app.security_agent.can_manage_library_item( roles, ldda.library_dataset ): <a class="action-button" href="${h.url_for( controller='library_common', action='ldda_permissions', library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), id=trans.security.encode_id( ldda.id ) )}">Edit this dataset's permissions</a> %endif - %if current_version and ( cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( user, roles, ldda.library_dataset ) ): + %if current_version and ( 
cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( roles, ldda.library_dataset ) ): <a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), replace_id=trans.security.encode_id( ldda.library_dataset.id ) )}">Upload a new version of this dataset</a> %endif %if cntrller=='library' and ldda.has_data: diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/library/common/ldda_permissions.mako --- a/templates/library/common/ldda_permissions.mako Tue Jan 12 16:49:02 2010 -0500 +++ b/templates/library/common/ldda_permissions.mako Wed Jan 13 10:24:30 2010 -0500 @@ -62,4 +62,5 @@ %endif <% ldda_ids = ",".join( [ trans.security.encode_id( d.id ) for d in lddas ] ) %> -${render_permission_form( lddas[0], name_str, h.url_for( controller='library_common', action='ldda_permissions', cntrller=cntrller, library_id=library_id, folder_id=trans.security.encode_id( lddas[0].library_dataset.folder.id ), id=ldda_ids ), roles )} +## LIBRARY_ACCESS is a special permission that is set only at the library level. +${render_permission_form( lddas[0], name_str, h.url_for( controller='library_common', action='ldda_permissions', cntrller=cntrller, library_id=library_id, folder_id=trans.security.encode_id( lddas[0].library_dataset.folder.id ), id=ldda_ids ), roles, do_not_render=[ 'LIBRARY_ACCESS' ] )} diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/library/common/library_dataset_info.mako --- a/templates/library/common/library_dataset_info.mako Tue Jan 12 16:49:02 2010 -0500 +++ b/templates/library/common/library_dataset_info.mako Wed Jan 13 10:24:30 2010 -0500 @@ -4,7 +4,7 @@ <% if cntrller=='library': - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() %> %if library_dataset == library_dataset.library_dataset_dataset_association.library_dataset: 
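Review bot: The `ldda_permissions` link in the `can_manage_dataset( roles, ldda.dataset ) and ... can_manage_library_item( roles, ldda.library_dataset )` branch omits `cntrller=cntrller`, while the same link rewritten in browse_library.mako `@@ -191` passes it; whichever default the controller applies for a missing `cntrller`, the two entry points into one action now behave differently. Adding `cntrller=cntrller,` after `action='ldda_permissions',` keeps it consistent with the other links in this popup. On that same `%if`, `a or b and c` parses as `a or (b and c)`, which is the intended reading here, but parentheses would make the admin bypass explicit.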
@@ -24,7 +24,7 @@ ${render_msg( msg, messagetype )} %endif -%if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( user, roles, library_dataset ): +%if cntrller=='library_admin' or trans.app.security_agent.can_modify_library_item( roles, library_dataset ): <div class="toolForm"> <div class="toolFormTitle">Edit attributes of ${library_dataset.name}</div> <div class="toolFormBody"> diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/library/common/library_dataset_permissions.mako --- a/templates/library/common/library_dataset_permissions.mako Tue Jan 12 16:49:02 2010 -0500 +++ b/templates/library/common/library_dataset_permissions.mako Wed Jan 13 10:24:30 2010 -0500 @@ -4,7 +4,7 @@ <% if cntrller == 'library': - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() %> %if library_dataset == library_dataset.library_dataset_dataset_association.library_dataset: 
@@ -24,11 +24,12 @@ ${render_msg( msg, messagetype )} %endif -%if trans.app.security_agent.can_manage_library_item( user, user_roles, library_dataset ): +%if trans.app.security_agent.can_manage_library_item( user_roles, library_dataset ): <% roles = trans.sa_session.query( trans.app.model.Role ) \ .filter( trans.app.model.Role.table.c.deleted==False ) \ .order_by( trans.app.model.Role.table.c.name ) %> - ${render_permission_form( library_dataset, library_dataset.name, h.url_for( controller='library_common', action='library_dataset_permissions', cntrller=cntrller, id=trans.security.encode_id( library_dataset.id ), library_id=library_id ), roles )} + ## LIBRARY_ACCESS is a special permission that is set only at the library level. + ${render_permission_form( library_dataset, library_dataset.name, h.url_for( controller='library_common', action='library_dataset_permissions', cntrller=cntrller, id=trans.security.encode_id( library_dataset.id ), library_id=library_id ), roles, do_not_render=[ 'LIBRARY_ACCESS' ] )} %endif diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/library/common/library_info.mako --- a/templates/library/common/library_info.mako Tue Jan 12 16:49:02 2010 -0500 +++ b/templates/library/common/library_info.mako Wed Jan 13 10:24:30 2010 -0500 @@ -4,7 +4,7 @@ <% if not trans.user_is_admin(): - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() %> <br/><br/> @@ -18,7 +18,7 @@ ${render_msg( msg, messagetype )} %endif -%if cntrller == 'library_admin' or trans.app.security_agent.can_modify_library_item( user, roles, library ): +%if cntrller == 'library_admin' or trans.app.security_agent.can_modify_library_item( roles, library ): <div class="toolForm"> <div class="toolFormTitle">Change library name and description</div> <div class="toolFormBody"> diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/library/common/library_permissions.mako --- a/templates/library/common/library_permissions.mako Tue Jan 12 16:49:02 2010 -0500 
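Review bot: In library_info.mako the guard that binds `roles` in the `@@ -4` hunk is `if not trans.user_is_admin():`, but the check in `@@ -18` short-circuits on `cntrller == 'library_admin'`; an admin user who reaches this page through `cntrller == 'library'` gets neither, and `can_modify_library_item( roles, library )` then references an unbound name. The removed `user, roles` form had the same mismatch, but the commit rewrites both lines without aligning them. Using the same condition in both places — `if cntrller != 'library_admin':` at `@@ -4`, as folder_info.mako already does — closes the gap.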
+++ b/templates/library/common/library_permissions.mako Wed Jan 13 10:24:30 2010 -0500 @@ -4,7 +4,7 @@ <% if not trans.user_is_admin(): - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() %> <br/><br/> @@ -18,7 +18,7 @@ ${render_msg( msg, messagetype )} %endif -%if trans.user_is_admin or trans.app.security_agent.can_manage_library_item( user, user_roles, library ): +%if trans.user_is_admin or trans.app.security_agent.can_manage_library_item( user_roles, library ): <% roles = trans.sa_session.query( trans.app.model.Role ) \ .filter( trans.app.model.Role.table.c.deleted==False ) \ diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/mobile/history/detail.mako --- a/templates/mobile/history/detail.mako Tue Jan 12 16:49:02 2010 -0500 +++ b/templates/mobile/history/detail.mako Wed Jan 13 10:24:30 2010 -0500 @@ -36,7 +36,7 @@ <div class="secondary"> ## Body for history items, extra info and actions, data "peek" - <% user, roles = trans.get_user_and_roles() %> + <% roles = trans.get_current_user_roles() %> %if not trans.user_is_admin() and not trans.app.security_agent.can_access_dataset( roles, data.dataset ): <div>You do not have permission to view this dataset.</div> %elif data_state == "queued": diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/mobile/manage_library.mako --- a/templates/mobile/manage_library.mako Tue Jan 12 16:49:02 2010 -0500 +++ b/templates/mobile/manage_library.mako Wed Jan 13 10:24:30 2010 -0500 
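Review bot: `%if trans.user_is_admin or trans.app.security_agent.can_manage_library_item( user_roles, library ):` tests the attribute object rather than its result — the `@@ -4` hunk three lines above calls it as `trans.user_is_admin()` — so if `user_is_admin` is that method, the left operand is always truthy and the manage-permissions form is rendered for every user without the security agent ever being consulted. That is pre-existing, but the commit touches the line and leaves it; the fix is `%if trans.user_is_admin() or trans.app.security_agent.can_manage_library_item( user_roles, library ):`. Separately, `@@ -4` binds `roles` while this check reads `user_roles` (the same split appears in library_dataset_permissions.mako `@@ -24`), so the binding at `@@ -4` looks unused and `user_roles` must be supplied by the controller — worth confirming.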
@@ -3,13 +3,13 @@ <%namespace file="/dataset/security_common.mako" import="render_permission_form" /> <%namespace file="/library/common/common.mako" import="render_template_info" /> -<% user, roles = trans.get_user_and_roles() %> +<% roles = trans.get_current_user_roles() %> %if msg: ${render_msg( msg, messagetype )} %endif -%if trans.app.security_agent.can_modify_library_item( user, roles, library ): +%if trans.app.security_agent.can_modify_library_item( roles, library ): <div class="toolForm"> <div class="toolFormTitle">Change library name and description</div> <div class="toolFormBody"> @@ -49,7 +49,7 @@ </div> </div> %endif -%if trans.app.security_agent.can_manage_library_item( user, roles, library ): +%if trans.app.security_agent.can_manage_library_item( roles, library ): <% roles = trans.sa_session.query( trans.app.model.Role ) \ .filter( trans.app.model.Role.table.c.deleted==False ) \ diff -r 35d2a31cfbaf -r b10ae696a0e9 templates/root/history_common.mako --- a/templates/root/history_common.mako Tue Jan 12 16:49:02 2010 -0500 +++ b/templates/root/history_common.mako Wed Jan 13 10:24:30 2010 -0500 @@ -7,7 +7,7 @@ data_state = "queued" else: data_state = data.state - user, roles = trans.get_user_and_roles() + roles = trans.get_current_user_roles() %> %if not trans.user_is_admin() and not trans.app.security_agent.can_access_dataset( roles, data.dataset ): <div class="historyItemWrapper historyItem historyItem-${data_state} historyItem-noPermission" id="historyItem-${data.id}">