Hello John,

Thank you very much for the patch. It works now with the argument 'roles'.

I tested with the wrong role in order to be sure that it filters when the role is not the right one and it does get filtered :)

However, I need to add a few lines to the patch in order to avoid the use of this method without a defined role.

basically, the complete patch is: 

 
+        roles = payload.get("roles", None)
+        if roles:
+            roles = util.listify(roles)
+
+            def to_id_as_str(role):
+                role = role.replace("__at__", "@")
+                if "@" in role:
+                    role = str( trans.sa_session.query( trans.app.model.Role ).filter( trans.app.model.Role.table.c.name == role ).first().id )
+                else:
+                    role = str( trans.security.decode_id( role ) )
+                return role
+
+            payload["roles"] = map( to_id_as_str, roles )
+
+        else:
+            trans.response.status = 400
+            return "Missing required roles definition"


I don't know if you (could/want to) add this to your commit.

Thank you very much for your help.
--
Olivia

Le 06/01/14 16:53, John Chilton a écrit :
Hello Olivia,

Great, thanks for the clarification! It took me a little bit, but I
have caught up. First - you don't need to justify using bioblend over
the provided scripts in galaxy distribution. Anything non-trivial
should be using bioblend (if it weren't going to make me very
unpopular I would just delete scripts/api out of Galaxy).

There are a couple problems here - but the main one is simply that the
roles param is taking in something odd as an argument - namely the
unencoded integer id of the role as a string - it probably makes
perfect sense for the UI to deal with things this way but it doesn't
fit well with the API. Here
(https://github.com/jmchilton/galaxy-central/commit/11377929a679fb3391481e35227bcccd7e96a497.patch)
is a patch you can apply to Galaxy to make it work the way you are
trying to get it to work (allowing roles to take in a single role
name). Just apply that to Galaxy and I imagine your example will work
as is.

However, this is not "the right" way for it to work however so I am
not going to apply it Galaxy directly but it is a very isolated change
you can apply to your Galaxy instance if your comfortable with that.
In an ideal implementation - there are many different permission types
that should be exposed and the API should be consuming encoded role
ids (as obtained from /api/roles) - but the backend isn't implemented
for this first part and bioblend doesn't have a roles client for the
second.

I have created a Trello card for this feature: https://trello.com/c/qsQHnFlG.

Let me know if you have any additional questions or if this is unclear
in any way.

-John

On Sun, Jan 5, 2014 at 3:35 AM, Olivia Doppelt
<olivia.doppelt@pasteur.fr> wrote:

Hello again,
I just reminded a capital thing concerning the api script
library_upload_from_import_dir.py. Actually it only works for admin users.
simple users don't have the authorization to upload anything in their galaxy
library using this script. It is the main reason why we choose to user
bioblend.
--
Olivia


Le 04/01/14 22:10, Olivia Doppelt a écrit :


Le 03/01/14 15:44, John Chilton a écrit :

I am not sure I understand the problem. Can you clarify a few points:

Is bioblend letting users associate roles with data libraries that
they shouldn't be able to and the operation is succeeding -or- are you
trying to add roles and the operation is failing?

Dear John,

In our Galaxy instance, each user connecting to Galaxy has a library
associated to its user role which is created automatically as well as two
directories; one in the links directory corresponding to our
"user_library_import_dir" and one in an "output" directory to enable the
users to export their results from the instance.

The user directories are readable by Galaxy and by themselves (unix rights
are set using a root cron script)

For a project, we need to do basic galaxy stuff using either the API scripts
or bioblend api. We have tried both and bioblend is a little simpler to use.

Using the api script library_upload_from_import_dir.py, using a user api
key, only files from the user directory are "uploadable".

However, using bioblend function from libraries class
"upload_file_from_server", a user with its key can upload within its galaxy
library, the data of anyone.

#giOlivia.libraries.upload_file_from_server("OLIVIA_API_key","/xxxxxxx/links/otherUser@pasteur.fr/","F0045a9ffd77d1226")


To disable this, i'm trying to add an associate role when I launch the
upload_file_from_server command but I get an error.

giOlivia.libraries.upload_file_from_server("OLIVIA_API_key","/xxxxxxxx/links/olivia@pasteur.fr/",
"F0045a9ffd77d1226", roles='olivia@pasteur.fr')

and I get the following error:

Traceback (most recent call last):   File "<input>", line 1, in <module>
File
"/usr/local/lib/python2.7/dist-packages/bioblend-0.4.2_dev-py2.7.egg/bioblend/galaxy/libraries/__init__.py",
line 242, in upload_file_from_server     return self._do_upload(**vars)
File
"/usr/local/lib/python2.7/dist-packages/bioblend-0.4.2_dev-py2.7.egg/bioblend/galaxy/libraries/__init__.py",
line 190, in _do_upload     files_attached=files_attached)   File
"/usr/local/lib/python2.7/dist-packages/bioblend-0.4.2_dev-py2.7.egg/bioblend/galaxy/client.py",
line 71, in _post     r = self.gi.make_post_request(url, payload=payload,
files_attached=files_attached)   File
"/usr/local/lib/python2.7/dist-packages/bioblend-0.4.2_dev-py2.7.egg/bioblend/galaxyclient.py",
line 94, in make_post_request     r.status_code, body=r.text)     # @see
self.body for HTTP response body ConnectionError: Unexpected response from
galaxy: 500: <html>   <head><title>Internal Server Error</title></head>
<body>     <h1>Internal Server Error</h1>     <p>The server has either erred
or is incapable of performing the requested operation.
<br/> <!--  --></p>     <hr noshade>     <div align="right">WSGI
Server</div>   </body> </html>


If the API is producing an error message can you share that: in
particular this code is probably resulting in an error or some kind?

            elif roles:
                # Check to see if the user selected roles to associate
with the DATASET_ACCESS permission
                # on the dataset that would cause accessibility issues.
                vars = dict( DATASET_ACCESS_in=roles )
                permissions, in_roles, error, message = \
                    trans.app.security_agent.derive_roles_from_access(
trans, library.id, cntrller, library=True, **vars )
            if error:
                if cntrller == 'api':
                    return 400, message


the api does not produce any error when the api key corresponds to the user
which tries to import its own data.


Has your institute made modifications Galaxy to enforce this
constraint - ("it can't be possible that any user may upload any other
user's data in their Galaxy Data library")? Also is the thing you are
trying to do something that is working through the web ui but not
through the API, or have you only tried through the API?


I did a few tests yesterday, and to resume, it works as it should using the
api script but there is a problem using bioblend.
I'm not sure that roles are really needed here, i only thought that it could
guide galaxy (and bioblend) to not upload data that does not belong to user
(corresponding to the API key)

I looked at the sources, and my major doubt was that bioblend didn't pass
all the arguments but it does, everything is transmitted to galaxy do it
should work.

Tell me if you need more information. I'll look further on monday but i'm
kind of stuck.

Thank you for your help,

Cheers,

--
Olivia Doppelt-Azeroual, PhD
CIB - Institut Pasteur



On Fri, Jan 3, 2014 at 5:36 AM, Olivia Doppelt
<olivia.doppelt@pasteur.fr> wrote:

Hello to all,

I'm trying to use the function  "upload_file_from_server" from the galaxy
libraries api of Bioblend.

It's working correctly when i don't associate any role to the arguments.
However, in our architecture (Institut Pasteur, Paris) it can't be possible
that any user may upload any other user's data in their Galaxy Data library.

Thus, it is how ""upload_file_from_server" is working at the moment.

As I understand the problem, it doesn't come from Bioblend itself, as all
arguments (as well as roles) are well transmitted on the server side.

could somebody help me with that ?

Happy new Year !!! and Have a nice day,

--
Olivia Doppelt-Azeroual, PhD
Tel: 92 15
CIB - Institut Pasteur


___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/




___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/



--
Olivia Doppelt-Azeroual, PhD
Tel: 92 15
CIB - Institut Pasteur



-- 
Olivia Doppelt-Azeroual, PhD
Tel: 92 15
CIB - Institut Pasteur