details: http://www.bx.psu.edu/hg/galaxy/rev/66fda01625f3
changeset: 3482:66fda01625f3
user: jeremy goecks <jeremy.goecks@emory.edu>
date: Thu Mar 04 13:49:09 2010 -0500
description:
Refactor page, history, workflow display code to use same security code as get() methods.

diffstat:

 lib/galaxy/web/base/controller.py | 3 +--
 lib/galaxy/web/controllers/history.py | 10 +++-------
 lib/galaxy/web/controllers/page.py | 10 +++-------
 lib/galaxy/web/controllers/workflow.py | 12 +++---------
 4 files changed, 10 insertions(+), 25 deletions(-)

diffs (79 lines):

diff -r 2e025a8d71d0 -r 66fda01625f3 lib/galaxy/web/base/controller.py
--- a/lib/galaxy/web/base/controller.py Thu Mar 04 13:19:14 2010 -0500
+++ b/lib/galaxy/web/base/controller.py Thu Mar 04 13:49:09 2010 -0500
@@ -110,8 +110,7 @@
         if check_accessible:
             # Verify accessible.
             if ( item.user != user ) and ( not item.importable ) and ( user not in item.users_shared_with_dot_users ):
-                raise "hi"
-                error( "%s is not accessible by current user" % item.__class__.__name__ )
+                error( "%s is not accessible to current user" % item.__class__.__name__ )
         return item
 
 class UsesHistoryDatasetAssociation:
diff -r 2e025a8d71d0 -r 66fda01625f3 lib/galaxy/web/controllers/history.py
--- a/lib/galaxy/web/controllers/history.py Thu Mar 04 13:19:14 2010 -0500
+++ b/lib/galaxy/web/controllers/history.py Thu Mar 04 13:49:09 2010 -0500
@@ -589,15 +589,11 @@
         # Get history.
         session = trans.sa_session
         user = session.query( model.User ).filter_by( username=username ).first()
-        history_query_base = trans.sa_session.query( model.History ).filter_by( user=user, slug=slug, deleted=False )
-        if user is not None:
-            # User can view history if it's importable or if it's shared with him/her.
-            history = history_query_base.filter( or_( model.History.importable==True, model.History.users_shared_with.any( model.HistoryUserShareAssociation.user==trans.get_user() ) ) ).first()
-        else:
-            # User not logged in, so only way to view history is if it's importable.
-            history = history_query_base.filter_by( importable=True ).first()
+        history = trans.sa_session.query( model.History ).filter_by( user=user, slug=slug, deleted=False ).first()
         if history is None:
             raise web.httpexceptions.HTTPNotFound()
+        # Security check raises error if user cannot access history.
+        self.security_check( trans.get_user(), history, False, True)
 
         # Get datasets.
         datasets = self.get_history_datasets( trans, history )
diff -r 2e025a8d71d0 -r 66fda01625f3 lib/galaxy/web/controllers/page.py
--- a/lib/galaxy/web/controllers/page.py Thu Mar 04 13:19:14 2010 -0500
+++ b/lib/galaxy/web/controllers/page.py Thu Mar 04 13:49:09 2010 -0500
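Review bot: The new call `self.security_check( trans.get_user(), history, False, True)` passes two positional booleans whose meaning can only be recovered from the controller.py hunk (`if check_accessible:`), so the call site does not say which checks it is asking for. Spelling the flags as keywords, e.g. `self.security_check( trans.get_user(), history, check_accessible=True )` together with the third flag named by its parameter, would make the access policy readable where it is applied; whether the ownership flag must be passed explicitly depends on its default, which is outside the hunk. The same call shape appears in the page.py and workflow.py hunks of this commit. The enclosing method starts outside the hunk.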
@@ -555,15 +555,11 @@
         # Get page.
         session = trans.sa_session
         user = session.query( model.User ).filter_by( username=username ).first()
-        page_query_base = trans.sa_session.query( model.Page ).filter_by( user=user, slug=slug, deleted=False )
-        if user is not None:
-            # User can view page if it's importable or if it's shared with him/her.
-            page = page_query_base.filter( or_( model.Page.user==trans.get_user(), model.Page.importable==True, model.Page.users_shared_with.any( model.PageUserShareAssociation.user==trans.get_user() ) ) ).first()
-        else:
-            # User not logged in, so only way to view page is if it's importable.
-            page = page_query_base.filter_by( importable=True ).first()
+        page = trans.sa_session.query( model.Page ).filter_by( user=user, slug=slug, deleted=False ).first()
         if page is None:
             raise web.httpexceptions.HTTPNotFound()
+        # Security check raises error if user cannot access page.
+        self.security_check( trans.get_user(), page, False, True)
 
         # Process page content.
         processor = _PageContentProcessor( trans, 'utf-8', 'text/html', self._get_embed_html )
diff -r 2e025a8d71d0 -r 66fda01625f3 lib/galaxy/web/controllers/workflow.py
--- a/lib/galaxy/web/controllers/workflow.py Thu Mar 04 13:19:14 2010 -0500
+++ b/lib/galaxy/web/controllers/workflow.py Thu Mar 04 13:49:09 2010 -0500
@@ -169,15 +169,9 @@
         # Get workflow.
         session = trans.sa_session
         user = session.query( model.User ).filter_by( username=username ).first()
-        workflow_query_base = trans.sa_session.query( model.StoredWorkflow ).filter_by( user=user, slug=slug, deleted=False )
-        if user is not None:
-            # User can view workflow if it's importable or if it's shared with him/her.
-            stored_workflow = workflow_query_base.filter( or_( model.StoredWorkflow.importable==True, model.StoredWorkflow.users_shared_with.any( model.StoredWorkflowUserShareAssociation.user==trans.get_user() ) ) ).first()
-        else:
-            # User not logged in, so only way to view workflow is if it's importable.
-            stored_workflow = workflow_query_base.filter_by( importable=True ).first()
-        if stored_workflow is None:
-            raise web.httpexceptions.HTTPNotFound()
+        stored_workflow = trans.sa_session.query( model.StoredWorkflow ).filter_by( user=user, slug=slug, deleted=False ).first()
+        # Security check raises error if user cannot access workflow.
+        self.security_check( trans.get_user(), stored_workflow, False, True)
 
         # Get data for workflow's steps.
         self.get_stored_workflow_steps( trans, stored_workflow )
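Review bot: The `if stored_workflow is None: raise web.httpexceptions.HTTPNotFound()` guard is dropped in this hunk although the history.py and page.py hunks keep theirs, so an unknown username or slug now reaches `self.security_check( trans.get_user(), stored_workflow, False, True)` with `stored_workflow` set to None; the accessibility branch shown in the controller.py hunk reads `item.user`, which would turn a not-found lookup into an AttributeError and a server error instead of a 404. Restore the two lines before the security check: `if stored_workflow is None:` / `    raise web.httpexceptions.HTTPNotFound()`. Separately, the removed query answered 404 for both a missing and an inaccessible workflow, whereas the new flow answers a missing one with 404 and an existing-but-inaccessible one with the "not accessible" error, so the response now distinguishes the two cases; if that is not intended, the caller should map the access failure back to HTTPNotFound. The enclosing method starts outside the hunk.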